TLS between AGS and Aerospike DB
Overview
This page describes how to set up Transport Layer Security (TLS) for encrypting network traffic between Aerospike Graph Service (AGS) and an Aerospike database instance.
Prerequisites
- Aerospike Database TLS setup:
  - Configure TLS on your Aerospike database cluster.
  - Record the tls-name configured during this step for later use.
- TLS certificate files:
  - Verify that the required TLS certificate file (PEM-encoded X.509 format) is in the local filesystem.
Procedure
- Configure AGS.
  In your AGS properties file, set the following configuration options:

      aerospike.client.tls=true
      aerospike.client.host=<host>:<tls-name>:<port>
      # Replace <host> and <port> with your Aerospike DB host name and port.
      # Replace <tls-name> with the "tls-name" value from your Aerospike Database TLS configuration setup
      # in which you set up TLS on the Aerospike DB instance.

- Prepare TLS certificates directory.
  Create a local directory for storing your TLS certificate files, for example, /home/graph-user/graph/tls.

- Run the Docker image.
  The AGS Docker image must have access to the TLS certificates. When starting the Docker image, use the -v flag to create a bind mount that maps a local directory containing the TLS files to the Docker image directory /opt/aerospike-graph/aerospike-client-tls.
  In the following example, the directory /home/graph-user/graph/tls contains the required certificate files.

      docker run -p 8182:8182 \
        -v /home/graph-user/graph/conf/aerospike-graph.properties:/opt/aerospike-graph/aerospike-graph.properties \
        -v /home/graph-user/graph/tls:/opt/aerospike-graph/aerospike-client-tls \
        aerospike/aerospike-graph-service

  If AGS encounters any problems with the TLS setup, the image startup fails with an error. If the image starts up without errors, the TLS connection is successful.
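A pre-flight check for the procedure above, added here as an example and not part of Aerospike's tooling or documentation: before starting the container, it confirms that the properties file enables TLS, that the host entry carries a tls-name between host and port, and that the directory to be bind-mounted holds at least one PEM certificate. The function names, return codes, and sample host, tls-name, and port values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the AGS TLS setup (not Aerospike tooling).
# Return codes (chosen for this example): 0 = ok, 1 = TLS not enabled,
# 2 = host is not <host>:<tls-name>:<port>, 3 = no PEM certificate in the directory.

prop() {  # print the value of key $2 (a regex) from properties file $1, last assignment
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d ' \t\r'
}

ags_tls_preflight() {
    props=$1; tls_dir=$2
    [ "$(prop "$props" 'aerospike\.client\.tls')" = "true" ] || return 1

    host=$(prop "$props" 'aerospike\.client\.host')
    case $host in
        *:*:*:*) return 2 ;;      # more than three fields
        ?*:?*:?*) ;;              # host, tls-name and port all present
        *) return 2 ;;            # tls-name missing, e.g. host:port
    esac
    case ${host##*:} in
        *[!0-9]*) return 2 ;;     # port must be numeric
    esac

    # At least one file in the directory to be mounted must hold a PEM certificate.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$tls_dir"/* 2>/dev/null || return 3
    return 0
}

# Constructed sample input: placeholder values, not a real certificate.
demo=$(mktemp -d)
mkdir "$demo/tls"
printf '%s\n' 'aerospike.client.tls=true' \
    'aerospike.client.host=db.example.internal:example-tls-name:4333' \
    > "$demo/aerospike-graph.properties"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo/tls/ca.pem"

ags_tls_preflight "$demo/aerospike-graph.properties" "$demo/tls"
echo "preflight exit code: $?"
```

The check only looks for the PEM header; it does not validate the certificate chain or that the tls-name matches the database certificate, which AGS itself enforces at startup.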