Configuring an NFS Client with TLS

This task shows how to set up the NFS client to connect securely to a TLS enabled NFS server, ensuring data transmitted between client and server is encrypted.

Ensure that the following are true:

The system is running Oracle Linux 9 or later.
You have the Certificate Authority (CA) certificate from the NFS server, or have generated a self-signed certificate on the NFS server as described in Generating a Self-Signed Certificate for TLS Authentication.
The ktls-utils package is installed.

(Optional) Remove obsolete certificates.

If you have been using self-signed certificates for testing, it's a good idea to remove any previous, obsolete anchors first. For example, to list the existing anchors and then remove an unwanted anchor:

trust list

pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert
type: certificate
label: Test CA
trust: anchor
category: authority
...
sudo trust anchor --remove pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert

Import the certificate into the system trust store.
Run the following command to add the certificate as a new anchor in the system trust policy store:
```
sudo trust anchor cert.pem
```
Enable and start the TLS daemon.
Run the following command to enable tlshd immediately and whenever the system reboots:
```
sudo systemctl enable --now tlshd.service
```
Mount the NFS share using TLS encryption.
Run the following command, replacing nfs-server and path/to/share with the NFS server's host name and the exported directory:
```
sudo mount -o xprtsec=tls server-hostname:/path/to/share /mnt/
```
Verify the connection.
Run the following command. Look for a message in the output that says the server handshake was successful:
```
sudo journalctl -u tlshd
```