Facebook's Mcrouter SSL Setup

Facebook released Mcrouter back on September 15th and walked through what it does and how it helps Facebook and other companies. Most of the documentation is on the GitHub wiki, which covers the different types of setups, command line options and supported features. It's a really great tool when you have a ton of clients connecting to your cache layer and need to route them appropriately.

One item they left off the documentation was SSL. It was clear you needed an SSL certificate, a private key and the signing CA's public key, but what wasn't clear was the implementation details and how the authentication between two Mcrouters actually happens. I will clear that up for you here.

In Mcrouter, authentication over SSL is certificate and IP based. The certificate (matching the private key) needs to be signed by a trusted CA that the other Mcrouters can validate against, and the certificate's subject alternative IP addresses need to match the IP address of the Mcrouter's server. Below I will show you how to create a CA, private key and certificate to use with Mcrouter. (Remember that each private key and certificate is unique to each Mcrouter and to the IP addresses you add to the SAN section of the CSR.)

Install the necessary dependencies

RHEL/CentOS/Fedora:

yum install gnutls-utils

Debian/Ubuntu:

apt-get install gnutls-utils

Create your CA private key and certificate (public key)

CA Private Key:

certtool --generate-privkey --outfile ca-key.pem

CA Public Key (certificate):

certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.crt

Answer all questions with the default (press enter) except the ones below:

Does the certificate belong to an authority? Y
Path length -1
Will the certificate be used to sign other certificates? Y

CA Signing Configuration (ca_config.txt):

expiration_days = -1
honor_crq_extensions

Create your server's private key, CSR and certificate

Private Key:

certtool --generate-privkey --outfile my_server_private_key.pem

The CSR needs to request a SAN certificate, so you need to create a configuration file (my_server_csr_san_config.txt) to pass to the command (change the country, state, locality and organization as you see fit):

[req]
default_bits = 2048
default_keyfile = my_server_private_key.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
countryName_default = US
stateOrProvinceName = California
stateOrProvinceName_default = California
localityName = Menlo Park
localityName_default = Menlo Park
organizationalUnitName = Facebook
organizationalUnitName_default = Facebook
commonName = my-mcrouter-server
commonName_max = 64

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = <inbound ip address>

Make sure to update IP.2 with the IP address the server will be connecting with. You can add more too: IP.3, IP.4, etc.

CSR:

openssl req -new -out my_server.csr -key my_server_private_key.pem -config my_server_csr_san_config.txt -batch

Create and sign the server's certificate:

certtool --generate-certificate --load-request my_server.csr --outfile my_server.crt --load-ca-certificate ca.crt --load-ca-privkey ca-key.pem --template ca_config.txt
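The whole CA / server key / SAN CSR / signed certificate flow above, as an added example that is not from the original post or the Mcrouter project. It substitutes the openssl CLI for certtool at every step (so only one tool is needed) and finishes with the two checks that Mcrouter's peer validation depends on: the server certificate chains to the CA, and its SAN lists the server's IP address. It assumes openssl 1.1.1 or newer is on PATH; the IP 10.0.0.5, the CN values and the output file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's or Mcrouter's own code): openssl-only version of
# the CA -> server key -> SAN CSR -> signed cert procedure, plus verification.
# Assumes: openssl >= 1.1.1 on PATH. IP/CN/file names are constructed values.
set -eu

# Print an openssl config mirroring the post's SAN CSR template, with an extra
# v3_ca section used for the self-signed CA. Usage: write_cert_config IP > file
write_cert_config() {
  cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = my-mcrouter-server

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = $1

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# cert_has_ip CERT IP: succeed only if CERT's subjectAltName lists IP exactly
# (a prefix such as 10.0.0.50 must not satisfy a check for 10.0.0.5).
cert_has_ip() {
  san=$(openssl x509 -in "$1" -noout -text | grep "IP Address:") || return 1
  printf '%s\n' "$san" | tr ',' '\n' | grep -Eq "^ *IP Address:$2 *$"
}

# make_mcrouter_certs DIR IP: write ca-key.pem, ca.crt, my_server_private_key.pem,
# my_server.csr and my_server.crt into DIR, then verify them.
# Returns 0 on success, 2 if openssl is unavailable, 1 on any other failure.
make_mcrouter_certs() {
  certdir=$1
  server_ip=$2
  command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 2; }
  mkdir -p "$certdir" || return 1
  cfg="$certdir/my_server_csr_san_config.txt"
  write_cert_config "$server_ip" > "$cfg" || return 1

  # 1. CA private key + self-signed CA certificate (CA:TRUE, keyCertSign).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$certdir/ca-key.pem" -out "$certdir/ca.crt" \
    -subj "/CN=mcrouter-test-ca" -config "$cfg" -extensions v3_ca \
    >/dev/null 2>&1 || return 1

  # 2. Server private key + CSR carrying the SAN from the config.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$certdir/my_server_private_key.pem" -out "$certdir/my_server.csr" \
    -config "$cfg" >/dev/null 2>&1 || return 1

  # 3. Sign the CSR with the CA, applying the v3_req extensions (SAN, keyUsage,
  #    CA:FALSE); this plays the role of certtool's honor_crq_extensions.
  openssl x509 -req -days 365 -in "$certdir/my_server.csr" \
    -CA "$certdir/ca.crt" -CAkey "$certdir/ca-key.pem" -CAcreateserial \
    -extfile "$cfg" -extensions v3_req -out "$certdir/my_server.crt" \
    >/dev/null 2>&1 || return 1

  # 4. Checks a peer Mcrouter will effectively make: chain validates against the
  #    CA, the CA is really a CA, and the SAN contains this server's IP.
  openssl verify -CAfile "$certdir/ca.crt" "$certdir/my_server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$certdir/ca.crt" -noout -text | grep -q "CA:TRUE" || return 1
  cert_has_ip "$certdir/my_server.crt" "$server_ip" || return 1
}

# Stand-alone usage: sh this_script.sh /tmp/mcrouter-certs 10.0.0.5
if [ "$#" -eq 2 ]; then
  make_mcrouter_certs "$1" "$2" && echo "certificates written to $1"
fi
```

The resulting ca.crt, my_server.crt and my_server_private_key.pem drop straight into the mcrouter command line shown below. The same `openssl verify` and SAN check are worth running on every node's certificate before deployment: a certificate that verifies but whose SAN omits the address the node actually connects from is exactly the failure case that the IP-based part of Mcrouter's authentication produces.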

Use in the command line

mcrouter --ssl-port 11433 --pem-cert-path=my_server.crt --pem-key-path=my_server_private_key.pem --pem-ca-path=ca.crt

Just an FYI, I did end up adding this to the GitHub wiki for Mcrouter.