The Controller Daemon uses a public/private key mechanism to ensure that component communications are valid and secure. A key pair must be created for the sqdaemon process User-ID and for the User-IDs of all the Agent processes that interact with the Controller Daemon. By default on UNIX, the private key is generated in ~/.nacl/id_nacl and the public key in ~/.nacl/id_nacl.pub. The daemon uses these two files together with a sequential file containing a concatenated list of the public keys of all the Agents allowed to interact with the Controller Daemon. This Authorized Keys file must contain, at a minimum, the public key of the sqdaemon process User-ID; it is usually named nacl_auth_keys and placed in the <SQDATA_VAR_DIR>/daemon directory.
The file must also include the public keys of any Engines, running on the same or another platform, that connect to the Controller Daemon. The Authorized Keys file is usually maintained by a Systems Administrator.
The keygen command of the sqdutil utility program generates the necessary keys. The command must be run under the User-ID that will run the Controller Daemon process.
$ sqdutil keygen
- If the Daemon, Capture Agent and Apply Engine are running on the same system, they may optionally run under the same User-ID, in which case they would share the same public/private key pair.
- Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.
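The following is an added example, not part of the product documentation, showing how an administrator might assemble and check the nacl_auth_keys file described above from the id_nacl.pub files of the daemon and Agent User-IDs. It assumes each id_nacl.pub holds exactly one non-empty line; the key values and the scratch directory standing in for <SQDATA_VAR_DIR>/daemon are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the Connect CDC documentation): assemble the
# nacl_auth_keys file for the Controller Daemon from the id_nacl.pub files of
# the daemon User-ID and each Agent/Engine User-ID, then sanity-check it.
# Assumptions: each id_nacl.pub holds exactly one non-empty line, and the
# key values below are constructed placeholders, not real NaCl keys.
# build_auth_keys OUTFILE PUBFILE...
# Concatenates the public keys into OUTFILE, one per line, de-duplicated
# (a shared User-ID contributes one key) and readable only by its owner.
# Returns 1 if any key file is missing, empty or holds more than one line.
build_auth_keys() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for pub in "$@"; do
        if [ ! -f "$pub" ] || [ "$(awk 'NF{c++} END{print c+0}' "$pub")" -ne 1 ]; then
            echo "bad or missing public key file: $pub" >&2
            rm -f "$tmp"; return 1
        fi
        awk 'NF' "$pub" >> "$tmp"   # awk adds the newline a bare cat might omit
    done
    sort -u "$tmp" > "$out" && rm -f "$tmp" && chmod 600 "$out"
}
# check_auth_keys AUTHFILE DAEMON_PUBFILE
# Verifies the documented minimum (the daemon's own public key is present)
# and that the file is not group/world readable; prints the key count.
check_auth_keys() {
    auth=$1; daemon_pub=$2
    grep -qxF -- "$(awk 'NF' "$daemon_pub")" "$auth" || {
        echo "daemon public key missing from $auth" >&2; return 1; }
    case $(stat -c %a "$auth" 2>/dev/null || stat -f %Lp "$auth") in
        600|400) ;;
        *) echo "$auth is readable by other users" >&2; return 1 ;;
    esac
    awk 'NF' "$auth" | wc -l | tr -d ' '
}
# Builds a sample Authorized Keys file in a scratch directory standing in for
# <SQDATA_VAR_DIR>/daemon; the daemon key is listed twice to show de-duplication.
demo() {
    d=$(mktemp -d) || return 1
    printf 'DAEMON-PUBKEY-PLACEHOLDER\n'  > "$d/daemon.pub"
    printf 'CAPTURE-PUBKEY-PLACEHOLDER\n' > "$d/capture.pub"
    printf 'APPLY-PUBKEY-PLACEHOLDER'     > "$d/apply.pub"   # no trailing newline
    build_auth_keys "$d/nacl_auth_keys" "$d/daemon.pub" "$d/capture.pub" \
        "$d/apply.pub" "$d/daemon.pub" || return 1
    check_auth_keys "$d/nacl_auth_keys" "$d/daemon.pub"      # prints 3
}
demo
```

Remember that the daemon only sees a rebuilt nacl_auth_keys after the configuration is reloaded with SQDmon or the sqdaemon process is restarted.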