Skip to main content
Loading
Version: Graph 2.2.0

TLS setup for Aerospike Graph Service

Overview

This page describes how to set up Transport Layer Security (TLS) for encrypting network traffic between Aerospike Graph Service (AGS) and the Aerospike Database (ASDB).

Prerequisite

  • A running instance of an Aerospike database
  • A Certificate Authority (CA)
  • Two signed certificate/key pairs (one for the Aerospike database and one for each of your AGS instances)

Enable TLS

  1. Enable TLS on your Aerospike database See TLS Configuration in the ASDB documentation to set up TLS on the Aerospike database.

  2. Edit your Aerospike configuration file When all your certificates are in place, edit aerospike.conf (located at /etc/aerospike/aerospike.conf by default). Replace the placeholder HOSTNAME with the signed hostname of the SSL certificate.

    The following sample network context shows the required parameters for enabling TLS.

    network {
    tls HOSTNAME {
    cert-file /opt/aerospike/etc/aerospike_server.crt
    key-file /opt/aerospike/etc/aerospike_server.key
    ca-file /opt/aerospike/etc/ca.crt
    protocols TLSv1.2
    }
    service {
    address any
    access-address 172.17.0.1
    alternate-access-address 127.0.0.1
    access-port 3000
    port 3000
    tls-address any
    tls-port 4303
    tls-authenticate-client false
    tls-name HOSTNAME

    # Uncomment the following to set the `access-address` parameter to the
    # IP address of the Docker host. This will the allow the server to correctly
    # publish the address which applications and other nodes in the cluster to
    # use when addressing this node.
    # access-address IPADDR
    }
    }
    info

    The tls-name parameter must be the cluster name (CN) that the certificate on the Aerospike database is signed for, and AGS must be able to resolve it as a DNS hostname. The DNS hostname must resolve to the IP address of the Aerospike database.

  3. Set up certificates for your AGS instances

    Put the CA and a certificate/key pair in a Java KeyStore, and the CA in a Java TrustStore. Both files must use the extension .jks.

  4. Enable TLS for AGS

    If you use a properties file to start your graph server, add the parameter tls=true to the file.

    You can also use the command-line argument -e TLS=true when starting the Graph Docker image.

  5. Set up the JAVA_OPTIONS environment variable

    The JAVA_OPTIONS environment variable holds the path and password information for your KeyStore and TrustStore. This information are the paths to the files within the Docker container where you run the Graph Docker image. The following example shows usage:

    JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/path/to/trust-store.jks -Djavax.net.ssl.keyStore=/path/to/key-store.jks -Djavax.net.ssl.trustStorePassword=abc123 -Djavax.net.ssl.keyStorePassword=abc123
  6. Start the Graph Docker image

    Include the JAVA_OPTIONS environment variable when starting the Graph Docker image.

    -e JAVA_OPTIONS