Skip to content

Altair SLC Hub™ Documentation

TLS

Altair SLC Hub™ Documentation

Home
Getting Started
Getting Started
- Installation Overview
- Planning
- Installation
  Installation
  - Guide
  - Reference Architectures
    Reference Architectures
    
    Azure
    
    AWS
  - Steps
    Steps
    
    Initial Install
    Initial Install
    
    Initial Install (Linux)
    
    Initial Install (Windows)
    
    Configuration Requirements
    
    License
    License
    
    License
    
    License (legacy)
    
    Database Configuration
    
    Object Store Configuration
    Object Store Configuration
    
    External Connection
    
    Internal Object Store
    
    Legacy Configuration
    
    Bootstrap
    
    Verify Ingress
    
    Enable Services
    
    Administrator Password
- Uninstall
  Uninstall
  - Uninstall (Linux)
  - Uninstall (Windows)
Setup
Setup
- Configuration
  Configuration
  - Guide
  - Configuration Overview
  - Features
    Features
    
    Add Workers
    Add Workers
    
    Guide
    
    Worker Install
    Worker Install
    
    Worker Install (Linux)
    
    Worker Install (Windows)
    
    Hostnames and Routing
    
    Add Worker (On Separate Machine)
    
    Add Worker (On Hub Server)
    
    Disable Worker (On Hub Server)
    
    Configure SLC
    
    Configure R + Python
    
    Upgrade SLC
    
    Remove SLC
    
    Users
    Users
    
    Guide
    
    Local
    
    LDAP
    
    PAM
    
    Library Server User
    
    OnDemand API Server User
    
    Email
    
    HTTPS
    HTTPS
    
    Get A Certificate
    
    HTTPS
    
    Vault
    Vault
    
    Introduction
    
    Object Store
    
    Email SMTP Server
    
    LDAP Server
    
    Relational Database
    
    Auth Domain Credentials
    
    Namespaces
    Namespaces
    
    Create Namespace
    
    Administrator
    
    Execution Profiles
    Execution Profiles
    
    Guide
    
    Creating Worker Labels
    
    Using Constraints
    
    Resource Requirements Facets
    
    File System Manager
    File System Manager
    
    Introduction
    
    Workbench File Explorer
    
    Link Session
    
    Workflow
    
    Alternate Internal Certificate Authority
    Alternate Internal Certificate Authority
    
    Guide
    
    Initial Bootstrap
    
    Get Certificates
    
    Install Certificates
    
    Configure Hub
    
    Configure worker
    
    Dynamic Port Range Configuration
    
    Password Policies
    Password Policies
    
    Validation
    
    Failed Logon Attempts
    
    Expiration
- Upgrading
  Upgrading
Reference
Reference
- Introduction
- Deployment Services
  Deployment Services
  - On Demand
    On Demand
    
    Deployment
    
    Asynchronous On Demand
    
    Synchronous On Demand
  - Pipelines
  - Batch Jobs
- Enterprise
  Enterprise
- Namespaces
- Execution Profiles
- Access Control
  Access Control
- TLS TLS
  Table of contents
  - Internal TLS
- Disabled IPv6
- Logging
- REST API
- Troubleshooting
- Backup and Restore
  Backup and Restore
  - Backup
    Backup
    
    Internal database
    
    Internal Object Store
  - Restore
    Restore
    
    Internal database
    
    Internal Object Store
About
About

TLS

Internal TLS¶

All internal communications are secured using TLS as part of the zero-trust approach. The minimum protocol version used is TLS 1.2.

Altair SLC Hub creates a root Certificate Authority (CA) at bootstrap. This is used to create certificate pairs for the Hub Server and Compute Nodes. To ensure the automatic transfer of these certificates is secure, a token with a 5 minute lifetime is created containing the Hash of the public CA and cryptographically random data. This token is returned from the hubctl worker add command-line. The token is then passed out-of-band to the hubctl worker register command on the compute node. The compute node can then get the public CA from the server over a TLS connection and manually confirm the certificate is correct, by checking the hash. Once the Compute node has the root CA it can download all the other required certificates for secure communication. This is shown in the diagram below: