SSL and Deadline

Version: Deadline 9 and later

Introduction

Security is a key feature in all technologies, whether it is encrypting and decrypting data to keep sensitive information from eavesdroppers, or verifying and authenticating users. Secure Sockets Layer (SSL) does it all, and this week we will be covering the basics of what it is and how it is used in Deadline!

What is SSL?

SSL is a secure means of communication between a client and a server. When a client attempts to connect to the server, the client verifies that the server is who it says it is via a Certificate Authority. A Certificate Authority is a trusted third party that issues certificates to the server; when a secure connection is being set up, the server's certificate is checked against it. If the server is who it says it is, the two sides complete a negotiation called a handshake, which determines the type of encryption that will be used for communications. The client then encrypts its data and sends it over, and the server decrypts it.

Where are SSL Certificates used in Deadline?

SSL is used in three places inside of Deadline, which are covered below.

MongoDB ® Database Authentication

When you are installing the Deadline database, you can enable the use of SSL/TLS authentication. While this step is optional, it is highly recommended. Enabling SSL for database authentication ensures that all of your database queries will remain protected from any man-in-the-middle attacks.

For more information on how to enable SSL for database authentication, check out the blog entry on Locking Down Your Farm, or refer to the Database Installation section in the Deadline documentation.

3rd Party Usage Based Licensing

3rd Party Usage Based Licensing (UBL) requires SSL certificates for each product in order to ensure a secure connection with Thinkbox’s Cloud-hosted License Server Gateway. These certificates also ensure that only you can access the render time you have purchased. After 3rd Party UBL has been purchased from the Thinkbox Marketplace, the 3rd Party UBL certificates will be made available for download from the Thinkbox Customer Portal. These certificates are then used by the Deadline License Forwarder to establish the secure connection with the Cloud-hosted License Server Gateway.

For more information about purchasing and using 3rd Party UBL, refer to the 3rd Party Usage Based Licensing section in the Deadline documentation.

Web Forwarding (for Usage Based Licensing)

When using UBL, all render nodes must be able to communicate with the Cloud License Server that hosts the render time you’ve purchased from the Thinkbox Marketplace. One way to ensure this is to give all render nodes access to the internet. However, for security reasons, this isn’t always an option. In those cases, Web Forwarding can be enabled in the Deadline License Forwarder. With Web Forwarding enabled, only the machine that the License Forwarder is running on will require internet access, and the render nodes will use the License Forwarder as a proxy to the Cloud License Server.

For Web Forwarding to work, an SSL certificate must be generated using the Certificate Utility that is included with the Deadline Installers package, and that certificate must be installed on all the render nodes. For more information on setting up Web Forwarding, refer to the Web Forwarding section in the Deadline documentation.

How Do You Generate SSL Certificates?

If you want to generate your own SSL certificates, we have a Python ® script on the Thinkbox GitHub ® page. It uses OpenSSL ® to generate the server and client certificates.

Alternatively, you can purchase SSL certificates from a variety of Certificate Authorities for a fee.
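
As an added illustration (this is not the Thinkbox script mentioned above, nor Deadline's Certificate Utility), the shell functions below use the OpenSSL command line to create a private CA, sign one server and one client certificate, and check each certificate against the CA for its intended purpose. The CA name, client name, file layout and host name are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus one server and one client certificate.
# Directory layout, CNs and the host name are assumptions, not Deadline defaults.

# gen_certs OUTDIR SERVER_HOST : create CA, server and client key/cert pairs
gen_certs() {
    out=$1; host=$2
    mkdir -p "$out" && chmod 700 "$out" || return 1
    # 1. Self-signed CA: its certificate is the trust anchor clients install.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Farm CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null || return 1
    # 2. Extension files: the server certificate carries the host name as a
    #    SAN, and extendedKeyUsage limits each certificate to one role.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$out/server.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
    # 3. For each role: new key and CSR, then sign the CSR with the CA key.
    for role in server client; do
        [ "$role" = server ] && cn=$host || cn="render-client"
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
            -keyout "$out/$role.key" -out "$out/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$out/$role.csr" -sha256 -days 365 \
            -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
            -extfile "$out/$role.ext" -out "$out/$role.crt" 2>/dev/null || return 1
    done
    # Private keys are unencrypted (-nodes), so restrict them to the owner.
    chmod 600 "$out"/*.key
}

# check_cert CA_FILE CERT_FILE PURPOSE : succeed only if CERT chains to CA
# and is usable for PURPOSE (sslserver or sslclient).
check_cert() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}
```

Only `ca.crt` needs to be copied to machines that must trust the server; each `.key` file stays on the machine that owns it.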

Conclusion

Security is taken very seriously with Deadline to protect our communication channels, and enabling SSL wherever possible in Deadline ensures that these security standards are met.

MongoDB is a registered trademark of MongoDB, Inc.

Python is a registered trademark of the Python Software Foundation.

GITHUB is a trademark of GitHub, Inc.

OPENSSL is a trademark of The OpenSSL Software Foundation, Inc.