Skip to content

Configure Aerospike Clients

For the complete documentation index see: llms.txt

All documentation pages available in markdown.

Connect your application to Aerospike Cloud over TLS from a host in your peered AWS VPC. Database endpoints use private addresses reachable only after VPC peering is configured and your VPC is associated with the Aerospike Cloud private hosted zone.

Aerospike Cloud clusters use TLS on port 4000. You cannot configure a different TLS port. Confirm Hostname and TLS port in the Connection section on the Details tab.

This page is the application step after VPC peering and database users. For first-time cluster setup, see the Aerospike Cloud quickstart.

Prerequisites

Before configuring a client, confirm the following:

  • VPC peering status is Active in the Aerospike Cloud console and AWS.
  • DNS association with the Aerospike Cloud private hosted zone is complete so Hostname resolves to node private IPs. Without it, clients cannot use the console hostname and would need node IPs you cannot look up from the console.
  • Route tables and security groups allow outbound TCP 4000 to the Aerospike Cloud VPC CIDR (default 10.128.0.0/19). See Configure AWS VPC peering for details.
  • A database user exists with the roles your application needs (for example read-write).
  • Your application (or test host) runs inside the peered VPC (for example EC2, EKS worker, Lambda with VPC access).

Configure your client

Before running the examples below, collect the following from the Aerospike Cloud console. All values come from the cluster Details tab unless noted.

What you needWhere to find it
<HOSTNAME>: seed address and TLS name (for example a1b2c3d4-e5f6-7890-abcd-ef1234567890.aerospike.internal)Connection section → Hostname
TLS port (4000)Connection section → TLS port
CA certificate (PEM)Certificates section → download or copy TLS certificate
<DB_USERNAME> / <DB_PASSWORD>Access manager tab (separate from your Cloud console login)
<NAMESPACE>Configuration section → Namespace

You can also retrieve connection details from the API using Cluster ID from the General section. See Use Cloud APIs for authentication.

Terminal window
curl -s "https://api.aerospike.com/v1/database/clusters/<CLUSTER_ID>" \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  | jq '.connectionDetails | {hostname, tlsCertificate: (.tlsCertificate | length)}'

Replace <HOSTNAME>, <DB_USERNAME>, <DB_PASSWORD>, and <NAMESPACE> in the examples below with your cluster values.

Aerospike Cloud uses one-way TLS (server certificate verified with the CA). You do not need mutual TLS (mTLS) or a client certificate.

Download the TLS certificate from the Certificates section, then build a TrustStore:

Add CA certificate to Java TrustStore on client nodes

The CA certificate is a public certificate which verifies that the certificate presented by the Aerospike Database is signed by a trusted authority.

Replace all placeholder certificate filenames with the correct filenames for your system.

  1. The following command imports example.ca.crt into a new Java TrustStore named example.ca.jks. The new TrustStore will be used exclusively by the intended Java application.
Terminal window
keytool -importcert -storetype jks -alias example.ca \
-keystore example.ca.jks -file example.ca.crt \
-storepass changeit

Create a strong password

The previous example follows the Java convention of using “changeit” as the password. Change this to a strong password governed by your organization’s password policy.

  1. Verify the certificate is in the TrustStore with the keystore -list command:
Terminal window
keytool -list -keystore example.ca.jks -storepass changeit
Keystore type: jks
Keystore provider: SUN


Your keystore contains 1 entry


example.ca, Apr 5, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): 85:99:36:F8:20:A7:42:AA:ED:E6:9B:7B

The entry is listed as trustedCertEntry. This file can be stored on the filesystem with other public certificates.

Truststore Storage

Do not import the CA certificate into the default system-wide TrustStore of trusted CA certificates used by the Java runtime. Default system-wide trusted CA certificates present security issues, and are not allowed by many enterprise security requirements.

  1. Connect with TLS on port 4000:

    import com.aerospike.client.AerospikeClient;
    import com.aerospike.client.Host;
    import com.aerospike.client.policy.ClientPolicy;
    import com.aerospike.client.policy.TlsPolicy;
    

    String hostname = "<HOSTNAME>";
    

    Host host = new Host(hostname, hostname, 4000);
    

    ClientPolicy policy = new ClientPolicy();
    policy.user = "<DB_USERNAME>";
    policy.password = "<DB_PASSWORD>";
    policy.tlsPolicy = new TlsPolicy();
    

    AerospikeClient client = new AerospikeClient(policy, host);

  2. Start the JVM with your TrustStore. The store password must match keytool -storepass:

    Terminal window
    java -Djavax.net.ssl.trustStore=example.ca.jks \
      -Djavax.net.ssl.trustStorePassword=<STORE_PASSWORD> \
      -jar your-application.jar

For additional TLS options, see Java client: TLS secured connection.

Verify connectivity

Run verification from a host inside your peered VPC (the same network context as your application).

  1. Confirm you can resolve the cluster hostname to private IPs. Use the <HOSTNAME> value from the connection parameters table.

    Terminal window
    dig +short <HOSTNAME>

  2. Run your client with the configuration from the previous section.

  3. Write and read a test record (adjust namespace, set, and key for your cluster).

    After your client connects, write and read a single record in <NAMESPACE>. Use a default WritePolicy so you do not set a TTL. Add the following to your connect example (imports omitted if already present):

    import com.aerospike.client.Bin;
    import com.aerospike.client.Key;
    import com.aerospike.client.Record;
    import com.aerospike.client.policy.WritePolicy;
    

    Key key = new Key("<NAMESPACE>", "connectivity-test", "ping");
    client.put(new WritePolicy(), key, new Bin("status", "ok"));
    Record record = client.get(null, key);
    System.out.println("Read back: " + record);
    client.close();

    If the write succeeds and the read returns your bin values, TLS, RBAC, routing, and DNS are working for application traffic.

    If you include a delete in your smoke test and your cluster uses strong consistency (SC) mode, use DurableDelete (as shown in the Go example above). SC namespaces reject plain deletes. See FAIL_FORBIDDEN on writes.

Troubleshooting

Aerospike Cloud differs from a self-managed cluster in a few ways that affect clients:

  • TLS port 4000 and Hostname are in the Connection section on the Details tab. Use Hostname (not Cluster ID) as the seed address and TLS name.
  • Database users are separate from Aerospike Cloud console accounts. Applications authenticate with database user credentials only.
  • Record expiration is disabled by default (nsup-period is 0). Writes that set a TTL can return FAIL_FORBIDDEN until you enable record expiration.
  • Consistency mode is AP or SC, chosen at provisioning. Check Consistency mode in the Configuration section on the Details tab.

If the client cannot connect, use the connection table below. If put, get, or delete return FAIL_FORBIDDEN, see FAIL_FORBIDDEN on writes.

SymptomLikely causeWhat to check
Connection timeoutApp not in peered VPC, or network misconfigurationRun tests from EC2/EKS inside your peered VPC. See VPC peering troubleshooting for routing, security group, and DNS checks.
DNS failureHosted zone not associated with your VPCAssociate the private hosted zone. Confirm DNS hostnames and DNS resolution are enabled on the VPC.
TLS handshake failureWrong CA file, TLS name, or portConfirm TLS port is 4000, Hostname is the TLS name, and the CA file is from the Certificates section on the Details tab.
Peers not reachableClient resolves hostname but cannot reach node IPsRun client inside peered VPC. Confirm security groups allow outbound TCP 4000 to the Aerospike CIDR (10.128.0.0/19 by default).

FAIL_FORBIDDEN on writes

Write or delete operations can return FAIL_FORBIDDEN: Operation not allowed at this time (error code 22) even when the database user has the correct RBAC roles. The error can look like an RBAC or connectivity issue but is usually caused by one of the following.

The Aerospike server rejects writes that include a time to live (TTL) when the namespace has record expiration disabled. Record expiration is disabled when nsup-period is 0, which is the default for new Aerospike Cloud clusters. The server logs a warning similar to:

WARNING (rw): (write.c::) write_master: disallowed ttl with nsup-period 0

To resolve TTL-related failures, choose one of the following:

  • Remove the TTL from your client code. If your application does not require record expiration, omit the TTL from write operations (or set it to 0, meaning the record does not expire).
  • Enable record expiration on the cluster. If your application requires TTLs, set nsup-period to a non-zero value in advanced configuration.

In strong consistency (SC) mode, plain deletes (without the durable delete flag) are rejected because they do not produce the tombstone record needed to maintain consistency across nodes. The server requires durable_delete: true on the write policy for any delete operation.

Set DurableDelete (or the equivalent in your client language) on the write policy before calling delete. The Go verify example above shows this pattern. To allow non-durable deletes, set strong-consistency-allow-expunge: true in the namespace configuration, though this is not recommended for production.

What’s next
Feedback

Was this page helpful?

What type of feedback are you giving?

What would you like us to know?

+Capture screenshot

Can we reach out to you?