
TCP connection

When Secret Agent listens on a TCP endpoint, the configuration file snippet looks similar to the following:

service:
  tcp:
    endpoint: 0.0.0.0:3005

The endpoint is the address and port on which Secret Agent listens for connections. If the address is 0.0.0.0, Secret Agent listens on all interfaces. To listen only on a specific interface, set the address to that interface's IP address. The IP address can be in IPv4 or IPv6 format.

TLS configuration

Secret Agent supports TLS v1.2 and 1.3 over TCP. Sample configuration file for one-way authentication:

service:
  tcp:
    endpoint: 0.0.0.0:3005
    tls:
      cert-file: /etc/aerospike/secret-agent/cert.pem
      key-file: /etc/aerospike/secret-agent/key.pem

For mutual authentication, add ca-file along with cert-file and key-file. Sample configuration file for mutual authentication:

service:
  tcp:
    endpoint: 0.0.0.0:3005
    tls:
      cert-file: /etc/aerospike/secret-agent/cert.pem
      key-file: /etc/aerospike/secret-agent/key.pem
      ca-file: /etc/aerospike/secret-agent/ca-file.pem

The configured certificate and key files must be readable by the Secret Agent process and must be in PEM format. The client (Aerospike server or other tools) must have the corresponding CA certificate to validate these certificates. The certificates are used during the TLS handshake. Refer to the Aerospike security configuration guide for more details on how to configure the CA certificate with Aerospike server.
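A pre-deployment check for the configuration shapes shown above, as an added example that is not part of the Secret Agent documentation or code base: it reports whether a config yields plaintext, one-way, or mutual TLS, flags an all-interfaces endpoint, and confirms each referenced file is readable and carries a PEM marker. The function names, the minimal parser, and the sample values are assumptions made for illustration; the check does not verify that the key matches the certificate.

```python
WILDCARDS = {"0.0.0.0", "::", "[::]"}  # addresses meaning "all interfaces"

def parse_nested(text):
    """Indentation parser for nested 'key: value' maps (this config shape only)."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to this line's parent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def is_readable_pem(path):
    try:
        with open(path, errors="replace") as fh:
            return "-----BEGIN " in fh.read(4096)
    except OSError:
        return False

def audit(config_text):
    """Return (mode, findings); mode is 'plaintext', 'one-way' or 'mutual'."""
    tcp = parse_nested(config_text).get("service", {}).get("tcp", {})
    findings = []
    if tcp.get("endpoint", "").rsplit(":", 1)[0] in WILDCARDS:
        findings.append("endpoint listens on all interfaces")
    tls = tcp.get("tls") or {}
    if not tls:
        return "plaintext", findings + ["no tls section: connections are not encrypted"]
    for key in ("cert-file", "key-file", "ca-file"):
        if key not in tls:
            if key != "ca-file":  # ca-file is only needed for mutual authentication
                findings.append(f"{key} is missing")
        elif not is_readable_pem(tls[key]):
            findings.append(f"{key} is unreadable or not PEM: {tls[key]}")
    return ("mutual" if "ca-file" in tls else "one-way"), findings

SAMPLE = "service:\n  tcp:\n    endpoint: 0.0.0.0:3005\n"  # constructed, mirrors the page
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it as the same user as the Secret Agent process so the readability result reflects what the service will see.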