TLS setup for Aerospike Graph Service
Overview
This page describes how to set up Transport Layer Security (TLS) for encrypting network traffic between Aerospike Graph Service (AGS) and the Aerospike Database (ASDB).
Prerequisite
- A running instance of an Aerospike database
- A Certificate Authority (CA)
- Two signed certificate/key pairs (one for the Aerospike database and one for each of your AGS instances)
Enable TLS
Enable TLS on your Aerospike database
See TLS Configuration in the ASDB documentation to set up TLS on the Aerospike database.
Edit your Aerospike configuration file
When all your certificates are in place, edit aerospike.conf (located at /etc/aerospike/aerospike.conf by default). Replace the placeholder HOSTNAME with the signed hostname of the SSL certificate. The following sample network context shows the required parameters for enabling TLS.

    network {
        tls HOSTNAME {
            cert-file /opt/aerospike/etc/aerospike_server.crt
            key-file /opt/aerospike/etc/aerospike_server.key
            ca-file /opt/aerospike/etc/ca.crt
            protocols TLSv1.2
        }
        service {
            address any
            access-address 172.17.0.1
            alternate-access-address 127.0.0.1
            access-port 3000
            port 3000
            tls-address any
            tls-port 4303
            tls-authenticate-client false
            tls-name HOSTNAME
            # Uncomment the following to set the `access-address` parameter to the
            # IP address of the Docker host. This allows the server to correctly
            # publish the address that applications and other nodes in the cluster
            # use when addressing this node.
            # access-address IPADDR
        }
    }

Info: The tls-name parameter must be the cluster name (CN) that the certificate on the Aerospike database is signed for, and AGS must be able to resolve it as a DNS hostname. The DNS hostname must resolve to the IP address of the Aerospike database.

Set up certificates for your AGS instances
Put the CA and a certificate/key pair in a Java KeyStore, and the CA in a Java TrustStore. Both files must use the extension .jks.

Enable TLS for AGS
If you use a properties file to start your graph server, add the parameter tls=true to the file. You can also use the command-line argument -e TLS=true when starting the Graph Docker image.

Set up the JAVA_OPTIONS environment variable
The JAVA_OPTIONS environment variable holds the path and password information for your KeyStore and TrustStore. The paths are the locations of the files inside the Docker container where you run the Graph Docker image, not on the host. The following example shows usage:
JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/path/to/trust-store.jks -Djavax.net.ssl.keyStore=/path/to/key-store.jks -Djavax.net.ssl.trustStorePassword=abc123 -Djavax.net.ssl.keyStorePassword=abc123
Start the Graph Docker image
Include the JAVA_OPTIONS environment variable when starting the Graph Docker image.
-e JAVA_OPTIONS
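The page says to put the CA and the AGS cert/key pair into .jks files and to hand their paths and passwords to the container through JAVA_OPTIONS, but does not show the commands. The following script is an added example, not code from the Aerospike documentation: it builds the TrustStore and KeyStore with keytool and openssl, checks that the tls-name from the info note above appears in the server certificate and resolves, and assembles the JAVA_OPTIONS value. File names, aliases, the container paths and the image name are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the Aerospike docs). Assumes keytool (JDK) and
# openssl are on PATH. All paths, aliases and passwords are placeholders.
set -eu

# TrustStore: holds only the CA that signed the database's certificate.
build_truststore() {
  ca_crt=$1; store=$2; pass=$3
  keytool -importcert -trustcacerts -noprompt -alias aerospike-ca \
    -file "$ca_crt" -keystore "$store" -storetype JKS -storepass "$pass"
}

# KeyStore: bundle the AGS cert/key pair (plus CA chain) into PKCS12 first,
# then convert to JKS because AGS requires the .jks extension.
build_keystore() {
  crt=$1; key=$2; ca_crt=$3; store=$4; pass=$5
  p12="${store%.jks}.p12"
  openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$ca_crt" \
    -name ags -out "$p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$store" -deststoretype JKS -deststorepass "$pass"
  rm -f "$p12"   # the intermediate PKCS12 holds the private key; do not leave it behind
}

# Pre-flight for the info note: tls-name must be in the server certificate's
# SAN (or subject) and must resolve to the database address (getent is glibc).
check_tls_name() {
  server_crt=$1; name=$2
  openssl x509 -in "$server_crt" -noout -ext subjectAltName -subject 2>/dev/null \
    | grep -q "$name" || { echo "$name not in server certificate" >&2; return 1; }
  getent hosts "$name" >/dev/null || { echo "$name does not resolve" >&2; return 1; }
}

# Compose JAVA_OPTIONS in the form the page shows, from container-side store
# paths and passwords; rejects anything that is not a .jks path.
build_java_options() {
  ts=$1; ks=$2; ts_pass=$3; ks_pass=$4
  case "$ts" in *.jks) ;; *) echo "truststore must end in .jks" >&2; return 1;; esac
  case "$ks" in *.jks) ;; *) echo "keystore must end in .jks" >&2; return 1;; esac
  printf '%s' "-Djavax.net.ssl.trustStore=$ts -Djavax.net.ssl.keyStore=$ks -Djavax.net.ssl.trustStorePassword=$ts_pass -Djavax.net.ssl.keyStorePassword=$ks_pass"
}

# Usage (placeholders): build the stores on the host, mount them read-only into
# the container, and pass the container-side paths via JAVA_OPTIONS:
#   build_truststore ca.crt trust-store.jks "$TS_PASS"
#   build_keystore ags.crt ags.key ca.crt key-store.jks "$KS_PASS"
#   check_tls_name aerospike_server.crt HOSTNAME
#   docker run -e TLS=true -v "$PWD:/opt/ags/tls:ro" \
#     -e JAVA_OPTIONS="$(build_java_options /opt/ags/tls/trust-store.jks /opt/ags/tls/key-store.jks "$TS_PASS" "$KS_PASS")" <graph-image>
```

Passing passwords through an environment variable makes them visible to anyone who can inspect the container (for example with docker inspect); treat the JAVA_OPTIONS value as a secret.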