Configure the Aerospike XDR Proxy service

Overview

This page describes how to configure the XDR Proxy service.

Service

The service section configures the connector's listening ports, TLS settings and network interfaces.

The following options are available:

| Option | Required | Default | Description |
|---|---|---|---|
| protocol | no | TCP | Incoming protocol for the connector. See Protocols for details. |
| port | no | 8080 | List of ports the connector listens to. |
| address | no | 0.0.0.0 | List of interface IP addresses the connector binds to. Use 0.0.0.0 for all interfaces. |
| tls | Required if port is not specified. | N/A | See Configuring TLS. |
| io-threads | no | number of processors | Number of IO threads that read and parse incoming XDR requests and write acknowledgments back to XDR. |
| worker-threads | no | number of processors | Number of threads that invoke the connector to dispatch a record. |
| max-concurrent-records | no | 32768 | Maximum number of XDR records the connector processes concurrently. |
| manage | no | N/A | See Querying and Managing Metrics and Logs. |
| cluster-name | no | product name | Group or cluster this connector instance belongs to. Used for grouping instances in Prometheus. |
| enable-tcp-xdr-ack-buffering | no | true | Enables buffering of XDR acknowledgments for protocol TCP. |
| socket-receive-buffer-bytes | no | 32768 | Number of bytes read from an incoming XDR connection in each attempt. A larger buffer is recommended for large records. |

Binding address to 0.0.0.0 exposes the listener on every interface; prefer the address of the interface the XDR source cluster actually uses. For several examples of the service section of the config file, see Examples at the bottom of this page.

Protocols

The incoming protocol for the connector. Valid values are:

| Protocol | Description |
|---|---|
| TCP | The change notification source is Database 5.0 or later. This is the default. |
| HTTP_1_1 | The change notification source is Database 4.9 or earlier. |
| HTTP_2 | The change notification source is the ESP connector. |

Querying and Managing Metrics and Logs

You can use the Management and Metrics API to query and manage the connector's metrics and logs through a REST endpoint. The manage subsection of the service section specifies that endpoint and, optionally, the TLS settings that secure connections to it. Because this endpoint exposes operational control of the connector, restrict its address or serve it over TLS rather than leaving it in clear text on all interfaces.

| Option | Required | Default | Description |
|---|---|---|---|
| port | no | none | List of ports the manage service listens to. |
| address | no | 0.0.0.0 | List of interface IP addresses the connector binds to. Use 0.0.0.0 for all interfaces. |
| tls | Required if port is not specified. | N/A | See Configuring TLS below. |

Configuring TLS

In the tls option of the service section and of the manage section, you can specify TLS settings for accepting secure connections.

The configuration options are:

| Option | Required | Default | Description |
|---|---|---|---|
| port | no | | List of HTTPS/TLS ports the server listens to. |
| key-store | no | | Keystore configuration containing the server-side certificate and key. See Configuring a TLS store. |
| trust-store | no | Default Java trust store | Keystore configuration containing the trusted CA certificates. See Configuring a TLS store. |
| protocols | no | TLSv1.2 | List of allowed TLS protocols. |
| ciphers | no | Default Java ciphers | List of allowed ciphers. |
| revoke-certificates | no | | Reject TLS certificates whose serial numbers appear in this list. |
| allowed-peer-names | no | | List of client (Aerospike Database node) peer names for mutual authentication. If set, only clients that present certificates matching one of these peer names are allowed to connect. |
| mutual-auth | no | false | Whether the connector must perform mutual authentication with the Aerospike cluster, that is, require the connecting Aerospike Database nodes to present a client certificate. |
| cert-refresh-interval-ms | no | | Interval in milliseconds at which the configured TLS files are checked for updates. If empty, certificates are not refreshed. |

The trust-store default is the Java runtime's bundled set of public CAs. When you enable mutual-auth, point trust-store at the CA that issues your Aerospike Database node certificates so that certificates from unrelated public CAs are not accepted as clients.

Configuring a TLS store

The key-store and trust-store options describe how TLS keystores and truststores are configured. All relative file paths are resolved relative to the directory that contains the configuration file, not the working directory of the process. See Setting Up TLS Keystores for Aerospike Connect for information about creating keystores.

| Option | Required | Default | Description |
|---|---|---|---|
| store-file | yes | | The store file. |
| store-password-file | yes | | Read the store password from this file. |
| key-password-file | no | | Read the key password from this file. |
| store-type | no | JKS | Keystore type. Valid values are JKS, JCEKS, PKCS12, PKCS11, DKS, Windows_MY, BKS, PEM [1]. |

[1] PEM format files are supported. See Configure a TLS Key store with PEM files and Configure a TLS Trust store with PEM files for details.

Configure a TLS Key store with PEM files

OpenSSL default format and PKCS #8 format are supported for private keys.

| Option | Required | Description |
|---|---|---|
| store-type | Yes | Value must be PEM. |
| store-file | Yes | Private key in PEM format, either encrypted or cleartext. |
| store-password-file | Optional | File containing the password that protects the private key given in store-file. |
| certificate-chain-files | Yes | List of files containing the X.509 certificate chain for the private key given in store-file. Each file may contain multiple entries. All entries from all files are concatenated in order: the first X.509 certificate of the first file is placed at index 0 and the last X.509 certificate of the last file is placed last. The chain must be ordered, and the certificate at index 0 must correspond to the private key in store-file. Entries that are not X.509 certificates are ignored when the PEM certificate files are read. |

Examples

```yaml
...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem # Cleartext private key.
      certificate-chain-files: # Certificate chain in multiple PEM files.
        - cert-1.pem
        - cert-2.pem
    ...
  ...
...
```

```yaml
...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem
      store-password-file: storepass # Password protecting key.pem.
      certificate-chain-files: certchain.pem
    ...
  ...
...
```

Configure a TLS Trust store with PEM files

A trust store holds only X.509 certificates; no private key is involved.

| Option | Required | Description |
|---|---|---|
| store-type | Yes | Value must be PEM. |
| certificate-files | Yes | X.509 certificates to trust. All X.509 PEM entries in all the files are added to the trust store. Entries that are not X.509 certificates are ignored. |

Examples

```yaml
...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files: certs.pem
    ...
  ...
...
```

```yaml
...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files:
        - certs-1.pem
        - certs-2.pem
    ...
  ...
...
```
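Both PEM sections above describe the same loading rule: entries from all listed files are concatenated in order, and anything that is not an X.509 certificate is skipped. The Python below is an added example, not Aerospike's code; it applies that rule to constructed PEM files (the base64 payloads are placeholder DER SEQUENCEs, not real certificates or keys) so you can confirm before deployment that the leaf lands at index 0 and see which entries the proxy would ignore. It also reports ignored private-key blocks, because a key that ends up in a chain or trust file is a leak even though the proxy skips it.

```python
"""Assemble a PEM certificate chain the way this page describes certificate-chain-files.

Added example, not Aerospike's code: it re-implements the documented rule (all
files concatenated in order, leaf at index 0, non-certificate PEM entries
ignored) so chain and trust files can be checked before the proxy loads them.
CONSTRUCTED input: the base64 payloads are 5-byte placeholder DER SEQUENCEs,
not real certificates or keys.
"""
import base64
import re

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_entries(text):
    """Yield (label, der_bytes) for every PEM block in text, in file order."""
    for match in _PEM_BLOCK.finditer(text):
        yield match.group(1), base64.b64decode("".join(match.group(2).split()))


def assemble_chain(files):
    """files: ordered [(filename, contents)], as listed in certificate-chain-files.

    Returns (chain, ignored): chain is every CERTIFICATE entry from every file
    as DER, in order, so chain[0] is the first certificate of the first file
    (the leaf that must match the key-store private key); ignored lists the
    (filename, label) of entries the proxy skips because they are not X.509.
    """
    chain, ignored = [], []
    for filename, text in files:
        for label, der in pem_entries(text):
            if label != "CERTIFICATE":
                ignored.append((filename, label))
            elif not der or der[0] != 0x30:  # every DER X.509 certificate is a SEQUENCE
                raise ValueError(f"{filename}: CERTIFICATE entry is not DER")
            else:
                chain.append(der)
    if not chain:
        raise ValueError("no X.509 certificate found; the chain needs the leaf at index 0")
    return chain, ignored


def private_key_leaks(ignored):
    """Ignored entries that carry private key material.

    The proxy skips them silently, but a key inside a chain or trust file
    usually means the wrong file was shipped, often with lax permissions.
    """
    return [(name, label) for name, label in ignored if "PRIVATE KEY" in label]


def pem_block(label, der):
    """Wrap DER bytes in a PEM block (used here only to build the constructed input)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# CONSTRUCTED placeholders: SEQUENCE { INTEGER n }, enough to tell the entries apart.
LEAF, INTERMEDIATE, ROOT = (bytes([0x30, 0x03, 0x02, 0x01, n]) for n in (1, 2, 3))
# cert-1.pem: leaf plus the stray "EC PARAMETERS" block that openssl ecparam emits.
CERT_1_PEM = pem_block("CERTIFICATE", LEAF) + pem_block("EC PARAMETERS", b"\x06\x00")
# cert-2.pem: intermediate then root, as produced by concatenating issuer certificates.
CERT_2_PEM = pem_block("CERTIFICATE", INTERMEDIATE) + pem_block("CERTIFICATE", ROOT)

if __name__ == "__main__":
    chain, ignored = assemble_chain([("cert-1.pem", CERT_1_PEM), ("cert-2.pem", CERT_2_PEM)])
    print(len(chain), "certificates; index 0 is", chain[0].hex(), "; ignored:", ignored)
    print("private keys in certificate files:", private_key_leaks(ignored))
```

Run it against your real cert-1.pem and cert-2.pem in the same order as the configuration lists them; if chain[0] is not the certificate issued for the key in store-file, reorder the files or the entries rather than relying on the proxy to sort them, because the page states the chain must already be ordered.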

Examples

Clear-text only

XDR records and management traffic both travel unencrypted here, and the manage endpoint is bound to every interface. Use this form only on a network you trust end to end.

```yaml
...
service:
  port: 8080
  address: 192.168.5.154
  manage:
    address: 0.0.0.0
    port: 8902
...
```

TLS only

```yaml
...
service:
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...
```

Clear text and TLS

```yaml
...
service:
  port: 8080
  address: 192.168.5.154
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    address: 0.0.0.0
    port: 8902
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...
```
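The three configurations above differ only in what they expose in clear text. The Python lint below is an added example, not part of Aerospike's documentation or software. It transcribes the page's "Clear-text only" and "TLS only" examples as dicts (a deployment would parse the YAML file instead), then flags a clear-text manage endpoint, any protocols entry older than the TLSv1.2 default, a service with neither port nor tls, and allowed-peer-names set without mutual-auth, and it resolves every store path against the configuration file's directory as the Configuring a TLS store section specifies. The severity levels, and the check that pairs allowed-peer-names with mutual-auth, are this lint's own conservative policy rather than behaviour documented on this page.

```python
"""Lint an Aerospike XDR Proxy `service` section for exposure and TLS pitfalls.

Added example, not Aerospike's code. CONSTRUCTED input: the page's
"Clear-text only" and "TLS only" examples transcribed as Python dicts (a
deployment would load the YAML file instead). Only options documented on
this page are inspected; severities are this lint's own policy.
"""
from pathlib import PurePosixPath

# Anything older than the page's default of TLSv1.2; compared case-insensitively.
WEAK_TLS_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}
FILE_OPTIONS = ("store-file", "store-password-file", "key-password-file",
                "certificate-chain-files", "certificate-files")

_STORES = {  # CONSTRUCTED: the store entries shared by the page's TLS examples
    "trust-store": {"store-file": "tls/ca.aerospike.com.truststore.jks",
                    "store-password-file": "tls/storepass"},
    "key-store": {"store-file": "tls/connector.aerospike.com.keystore.jks",
                  "store-password-file": "tls/storepass",
                  "key-password-file": "tls/keypass"},
}
CLEAR_TEXT_ONLY = {"service": {"port": 8080, "address": "192.168.5.154",
                               "manage": {"address": "0.0.0.0", "port": 8902}}}
TLS_ONLY = {"service": {
    "tls": {"port": 8443, "allowed-peer-names": ["asd.aerospike.com"],
            "protocols": ["tlsv1.3"], **_STORES},
    "manage": {"tls": {"port": 8903, **_STORES}},
}}
CLEAR_TEXT_AND_TLS = {"service": {
    **CLEAR_TEXT_ONLY["service"], "tls": TLS_ONLY["service"]["tls"],
    "manage": {**CLEAR_TEXT_ONLY["service"]["manage"], **TLS_ONLY["service"]["manage"]},
}}


def _as_list(value):
    """port, address and protocols accept either a scalar or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _lint_tls(tls, where, findings):
    protocols = {str(p).lower() for p in _as_list(tls.get("protocols", ["TLSv1.2"]))}
    weak = sorted(protocols & WEAK_TLS_PROTOCOLS)
    if weak:
        findings.append(("error", "weak-tls-protocol",
                         f"{where}.protocols allows {', '.join(weak)}"))
    if tls.get("allowed-peer-names") and not tls.get("mutual-auth", False):
        findings.append(("info", "peer-names-without-mutual-auth",
                         f"{where}.allowed-peer-names is set but mutual-auth is not true; "
                         "confirm connecting nodes are required to present a certificate"))


def lint_service(config):
    """Return (severity, code, message) findings for config['service']."""
    svc = config.get("service", {})
    findings = []
    if "port" not in svc and not svc.get("tls"):
        findings.append(("error", "no-listener",
                         "service has neither port nor tls (tls is required if port is not set)"))
    if "port" in svc:
        addrs = _as_list(svc.get("address", "0.0.0.0"))  # page default: every interface
        findings.append(("warn", "clear-text-listener",
                         f"XDR records accepted unencrypted on {addrs}:{svc['port']}"))
    if svc.get("tls"):
        _lint_tls(svc["tls"], "service.tls", findings)
    manage = svc.get("manage") or {}
    if "port" in manage:
        addrs = _as_list(manage.get("address", "0.0.0.0"))
        severity = "error" if "0.0.0.0" in addrs else "warn"
        findings.append((severity, "manage-clear-text",
                         f"metrics/logs management API unencrypted on {addrs}:{manage['port']}"))
    if manage.get("tls"):
        _lint_tls(manage["tls"], "service.manage.tls", findings)
    return findings


def resolve_store_paths(config, config_dir):
    """Map each key-store/trust-store file option to the path the proxy will open.
    Per this page, relative paths resolve against the config file's directory."""
    base = PurePosixPath(config_dir)
    svc = config.get("service", {})
    resolved = {}
    for prefix, tls in (("service.tls", svc.get("tls") or {}),
                        ("service.manage.tls", (svc.get("manage") or {}).get("tls") or {})):
        for store in ("key-store", "trust-store"):
            for option in FILE_OPTIONS:
                values = _as_list((tls.get(store) or {}).get(option))
                for i, value in enumerate(values):
                    path = PurePosixPath(value)
                    name = f"{prefix}.{store}.{option}" + (f"[{i}]" if len(values) > 1 else "")
                    resolved[name] = str(path if path.is_absolute() else base / path)
    return resolved


if __name__ == "__main__":
    for name, cfg in (("clear-text-only", CLEAR_TEXT_ONLY), ("tls-only", TLS_ONLY),
                      ("clear-text-and-tls", CLEAR_TEXT_AND_TLS)):
        for severity, code, message in lint_service(cfg):
            print(f"{name}: {severity} {code}: {message}")
    for option, path in resolve_store_paths(TLS_ONLY, "/etc/aerospike-xdr-proxy").items():
        print(f"{option} -> {path}")
```

Against the page's own examples the lint reports the clear-text listener and the all-interfaces clear-text manage endpoint for the two clear-text configurations, and only the informational peer-name note for the TLS-only one; the resolved paths show where the proxy will look for tls/storepass and the keystores when the config file lives in an assumed /etc/aerospike-xdr-proxy directory.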