# TLS setup for Aerospike Graph Service

## Overview

This page describes how to set up Transport Layer Security (TLS) for encrypting network traffic between Aerospike Graph Service (AGS) and the Aerospike Database (ASDB).

### Prerequisites

-   A running instance of an Aerospike database
-   A Certificate Authority (CA)
-   Two signed certificate/key pairs (one for the Aerospike database and one for each of your AGS instances)

## Enable TLS

1.  Enable TLS on your Aerospike database
    
    See [TLS Configuration](https://aerospike.com/docs/database/manage/network/tls) in the ASDB documentation to set up TLS on the Aerospike database.
    
2.  Edit your Aerospike configuration file
    
    When all your certificates are in place, edit `aerospike.conf` (located at `/etc/aerospike/aerospike.conf` by default). Replace the placeholder `HOSTNAME` with the hostname for which the server's TLS certificate was issued.
    
    The following sample `network` context shows the required parameters for enabling TLS.
    
    ```plaintext
    network {
        tls HOSTNAME {
            cert-file /opt/aerospike/etc/aerospike_server.crt
            key-file /opt/aerospike/etc/aerospike_server.key
            ca-file /opt/aerospike/etc/ca.crt
            protocols TLSv1.2
        }

        service {
            address any
            access-address 172.17.0.1
            alternate-access-address 127.0.0.1
            access-port 3000
            port 3000
            tls-address any
            tls-port 4303
            tls-authenticate-client false
            tls-name HOSTNAME

            # Uncomment the following to set the `access-address` parameter to the
            # IP address of the Docker host. This allows the server to correctly
            # publish the address that applications and other nodes in the cluster
            # use when addressing this node.
            # access-address IPADDR
        }
    }
    ```
    
    ::: important
    The `tls-name` parameter must be the common name (CN) for which the certificate on the Aerospike database is signed, and AGS must be able to resolve it as a DNS hostname. That DNS hostname must resolve to the IP address of the Aerospike database.
    :::
    
3.  Set up certificates for your AGS instances
    
    Put the CA certificate and the AGS certificate/key pair in a Java KeyStore, and the CA certificate in a Java TrustStore. Both files must use the `.jks` extension.
    
4.  Enable TLS for AGS
    
    If you use a [properties file](https://aerospike.com/docs/graph/2.5.0/install/docker#use-a-properties-file) to start your graph server, add the parameter `tls=true` to the file.
    
    You can also use the command-line argument `-e TLS=true` when starting the Graph Docker image.
    
5.  Set up the JAVA\_OPTIONS environment variable
    
    The JAVA\_OPTIONS environment variable holds the paths and passwords for your KeyStore and TrustStore. The paths refer to the files inside the Docker container in which you run the Graph Docker image. The following example shows the format:
    
    ```plaintext
    JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/path/to/trust-store.jks -Djavax.net.ssl.keyStore=/path/to/key-store.jks -Djavax.net.ssl.trustStorePassword=abc123 -Djavax.net.ssl.keyStorePassword=abc123
    ```
    
6.  Start the Graph Docker image
    
    Export the JAVA\_OPTIONS environment variable in your shell and pass it through with `-e JAVA_OPTIONS` when starting the Graph Docker image. `<graph-image>` below stands for the image name and any other options you normally use to start AGS.
    
    ```bash
    # JAVA_OPTIONS is read from the current shell environment (see step 5).
    docker run -e JAVA_OPTIONS -e TLS=true <graph-image>
    ```
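As an added pre-flight check (not Aerospike code), the script below parses the `network` context from step 2, flags a `tls-name` that still holds the `HOSTNAME` placeholder or disagrees with the `tls` stanza name, and can perform the same verified handshake AGS will attempt against `tls-port`, so a name mismatch fails before the graph server is started. The hostname `asdb.example.internal` and the embedded configuration are constructed for the example.

```python
import re
import socket
import ssl
# Constructed sample: the page's network context with HOSTNAME filled in.
SAMPLE_CONF = """
network {
    tls asdb.example.internal {
        cert-file /opt/aerospike/etc/aerospike_server.crt
        key-file /opt/aerospike/etc/aerospike_server.key
        ca-file /opt/aerospike/etc/ca.crt
    }
    service {
        tls-port 4303
        tls-name asdb.example.internal
    }
}
"""

def parse_network_tls(conf_text):
    """Return the tls stanza name, its file paths and the service tls-name/tls-port."""
    cfg = {}
    stanza = re.search(r"\btls\s+(\S+)\s*\{(.*?)\}", conf_text, re.S)
    if stanza:
        cfg["tls_stanza"] = stanza.group(1)
        for key in ("cert-file", "key-file", "ca-file"):
            if m := re.search(rf"^\s*{key}\s+(\S+)", stanza.group(2), re.M):
                cfg[key] = m.group(1)
    for key in ("tls-name", "tls-port"):
        if m := re.search(rf"^\s*{key}\s+(\S+)", conf_text, re.M):
            cfg[key] = m.group(1)
    return cfg

def config_problems(cfg):
    """Mismatches that would make the AGS handshake fail; an empty list is good."""
    problems = [f"{k} missing from tls stanza" for k in ("cert-file", "key-file", "ca-file") if k not in cfg]
    if cfg.get("tls-name") in (None, "HOSTNAME"):
        problems.append("tls-name is missing or still the HOSTNAME placeholder")
    elif cfg.get("tls_stanza") != cfg["tls-name"]:
        problems.append(f"tls stanza {cfg.get('tls_stanza')!r} != tls-name {cfg['tls-name']!r}")
    return problems

def handshake_cn(tls_name, port, ca_file, host=None):
    """Connect as AGS would: chain verified against ca_file, cert must be issued for tls_name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the page configures `protocols TLSv1.2`
    with socket.create_connection((host or tls_name, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:  # raises on name mismatch
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

`handshake_cn` needs the live database; the parser and consistency check run offline against the configuration file alone.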