TRA Pool Node TLS Configuration
Specify pool node configuration options for Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to define how the TRA communicates with a downstream pool node over TLS. The protocol versions the TRA recognizes are SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. SSLv2, SSLv3, TLSv1, and TLSv1.1 are obsolete and have known weaknesses; disable them with security-disabled-ssl-versions so that a secured node accepts only TLSv1.2.
SSL/TLS Node Connection Configuration
You configure a TLS connection between the TRA and a downstream pool node by setting the following configuration in the tra_config_network_topology.xml file:
- Set secured="true" in the node definition.
- Add the TLS security configuration options for the node, for example:

```xml
<pools>
  <pool name="tcpPool" monitor="tcp-connect" balance-method="single-node" monitor-port="9999">
    <node name="tcp1" id="1" domain-name4="localhost" secured="true"
          security-own-certificate-path="poolName_nodeName_own_certificates"
          security-require-client-certificate="false"
          security-trusted-certificates-path="nodeName_trusted_certificates"
          security-allowed-ssl-versions="sslv2,sslv3,tlsv1.1,tlsv1.2"
          security-raw-cipher-list="" />
  </pool>
</pools>
```
TLS Pool Node Configuration Options lists the available options.
Note: The TRA does not allow multiple certificates, private keys, and PEM files to co-exist in the same directory, so each node requires its own directory for its certificate, private key, and PEM file.
For more information about TRA pool node configuration, see the discussion about TRA pool node reference in MATRIXX Configuration.
For information about TRA configuration in cloud native environments, see the discussion about configuring a containerized Traffic Routing Agent in MATRIXX Installation and Upgrade.
TRA TLS Option | Description
---|---
secured | (Boolean) When set to true, enables TLS connections for a node. When set to false (default), the following options are ignored.
security-own-certificate-path | (String) The path to the directory containing the security certificates (certificate, private key, and PEM file) for the node. Defaults to nodeName_own_certificates, where nodeName is the name of the node. If you use the default path, you must create the directory if it does not already exist.
security-require-client-certificate | (Boolean) Determines whether a client certificate is required for the TLS connection. When set to:
security-trusted-certificates-path | (String) The path to the directory containing the trusted certificates for the node. Defaults to poolName_nodeName_trusted_certificates, where poolName is the name of the pool and nodeName is the name of the node. If you use the default path, you must create the directory if it does not already exist.
security-allowed-ssl-versions | Important: This option is deprecated and should not be used. Use security-disabled-ssl-versions instead. (String) Comma-separated list of TLS versions that the node accepts for TLS connections. Defaults to sslv2,sslv3,tls1,tlsv1.1,tlsv1.2.
security-disabled-ssl-versions | (String) Comma-separated list of TLS versions that the node does not accept for TLS connections. Defaults to sslv2,sslv3,tls1,tlsv1.1,tlsv1.2. Because the documented default names every supported version, set this option explicitly on each secured node; for example, sslv2,sslv3,tls1,tlsv1.1 leaves only TLSv1.2 enabled.
security-raw-cipher-list | (String) The TLS ciphers that the node uses for TLS connections, for example CAMELLIA128-SHA (an OpenSSL cipher-suite name). Defaults to an empty string.
security-force-quiet-shutdown | <virtual-servers-options>
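The following added example is not MATRIXX code. It places the page's own node definition (deprecated security-allowed-ssl-versions, obsolete versions still allowed, no client certificate, no cipher restriction) next to a hardened version of the same node, and audits both with a small checker that parses the <pools>/<pool>/<node> layout shown above. The version tokens follow the lists on this page (sslv2, sslv3, tls1, tlsv1.1, tlsv1.2); the directory names tcpPool_tcp1_own_certificates and tcpPool_tcp1_trusted_certificates and the ECDHE cipher names in the hardened node are assumptions chosen for illustration, not values from the product documentation.

```python
"""Audit TRA pool-node TLS settings from tra_config_network_topology.xml.

Added example, not MATRIXX code. It reads the <pools>/<pool>/<node> layout
documented on this page and flags nodes whose TLS settings are weak.
"""
import xml.etree.ElementTree as ET

# Versions that should always be rejected: SSLv2, SSLv3, TLS 1.0 and TLS 1.1
# are obsolete. Tokens follow the page's own option lists (assumption: the
# installed TRA release spells them the same way).
OBSOLETE = {"sslv2", "sslv3", "tls1", "tlsv1.1"}
ALL_VERSIONS = OBSOLETE | {"tlsv1.2"}

# Constructed sample 1: the node exactly as the page's example defines it.
WEAK_CONFIG = """<pools>
  <pool name="tcpPool" monitor="tcp-connect" balance-method="single-node" monitor-port="9999">
    <node name="tcp1" id="1" domain-name4="localhost" secured="true"
          security-own-certificate-path="poolName_nodeName_own_certificates"
          security-require-client-certificate="false"
          security-trusted-certificates-path="nodeName_trusted_certificates"
          security-allowed-ssl-versions="sslv2,sslv3,tlsv1.1,tlsv1.2"
          security-raw-cipher-list=""/>
  </pool>
</pools>"""

# Constructed sample 2: the same node hardened. Per-node directories (one node
# per directory, as the page requires), explicit disabled-version list leaving
# only TLSv1.2, mutual TLS, and an explicit cipher list. Directory and cipher
# names are assumptions for illustration.
HARDENED_CONFIG = """<pools>
  <pool name="tcpPool" monitor="tcp-connect" balance-method="single-node" monitor-port="9999">
    <node name="tcp1" id="1" domain-name4="localhost" secured="true"
          security-own-certificate-path="tcpPool_tcp1_own_certificates"
          security-require-client-certificate="true"
          security-trusted-certificates-path="tcpPool_tcp1_trusted_certificates"
          security-disabled-ssl-versions="sslv2,sslv3,tls1,tlsv1.1"
          security-raw-cipher-list="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"/>
  </pool>
</pools>"""


def _split(value):
    """Turn a comma-separated option value into a normalized set of tokens."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def audit_node(node):
    """Return a list of human-readable findings for one <node> element."""
    findings = []
    name = node.get("name", "?")
    if node.get("secured", "false").lower() != "true":
        # Every other security-* option is ignored when secured is not true.
        return [f"{name}: secured is not true; connection is plaintext"]

    # Deprecated allow-list: flag its use and any obsolete version it still permits.
    if "security-allowed-ssl-versions" in node.attrib:
        findings.append(f"{name}: uses deprecated security-allowed-ssl-versions")
        bad = sorted(_split(node.get("security-allowed-ssl-versions")) & OBSOLETE)
        if bad:
            findings.append(f"{name}: allows obsolete versions {','.join(bad)}")

    # Disabled list: must be explicit, must cover every obsolete version, and
    # must not disable all versions (the documented default lists all five).
    disabled_raw = node.get("security-disabled-ssl-versions")
    if disabled_raw is None:
        findings.append(f"{name}: security-disabled-ssl-versions not set explicitly")
    else:
        disabled = _split(disabled_raw)
        missing = sorted(OBSOLETE - disabled)
        if missing:
            findings.append(f"{name}: obsolete versions still enabled: {','.join(missing)}")
        if ALL_VERSIONS <= disabled:
            findings.append(f"{name}: every supported version disabled; no TLS handshake can succeed")

    if node.get("security-require-client-certificate", "false").lower() != "true":
        findings.append(f"{name}: client certificate not required (no mutual TLS)")
    if not node.get("security-raw-cipher-list", "").strip():
        findings.append(f"{name}: security-raw-cipher-list is empty; no explicit cipher restriction")
    return findings


def audit_config(xml_text):
    """Audit every <node> under every <pool>; an empty list means no findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for pool in root.iter("pool"):
        for node in pool.iter("node"):
            findings.extend(audit_node(node))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for line in audit_config(cfg) or ["no findings"]:
            print("  " + line)
```

Run the script against a copy of tra_config_network_topology.xml by reading the file into audit_config; the page's example node produces five findings, the hardened node none. The check for "every supported version disabled" exists because the documented default for security-disabled-ssl-versions names all five versions, so a node that copies that default verbatim cannot negotiate any TLS version at all.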