Skip to main content

Security and Authentication for Aerospike Connect for Elasticsearch

Create a TLS Keystore

To use TLS, an Aerospike Connect for Elasticsearch connector requires a public/private key pair and corresponding certificate. These must be provided in a keystore file.

The connector supports the proprietary Java Keystore format ("JKS") and the PKCS #12 format. JKS is the default for Java versions prior to 9. PKCS #12 is the default for Java 9 and later.

For development and testing, you can generate a new key pair and certificate using the JDK's keytool command line utility. The following command creates a new keystore file and key/cert pair:

keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA

The keytool will prompt for a new password for the keystore file as well as some additional information about the certificate.

keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

If your existing private key and certificate (chain) are separate PEM files, you can use OpenSSL to combine them into a PKCS #12 keystore:

openssl pkcs12 -inkey ./key.pem -in ./cert.pem --export -out resources/keystore

If you have a chain of certificates because your CA is an intermediary, build the PKCS #12 file as follows:

cat ./cert.pem intermediate.pem rootCA.pem > cert-chain.pem
openssl pkcs12 -inkey ./key.pem -in ./cert-chain.pem -export -out resources/keystore

This command prompts you for an export password. It will set this as the keystore password of the newly-created keystore file. Update the tls configuration section as per above to use the test keystore.