TLS between Gremlin and AGS
Overview
This page describes how to set up Transport Layer Security (TLS) for Aerospike Graph Service (AGS) to encrypt network traffic from Gremlin client applications.
Prerequisites
- TLS certificate files:
  - Verify that the required TLS certificate file (PEM-encoded X.509 format) is in the local filesystem.
  - The matching private key to the certificate.
  - A PEM-encoded X.509 Certificate Authority (CA) certificate (optional).
Set up Gremlin with AGS
- Configure AGS.
  In your AGS properties file, set the following option:
  aerospike.graph-service.ssl.enabled=true
- Prepare the TLS certificates directory.
  Create a local directory for storing your TLS certificate files, for example /home/graph-user/graph/gremlin-server-tls.
- Bind the TLS files to a Docker filesystem directory.
  The AGS Docker image must have access to the TLS files. When starting the Docker image, use the -v flag to create a volume bind which binds a local directory containing the TLS files to the Docker image directory /opt/aerospike-graph/gremlin-server-tls. If the certificate is signed by a Certificate Authority, bind that separately to the Docker image directory /opt/aerospike-graph/gremlin-server-ca.
Filesystem requirements
In the Docker image filesystem, /opt/aerospike-graph/gremlin-server-tls must contain exactly two files: the certificate and the private key. Similarly, /opt/aerospike-graph/gremlin-server-ca must contain exactly one file: the certificate authority file. AGS will fail to launch if incompatible files are found in those directories, or if the number of files is incorrect.
In the following example, these TLS files are located in the local filesystem:
- Certificate: /home/graph-user/gremlin-server-tls/myCertificate.crt
- Private key: /home/graph-user/gremlin-server-tls/myCertificateKey.key
- Certificate Authority (CA): /home/graph-user/ca/ca.crt
To set up TLS with a CA, start Docker with the following command:
docker run -p 8182:8182 \
  -v /home/graph-user/graph/conf/aerospike-graph.properties:/opt/aerospike-graph/aerospike-graph.properties \
  -v /home/graph-user/tls:/opt/aerospike-graph/gremlin-server-tls \
  -v /home/graph-user/ca:/opt/aerospike-graph/gremlin-server-ca \
  aerospike/aerospike-graph-service
To set up TLS without a CA, start Docker with the following command:
docker run -p 8182:8182 \
  -v /home/graph-user/graph/conf/aerospike-graph.properties:/opt/aerospike-graph/aerospike-graph.properties \
  -v /home/graph-user/tls:/opt/aerospike-graph/gremlin-server-tls \
  aerospike/aerospike-graph-service
If AGS encounters any problems with the TLS setup, the image startup fails with an error. If the image starts up without errors, the TLS setup succeeded.
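A pre-flight check for the two bind-mounted directories, as an added example that is not part of the AGS documentation: it enforces the file-count and file-type rules above before docker run is attempted, can confirm that the private key matches the certificate, and prints the docker run command with or without the CA bind. It assumes a POSIX shell with find and grep; key_matches_cert additionally assumes openssl is installed on the host.

```shell
# Pre-flight check for the AGS TLS bind mounts (added example, not from the AGS docs).
# It validates the local directories destined for /opt/aerospike-graph/gremlin-server-tls
# and /opt/aerospike-graph/gremlin-server-ca against the documented layout before docker run.

# count_files DIR: number of regular files directly inside DIR.
count_files() { find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '; }

# has_pem_block FILE LABEL: true when FILE has a "-----BEGIN ...LABEL-----" line, so
# "PRIVATE KEY" covers both PKCS#8 and legacy "RSA PRIVATE KEY" headers.
has_pem_block() { grep -q -e "-----BEGIN .*$2-----" "$1"; }

# check_tls_dir DIR: true when DIR holds exactly one certificate and one private key.
check_tls_dir() {
    dir=$1; certs=0; keys=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ "$(count_files "$dir")" -eq 2 ] || { echo "$dir must contain exactly 2 files" >&2; return 1; }
    for f in "$dir"/*; do
        if has_pem_block "$f" "CERTIFICATE"; then certs=$((certs + 1))
        elif has_pem_block "$f" "PRIVATE KEY"; then keys=$((keys + 1))
        else echo "not a PEM certificate or key: $f" >&2; return 1
        fi
    done
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ]
}

# check_ca_dir DIR: true when DIR holds exactly one PEM certificate (only used with a CA).
check_ca_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ "$(count_files "$dir")" -eq 1 ] || { echo "$dir must contain exactly 1 file" >&2; return 1; }
    has_pem_block "$dir"/* "CERTIFICATE"
}

# key_matches_cert CERT KEY: true when the key's public half equals the certificate's.
# Assumes openssl is installed on the host (the docs do not require it).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# ags_run_cmd PROPS TLS_DIR [CA_DIR]: print the docker run command from the docs,
# adding the CA bind mount only when a CA directory is given.
ags_run_cmd() {
    cmd="docker run -p 8182:8182 -v $1:/opt/aerospike-graph/aerospike-graph.properties"
    cmd="$cmd -v $2:/opt/aerospike-graph/gremlin-server-tls"
    [ -n "$3" ] && cmd="$cmd -v $3:/opt/aerospike-graph/gremlin-server-ca"
    echo "$cmd aerospike/aerospike-graph-service"
}
```

Run check_tls_dir and, when using a CA, check_ca_dir on the local directories, then eval the output of ags_run_cmd; a failed check reports the offending directory before the container is ever started.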