# Configure service settings for the JMS inbound connector

::: caution
This configuration is only valid for 2.0 and later.
:::

The `service` section of the `/etc/aerospike-jms-inbound/aerospike-jms-inbound.yml` file configures the connector’s `manage` section and the `cluster-name`.

The following options are available:

| Option | Required | Default | Description |
| --- | --- | --- | --- |
| `manage` | no | N/A | See [Querying and Managing Metrics and Logs](#querying-and-managing-metrics-and-logs) below. |
| `cluster-name` | no | product-name | Group or cluster this connector instance belongs to. Used for grouping instances in Prometheus. |

## Querying and Managing Metrics and Logs

You can use the [Management and Metrics API](https://aerospike.com/docs/connectors/streaming/common/management-api) to query and manage the JMS Inbound connector metrics and logs through a REST endpoint. Use the `manage` subsection of the `service` section to specify that endpoint and, optionally, the TLS settings that secure connections to it.

| Option | Required | Default | Description |
| --- | --- | --- | --- |
| `port` | no | none | The list of ports a `manage` service listens to. |
| `address` | no | 0.0.0.0 | The list of interface IP addresses the connector binds to. Use 0.0.0.0 for all interfaces. |
| `tls` | Required if `port` is not specified. | N/A | See [Configuring TLS](#configuring-tls) below. |

### Configuring TLS

To make secure connections, specify TLS settings in the `tls` option of the `service` section and the `manage` section.

The configuration options are:

| Option | Required | Default | Description |
| --- | --- | --- | --- |
| `port` | no |  | List of HTTPS/TLS ports the server listens to. |
| `key-store` | no |  | Keystore configuration containing the server-side certificate and key. See [Configuring a TLS Store](#configuring-a-tls-store). |
| `trust-store` | no | Default Java trust store. | Keystore configuration containing the trusted CA certificates. See [Configuring a TLS Store](#configuring-a-tls-store). |
| `protocols` | no | TLSv1.2 | List of allowed TLS protocols. |
| `ciphers` | no | Default Java ciphers | List of allowed ciphers. |
| `revoke-certificates` | no |  | Reject TLS certificates with the serial numbers specified in this list. |
| `allowed-peer-names` | no |  | List of client (Aerospike Database nodes) peer names for mutual authentication. If set, only those clients (Aerospike Database nodes) that present certificates matching the peer names will be allowed to connect. |
| `mutual-auth` | no | false | Specifies whether the connector must perform mutual authentication with the Aerospike cluster. |

#### Configuring a TLS store

The `key-store` and `trust-store` options describe how TLS keystores and truststores are configured. All relative file paths are resolved relative to the directory that contains the configuration file. See [Setting Up TLS Keystores for Aerospike Connect](https://aerospike.com/docs/connectors/streaming/common/keystores) for information about creating keystores.

| Option | Required | Default | Description |
| --- | --- | --- | --- |
| `store-file` | yes |  | The store file. |
| `store-password-file` | yes |  | Read store password from this file. |
| `key-password-file` | no |  | Read key password from this file. |
| `store-type` | no | JKS | Keystore type. Valid values are JKS, JCEKS, PKCS12, PKCS11, DKS, Windows\_MY, BKS, PEM \[1\]. |

**\[1\]** PEM format files are supported. See [configure a key store](#configure-a-tls-key-store-with-pem-files) and [configure a trust store](#configure-a-tls-trust-store-with-pem-files) for details.

#### Configure a TLS Key store with PEM files

OpenSSL default format and PKCS #8 format are supported for private keys.

| Option | Required | Description |
| --- | --- | --- |
| `store-type` | Yes | Value should be PEM. |
| `store-file` | Yes | Private Key in PEM format. Can be in encrypted or cleartext format. |
| `store-password-file` | Optional | Password that protects the private key specified as the value of the `store-file` parameter. |
| `certificate-chain-files` | Yes | List of files containing the X.509 certificate chain corresponding to the private key specified in `store-file`. Multiple entries in each certificate file are allowed. All entries from all files are concatenated in order, with the first X.509 certificate from the first file being added at index 0, and the last X.509 certificate from the last file being added last. The chain must be ordered and contain an X.509 certificate at index 0 corresponding to the private key specified in `store-file`. Any entries not corresponding to an X.509 certificate are ignored when reading the PEM format certificate files. |

Examples

```yaml
key-store:
  store-type: PEM
  store-file: key.pem # Cleartext private key.
  certificate-chain-files: # Certificate chain in multiple PEM files.
    - cert-1.pem
    - cert-2.pem
```

```yaml
key-store:
  store-type: PEM
  store-file: key.pem
  store-password-file: storepass # Password protecting key.pem.
  certificate-chain-files: certchain.pem
```

#### Configure a TLS Trust store with PEM files

OpenSSL default format and PKCS #8 format are supported for private keys.

| Option | Required | Description |
| --- | --- | --- |
| `store-type` | Yes | Value must be PEM. |
| `certificate-files` | Yes | The X.509 certificates to trust. All X.509 PEM entries in all the files are added to the trust store. Any entries not corresponding to an X.509 certificate are ignored. |

Examples

```yaml
trust-store:
  store-type: PEM
  certificate-files: certs.pem
```

```yaml
trust-store:
  store-type: PEM
  certificate-files:
    - certs-1.pem
    - certs-2.pem
```

#### Examples

##### Clear-text only

```yaml
service:
  port: 8080
  address: 192.168.5.154
  manage:
    address: 0.0.0.0
    port: 8902
```

##### TLS only

```yaml
service:
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
```

##### Clear text and TLS

```yaml
service:
  port: 8080
  address: 192.168.5.154
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    address: 0.0.0.0
    port: 8902
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
```
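The following is an added example, not part of the Aerospike documentation or connector code: a small Python check that flags exposure-relevant settings in a parsed `manage` block (clear-text listener scope, protocols older than TLSv1.2, mutual authentication off or unrestricted). It assumes the file has already been loaded into a dict by a YAML parser and that the TLS options described above apply under `manage.tls`; `audit_manage`, `as_list`, `WEAK_PROTOCOLS` and the finding wording are this example's own names.

```python
# Added example (not Aerospike code): audits a parsed `service.manage` block.
# Option names and defaults are from this page; the checks are assumptions.
WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}


def as_list(value):
    """Options appear on the page as either a scalar or a YAML list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_manage(config):
    """Return (option, finding) tuples for the service.manage block."""
    manage = (config.get("service") or {}).get("manage") or {}
    findings = []

    # Clear-text listener: `address` defaults to 0.0.0.0 (all interfaces).
    if as_list(manage.get("port")):
        addrs = [str(a) for a in as_list(manage.get("address"))] or ["0.0.0.0"]
        scope = "all interfaces" if "0.0.0.0" in addrs else ", ".join(addrs)
        findings.append(("manage.port", f"clear-text listener on {scope}"))

    tls = manage.get("tls")
    if tls is None:
        return findings

    # `protocols` defaults to TLSv1.2; flag anything older, ignoring case.
    for proto in as_list(tls.get("protocols")):
        if str(proto).lower() in WEAK_PROTOCOLS:
            findings.append(("manage.tls.protocols", f"{proto} is allowed"))

    # `mutual-auth` defaults to false; peer names only narrow it when it is on.
    if not tls.get("mutual-auth", False):
        findings.append(("manage.tls.mutual-auth", "mutual authentication is disabled"))
    elif not as_list(tls.get("allowed-peer-names")):
        findings.append(("manage.tls.allowed-peer-names",
                         "any certificate trusted by the trust store is accepted"))
    return findings


# Constructed sample mirroring the page's "Clear text and TLS" manage block.
SAMPLE = {"service": {"manage": {"address": "0.0.0.0", "port": 8902,
                                 "tls": {"port": 8903}}}}

if __name__ == "__main__":
    for option, finding in audit_manage(SAMPLE):
        print(f"{option}: {finding}")
```
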