Cluster Users

A cluster can be accessed remotely via any daemon secure socket. The cluster access can be abstracted via:

  • A floating IP address, usually handled by a system/svc/vip failover service
  • A Round Robin DNS record grouping all or a subset of the cluster nodes
  • A Round Robin DNS record grouping a set of cluster floating IP addresses

Accessing a cluster via the secure socket requires:

  • the client to present a trusted x509 certificate.
  • the user object to exist on the cluster.
  • the certificate CN must match the usr object name (cn=usr1, obj path=system/usr/usr1).

The cluster can generate the certificates, or an external PKI can be trusted by the cluster.


Set an appropriate cluster name in cluster.conf, then

export CLUSTERNAME=$(om cluster get --kw


Changing the cluster name once the cluster is setup and used is hard.

Configure for external PKI

Store the Certificate Authority certificate chain in a secret.

om system/sec/ca-external create
om system/sec/ca-external add --key certificate_chain --from ~/ca_crt_chain.pem

Create the Certificate for the TLS listener as a secret.

om system/sec/cert-$CLUSTERNAME create
om system/sec/cert-$CLUSTERNAME gen cert

Make the external CA sign this certificate and load the resulting certificate key.

om system/sec/cert-$CLUSTERNAME create --kw cn=vip.$CLUSTERNAME.mycorp
om system/sec/cert-$CLUSTERNAME decode --key certificate_signing_request >~/$CLUSTERNAME.csr

#### signing procedure ####

om system/sec/cert-clu add --key certificate --from ~/$CLUSTERNAME_crt.pem
om system/sec/cert-clu add --key certificate_chain --from ~/$CLUSTERNAME_crt_chain.pem

Declare this Certificate Authority for the TLS listener.

om cluster set --kw

If available, declare the Certificate Revokation List location, so the listener can refuse revoked certificates before their expiration.

om cluster set --kw cluster.crl=http://crl.mycorp

Configure for internal PKI

Create the CA certificate.

om system/sec/ca-$CLUSTERNAME create
om system/sec/ca-$CLUSTERNAME set \
    --kw o=mycorp \
    --kw c=fr \
    --kw email=admin@mycorp
om system/sec/ca-$CLUSTERNAME gen cert

Create the Certificate for the TLS listener as a secret.

om system/sec/cert-$CLUSTERNAME create \
    --kw ca=system/sec/ca-$CLUSTERNAME \
    --kw cn=vip.$CLUSTERNAME.mycorp
om system/sec/cert-$CLUSTERNAME gen cert

Create Users

om system/usr/root create
om system/usr/usr1 create

If the system/sec/ca-$CLUSTERNAME exists, the created users will automatically get populated with certificate_chain, certificate and private_key keys. The client certificate data can be extracted with:

om system/usr/usr1 decode --key certificate_chain
om system/usr/usr1 decode --key certificate
om system/usr/usr1 decode --key private_key

Grant privileges

om system/usr/root set --kw grant+=root
om system/usr/usr1 set --kw grant+=squatter
om system/usr/usr1 set --kw grant+=admin:ns1
om system/usr/usr1 set --kw 'grant+=guest:*'