All About Configuration for TLS

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

TLS Information, FAQs, How-Tos, and General Information

Aerospike Basics

| Resource | Summary |
| --- | --- |
| How To Configure and Test TLS on Aerospike | How to configure the tls{} stanza(s) for the service, fabric, heartbeat, and XDR contexts to specify which certificates are used. Explains how to add the TLS configuration to the relevant protocol stanzas, how to configure the parties that connect to the cluster over TLS, and how to disable the non-TLS ports. |
| Step-by-step for service TLS | Details the changes required on the Aerospike nodes so that clients can communicate with the cluster via the TLS-enabled ports. Covers standard and mutual TLS authentication modes with cluster name matching. |
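
The fragment below is an added example, not configuration taken from the linked articles, showing how the pieces described in the two rows above fit together in aerospike.conf: one tls{} sub-stanza in the network context holds the certificate material and is referenced by name from the service, heartbeat and fabric contexts. The service context requests mutual authentication (tls-authenticate-client) and omits the plaintext port so that only the TLS port is listened on. The stanza name, file paths, seed addresses, cipher list and port numbers are assumptions chosen for illustration; the tls-name must match the name that the server certificate presents and that clients use in their host:tls-name:port connection string.

```conf
# Added example (not from the linked Aerospike articles).
# Assumed values: stanza name "aerospike-cluster", paths under
# /etc/aerospike/certs, seed addresses 10.0.0.11/12, ports 4333/3012/3011.
network {
    # One named TLS profile, shared by every context below.
    tls aerospike-cluster {
        cert-file /etc/aerospike/certs/server.pem   # this node's certificate
        key-file  /etc/aerospike/certs/server.key   # its private key
        ca-file   /etc/aerospike/certs/ca.pem       # CA used to verify peers
        protocols TLSv1.2                           # disable older protocol versions
        # OpenSSL cipher string; forward-secret AEAD suites only (assumed policy)
        cipher-suite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    }

    service {
        address any
        # "port 3000" is intentionally absent: with no plaintext port the node
        # only accepts TLS clients. Keep "port 3000" alongside tls-port only
        # while existing non-TLS clients are being migrated (mixed mode).
        tls-port 4333
        tls-name aerospike-cluster
        # Mutual authentication: require a client certificate signed by ca-file.
        # Use "false" for standard (server-only) TLS.
        tls-authenticate-client any
    }

    heartbeat {
        mode mesh
        tls-port 3012
        tls-name aerospike-cluster
        tls-mesh-seed-address-port 10.0.0.11 3012   # assumed seed nodes
        tls-mesh-seed-address-port 10.0.0.12 3012
        interval 150
        timeout 10
    }

    fabric {
        tls-port 3011
        tls-name aerospike-cluster
    }
}
```

The change only takes effect on restart, so on a running cluster it is applied node by node with rolling restarts. After each node comes back, a quick check from a host that holds a client certificate is openssl s_client -connect <node>:4333 -CAfile ca.pem -cert client.pem -key client.key; the handshake should complete, and it should fail when the -cert/-key pair is omitted, which confirms that mutual authentication is enforced.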

More Specifics

| Resource | Summary |
| --- | --- |
| How to use multiple TLS client certificates | Detailed step-by-step guide to using multiple TLS client certificates. Covers the XDR scenario as well. |
| How to use Mutual Authentication TLS (mTLS) in Java | Describes how to set up a Java application to connect to an Aerospike cluster configured for mutual authentication TLS. Includes a link to an example GitHub project. |
| How to rotate signed certificates | How to update a signed certificate on the server or client. Valid for either standard or mutual authentication. Assumes that the CA root certificate is not expiring. |
| How to replace CA certs | Focuses on CA certificate expiration and the options available for replacing expiring Certificate Authority (CA) certificates. Covers configurations using either ca-file or ca-path. |
| How to deploy TLS certs in ramfs/tmpfs | Discusses deploying certificates from the manager to Aerospike without storing them on the node hard drives, using the Linux ramfs/tmpfs functionality. |
| How to select TLS cipher suites in Java | How to explicitly specify the set of cipher suites allowed during the TLS handshake. Restricting the set ensures that the best-performing suites are negotiated while still satisfying organizational security requirements. Assumes a hypothetical set of security requirements based on the NIST guidelines in SP 800-52. |

Non-Aerospike Specific

| Resource | Summary |
| --- | --- |
| How to generate a self-signed TLS certificate | Step-by-step guide to generating a self-signed TLS certificate. Covers the stanzas for server, clients, fabric, and heartbeat messages. |

FAQs

| Resource | Summary |
| --- | --- |
| General TLS FAQ | Default TLS protocol, certificate expiration scenario, renewal of expired certificates, mixed-mode TLS environments. |
| FAQ - Enable TLS for service, fabric and heartbeat traffic on an existing cluster | How to enable TLS on a running cluster. Covers service, fabric, and heartbeat traffic TLS configurations. Requires rolling restarts. |

Keywords

TLS TOC FAQ SSL SECURITY CONFIGURATION

Timestamp

June 2020