Configure Services for Aerospike Connect for Elasticsearch
The service section of the aerospike-elasticsearch-outbound.yaml file configures the source connector's listening ports, TLS, and network interface.
The following options are available:
Option | Required | Default | Description | Details |
---|---|---|---|---|
protocol | no | TCP | Incoming protocol for the source connector. | Valid values are TCP when the change notification source is Aerospike Database 5.0 or later, or HTTP_1_1 when the change notification source is prior to Database 5.0. TCP is the default. |
port | no | 8080 | List of ports the source connector listens to. | |
address | no | 0.0.0.0 | List of interface IP addresses the source connector binds to. | Use 0.0.0.0 for all interfaces. |
tls | Required, if port not specified. | N/A | See TLS. | |
io-threads | no | # of processors | Number of IO threads to read, parse incoming XDR requests and to write acknowledgments to XDR. | |
worker-threads | no | # of processors | Number of threads that will invoke the connector to dispatch a record. | |
max-concurrent-records | no | 32768 | Maximum number of XDR records to concurrently process in the source connector. | |
manage | no | N/A | See Metrics and Logs. | |
cluster-name | no | product-name | Group or cluster this connector instance belongs to. | Used for grouping instances in Prometheus. |
enable-tcp-xdr-ack-buffering (introduced in 2.2.0) | no | true | Enables buffering of XDR acks for protocol TCP. | |
Protocols
The incoming protocol for the connector. Valid values are:
Protocol | Description |
---|---|
TCP | The change notification source is Database 5.0 or later. This is the default. |
HTTP_1_1 | The change notification source is Database 4.9 or earlier. |
Metrics and Logs
Use the Management and Metrics API to query and manage the source (outbound) server metrics and logs through a REST endpoint. The manage subsection of the service section specifies the endpoint and, optionally, the TLS settings for securing connections to it.
Option | Required | Default | Description |
---|---|---|---|
port | no | none | List of ports a manage service listens to. |
address | no | 0.0.0.0 | List of interface IP addresses the connector binds to. Use 0.0.0.0 for all interfaces. |
tls | Required if port is not specified. | N/A | See TLS. |
TLS
The tls option of the service section and the manage section specifies TLS settings for making secure connections.
Option | Required | Default | Description |
---|---|---|---|
port | no | | List of HTTPS/TLS ports the server listens to. |
key-store | no | | Keystore configuration containing the server-side certificate and key. See TLS Store. |
trust-store | no | Default Java trust store. | Keystore configuration containing the trusted CA certificates. See TLS Store. |
protocols | no | TLSv1.2 | List of allowed TLS protocols. |
ciphers | no | Default Java ciphers | List of allowed ciphers. |
revoke-certificates | no | | Reject TLS certificates with the serial numbers specified in this list. |
allowed-peer-names | no | | List of client (Aerospike Database nodes) peer names for mutual authentication. If set, only those clients (Aerospike Database nodes) that present certificates matching the peer names are allowed to connect. |
mutual-auth | no | false | Specifies whether the source connector must perform mutual authentication with the Aerospike cluster. |
TLS store
The key-store and trust-store options describe how TLS keystores and truststores are configured. All relative file paths are considered relative to the directory in which the configuration file is located.
See Setting Up TLS Keystores for Aerospike Connect for information about creating keystores.
Option | Required | Default | Description |
---|---|---|---|
store-file | yes | | The store file. |
store-password-file | yes | | Read store password from this file. |
key-password-file | no | | Read key password from this file. |
store-type | no | JKS | The keystore type. Valid values are JKS, JCEKS, PKCS12, PKCS11, DKS, Windows_MY, BKS, PEM [1] |
[1] NOTE: PEM format files are supported. See configure a key store and configure a trust store for details.
TLS Key store with PEM files
OpenSSL default format and PKCS #8 format are supported for private keys.
Option | Required | Description |
---|---|---|
store-type | Yes | Value should be PEM. |
store-file | Yes | Private Key in PEM format. Can be in encrypted or cleartext format. |
store-password-file | Optional | Password that protects the private key specified as the value of the store-file parameter. |
certificate-chain-files | Yes | List of files containing the X.509 certificate chain corresponding to the private key specified in store-file. Multiple entries in each certificate file are allowed. All entries from all files are concatenated in order, with the first X.509 certificate from the first file added at index 0 and the last X.509 certificate from the last file added last. The chain must be ordered and contain an X.509 certificate at index 0 corresponding to the private key specified in store-file. Any entries not corresponding to an X.509 certificate are ignored when reading the PEM format certificate files. |
Examples
...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem # Cleartext private key.
      certificate-chain-files: # Certificate chain in multiple PEM files.
        - cert-1.pem
        - cert-2.pem
    ...
  ...
...

...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem
      store-password-file: storepass # Password protecting key.pem.
      certificate-chain-files: certchain.pem
    ...
  ...
...
TLS Trust store with PEM files
OpenSSL default format and PKCS #8 format are supported for private keys.
Option | Required | Description |
---|---|---|
store-type | Yes | The value must be PEM. |
certificate-files | Yes | The X.509 certificates to trust. All X.509 PEM entries in all the files are added to the trust store. Any entries not corresponding to an X.509 certificate are ignored. |
Examples
...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files: certs.pem
    ...
  ...
...

...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files:
        - certs-1.pem
        - certs-2.pem
    ...
  ...
...
Examples
Clear-text only
...
service:
  port: 8080
  address: 192.168.5.154
  manage:
    address: 0.0.0.0
    port: 8902
...
TLS only
...
service:
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...
Clear text and TLS
...
service:
  port: 8080
  address: 192.168.5.154
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    address: 0.0.0.0
    port: 8902
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...
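
An added example, not part of the Aerospike documentation: a Python check that walks the service section and its manage subsection and reports clear-text listeners, TLS blocks where mutual-auth is not enabled, and protocols older than TLSv1.2. It assumes the YAML has already been parsed into a dict (for instance with yaml.safe_load); the function names and finding strings are this example's own.

```python
# Added example: audit the `service` section of aerospike-elasticsearch-outbound.yaml.
# Input is the already-parsed YAML; names and finding texts are this example's own,
# not part of the connector.
WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}  # older than the documented default TLSv1.2

def as_list(value):
    """Options documented as lists may be written as a scalar or as a YAML list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_listener(name, section):
    """Findings for one listener block: `service` or its `manage` subsection."""
    findings = []
    ports, tls = as_list(section.get("port")), section.get("tls")
    if not ports and tls is None:
        findings.append(f"{name}: neither port nor tls set; tls is required if port is not specified")
    if ports:
        addrs = as_list(section.get("address")) or ["0.0.0.0"]  # documented default
        where = "all interfaces" if "0.0.0.0" in addrs else ", ".join(addrs)
        findings.append(f"{name}: clear-text port {ports} on {where}")
    if tls is not None:
        if tls.get("mutual-auth") is not True:  # documented default is false
            findings.append(f"{name}.tls: mutual-auth is not enabled")
        weak = [p for p in as_list(tls.get("protocols")) if str(p).lower() in WEAK_PROTOCOLS]
        if weak:
            findings.append(f"{name}.tls: weak protocols {weak}")
    return findings

def audit(config):
    """Audit `service` and, when present, the `manage` subsection nested in it."""
    service = config.get("service") or {}
    findings = audit_listener("service", service)
    if "manage" in service:
        findings += audit_listener("service.manage", service["manage"] or {})
    return findings

# Constructed samples: MIXED mirrors the page's "Clear text and TLS" example
# (stores omitted); HARDENED drops the clear-text ports and turns on mutual-auth.
MIXED = {"service": {
    "port": 8080, "address": "192.168.5.154",
    "tls": {"port": 8443, "allowed-peer-names": ["asd.aerospike.com"], "protocols": ["tlsv1.3"]},
    "manage": {"address": "0.0.0.0", "port": 8902, "tls": {"port": 8903}}}}
HARDENED = {"service": {
    "tls": {"port": 8443, "mutual-auth": True, "allowed-peer-names": ["asd.aerospike.com"],
            "protocols": ["tlsv1.3"]},
    "manage": {"tls": {"port": 8903, "mutual-auth": True}}}}

if __name__ == "__main__":
    for label, cfg in (("mixed", MIXED), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```
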