All About Configuration for TLS

TLS Information, FAQ’s, How-To’s, and General Information

Aerospike Basics

Resource Summary
How To Configure and Test TLS on Aerospike How to configure the tls{} stanza(s) (service, fabric, heartbeat, and XDR stanzas) to specify which certificates will be used. Explains how to add the TLS configuration to the relevant protocol stanzas, to configure the parties that would connect to the cluster using TLS, and to disable the non-TLS ports.
Step-by-step for service TLS Details the changes required to be made on the Aerospike nodes so that clients can communicate with the cluster via TLS enabled ports. Covers Standard and Mutual authentication modes of TLS with cluster name match.

More Specifics

Resource Summary
How to use multiple TLS client certificates Detailed step by step for using multiple TLS client certificates. Covers XDR scenario as well.
How to use Mutual Authentication TLS (mTLS) in Java Describes how to setup a Java application to connect to an Aerospike cluster configured to use mutual authentication TLS. Link to example GitHub project included.
How to rotate signed certificates How to update a signed certificate on the server or client. Valid for either standard or mutual authentication. Assumes that the CA ROOT certificate is not expiring.
How to replace CA certs Focuses on the CA certificate expiration and the options available to replace expiring Certificate Authority (CA) certificates. Covers configurations using either ca-file or ca-path.
How to deploy TLS certs in ramfs/tmpfs Discusses deploying certificates from the manager to Aerospike without storing them on the node hard drives, using the linux ramfs/tmpfs functionality.
How to select TLS cipher suites in Java How to explicity specify the set of cipher suites that are allowed to be used during the TLS handshake. This will ensure that cipher suites are used which get the best performance while satisfying the organizational security requirements. Assumes that some hypothetical security requirements are based on the NIST Guidelines in SP 800-52.

Non-Aerospike Specific

Resource Summary
How to generate a self-signed TLS certificate Step by step for generating a self-signed TLS certificate. Covers stanzas for server, clients, fabric, and heartbeat messages,


Resource Summary
General TLS FAQ Default TLS protocol, certificate expiration scenario, renewal of expired certificates, mixed-mode TLS environments.
FAQ - Enable TLS for service, fabric and heartbeat traffic on an existing cluster How to enable TLS on a running cluster. Covers service, fabric, and heartbeat traffic TLS configuations. Requires rolling restarts.




June 2020

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.