Certificate configuration for HTTP on FST

Hello,
In 4.7. Protocols & APIs — EOS DIOPSIDE documentation I noticed that the xrdhttp configuration shown for FSTs (only 3 lines) does not include anything to specify a host certificate and key. At first I thought this was an oversight, but then I noticed this about HTTPS to HTTP conversion of data transfers for performance reasons.

I also submitted an MR to change the http directives to xrd ones, as the former are deprecated.

Can anyone clarify? Should MGM(s), and also all FSTs, normally be configured with xrd.tlsca and xrd.tls for HTTPS to work?

Thanks!

Hi Ryan,

Thanks for the merge request, this is now in master. You are right, and the way we configure TLS support in all our machines is to use the unified interface provided by xrd.tls and xrd.tlsca.

Cheers,
Elvin

Thanks @esindril!

Regarding the MGM/FST difference, just to confirm, do you mean that only MGM needs the xrd.tls and xrd.tlsca settings (because the xrootd HTTPS to HTTP conversion is used)?
I had the impression that all FST nodes need host certificates, but if not it would be much simpler.

They all need certificates, sorry if there was any confusion!

Cheers,
Elvin
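
An added example, not part of the thread and not EOS or XRootD code: a small audit that checks each node's xrootd-style config for the xrd.tls and xrd.tlsca directives the answers above say every MGM and FST needs. The sample configs, paths, ports and node names are constructed placeholders; the http.* names are the older XrdHttp certificate directives, which the thread mentions only as "the http directives"; conditional blocks in the config are not interpreted.

```python
# Added example: TLS directive audit for an xrootd-style config (not EOS code).
LEGACY = ("http.cert", "http.key", "http.cadir", "http.cafile")

def audit_tls(config_text):
    """Return findings for one node's config; an empty list means no issues."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if parts:
            seen.setdefault(parts[0], []).append(parts[1:])
    findings = [f"{name} is a legacy directive; use xrd.tls / xrd.tlsca"
                for name in LEGACY if name in seen]
    if "xrd.tls" not in seen:
        findings.append("missing xrd.tls (host certificate and key)")
    elif any(not args for args in seen["xrd.tls"]):
        findings.append("xrd.tls has no certificate path")
    if "xrd.tlsca" not in seen:
        findings.append("missing xrd.tlsca (CA certificates)")
    elif any(args[:1] == ["noverify"] for args in seen["xrd.tlsca"]):
        findings.append("xrd.tlsca noverify: peer certificates are not verified")
    return findings

# Constructed sample configs; paths, ports and node names are placeholders.
SAMPLES = {
    "mgm": """
xrd.protocol XrdHttp:8443 libXrdHttp.so
xrd.tls /etc/grid-security/daemon/hostcert.pem /etc/grid-security/daemon/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
""",
    "fst-no-tls": """
xrd.protocol XrdHttp:8001 libXrdHttp.so
# no certificate directives at all
""",
    "fst-legacy": """
xrd.protocol XrdHttp:8001 libXrdHttp.so
http.cert /etc/grid-security/daemon/hostcert.pem
http.key /etc/grid-security/daemon/hostkey.pem
http.cadir /etc/grid-security/certificates
""",
}

def audit_all(samples=SAMPLES):
    """Audit every sample node and return {node: findings}."""
    return {node: audit_tls(text) for node, text in samples.items()}

if __name__ == "__main__":
    for node, findings in audit_all().items():
        print(node, "OK" if not findings else findings)
```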