Configure TCP

Use a TCP listener when Secret Agent and Aerospike Database run on different hosts, or when you need TLS encryption for the connection. For same-host deployments where TLS is not required, consider using a UDS connection instead.

To configure a TCP listener, add the tcp section to the service context in your Secret Agent configuration file:

service:
  tcp:
    endpoint: 0.0.0.0:3005

The endpoint value specifies the address and port where Secret Agent listens for connections. An address of 0.0.0.0 listens on all interfaces. To listen on a specific interface, set the address to that interface’s IP address. The IP address can be in IPv4 or IPv6 format.

TLS configuration

Secret Agent supports TLS v1.2 and v1.3 over TCP.

For one-way authentication, where the client verifies Secret Agent’s identity:

service:
  tcp:
    endpoint: 0.0.0.0:3005
    tls:
      cert-file: /etc/aerospike/secret-agent/cert.pem
      key-file: /etc/aerospike/secret-agent/key.pem

For mutual authentication, add ca-file to verify client certificates:

service:
  tcp:
    endpoint: 0.0.0.0:3005
    tls:
      cert-file: /etc/aerospike/secret-agent/cert.pem
      key-file: /etc/aerospike/secret-agent/key.pem
      ca-file: /etc/aerospike/secret-agent/ca-file.pem

The certificate and key files must be readable by the Secret Agent process and must be in PEM format. The client (Aerospike Database or other tools) must have the corresponding CA certificate to validate these certificates.
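
A pre-flight check for the TCP listener settings described above, as an added example that is not part of Secret Agent or its documentation. It assumes the service context has already been parsed into a Python dict; the names audit_tcp and pem_labels are hypothetical, and the key-file permission check is an added hardening step that this page does not require.

```python
import os
import stat

WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]"}  # addresses that listen on all interfaces
# config key -> PEM label the file is expected to contain
EXPECTED = {"cert-file": "CERTIFICATE", "key-file": "PRIVATE KEY", "ca-file": "CERTIFICATE"}

def pem_labels(path):
    """Return the labels of the PEM blocks in a file, e.g. ['CERTIFICATE']."""
    labels = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                labels.append(line[11:-5])
    return labels

def audit_tcp(service):
    """Audit the already-parsed 'service' mapping; return a list of findings."""
    tcp = service.get("tcp", {})
    endpoint = tcp.get("endpoint", "")
    tls = tcp.get("tls")
    if tls is None:
        findings = [f"warn: no tls section, {endpoint} accepts cleartext"]
        if endpoint.rsplit(":", 1)[0] in WILDCARD_HOSTS:
            findings.append("warn: cleartext listener is bound to all interfaces")
        return findings
    findings = []
    for key, label in EXPECTED.items():
        path = tls.get(key)
        if path is None:
            findings.append("info: no ca-file, client certificates are not verified"
                            if key == "ca-file" else f"error: {key} is not set")
            continue
        try:
            labels = pem_labels(path)
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            findings.append(f"error: {key} unreadable: {exc.strerror}")
            continue
        if not any(found.endswith(label) for found in labels):
            findings.append(f"error: {key} has no PEM {label} block")
        if key == "key-file" and mode & 0o077:
            findings.append(f"warn: key-file mode {mode:o} allows group/other access")
    return findings

if __name__ == "__main__":
    # Constructed config mirroring the one-way TLS example; paths may not exist here.
    tls = {"cert-file": "/etc/aerospike/secret-agent/cert.pem",
           "key-file": "/etc/aerospike/secret-agent/key.pem"}
    for finding in audit_tcp({"tcp": {"endpoint": "0.0.0.0:3005", "tls": tls}}):
        print(finding)
```

Run it as the account that runs Secret Agent so that the readability result reflects what the agent process will see.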

See the Aerospike TLS configuration guide for details on configuring TLS certificates with Aerospike Database.
