Configure Services for Aerospike Connect for Elasticsearch

The service section of the aerospike-elasticsearch-outbound.yaml file configures the source connector's listening ports, TLS, and network interface.

The following options are available:

Option	Required	Default	Description	Details
`protocol`	no	TCP	The incoming protocol for the source connector.	Valid values are `TCP` when the change notification source is Aerospike server 5.0 or later, or `HTTP_1_1` when the change notification source is Aerospike server prior to 5.0. `TCP` is the default.
`port`	no	8080	The list of ports the source connector listens to.
`address`	no	0.0.0.0	The list of interface IP addresses the source connector binds to.	Use 0.0.0.0 for all interfaces.
`tls`	Required, if port not specified.	N/A	See TLS.
`io-threads`	no	# of processors	The number of IO threads to read, parse incoming XDR requests and to write acknowledgments to XDR.
`worker-threads`	no	# of processors	The number of threads that will invoke the connector to dispatch a record.
`max-concurrent-records`	no	32768	The maximum number of XDR records to concurrently process in the source connector.
`manage`	no	N/A	See Metrics and Logs.
`cluster-name`	no	product-name	Group or cluster this connector instance belongs to.	Used for grouping instances in Prometheus.
`enable-tcp-xdr-ack-buffering` introduced in `2.2.0`	no	true	Enables buffering of XDR acks for protocol TCP.

Protocols

The incoming protocol for the connector. Valid values are:

Protocol	Description
`TCP`	The change notification source is Aerospike server 5.0 or later. This is the default.
`HTTP_1_1`	The change notification source is Aerospike server prior to 5.0 version.

Metrics and Logs

Use the Management and Metrics API to query and manage the source (outbound) server metrics and logs via a REST endpoint. These settings are for using the manage subsection of the service section to specify the endpoint and (optionally) TLS settings for securing connections.

Option	Required	Default	Description
port	no	none	The list of ports a `manage` service listens to.
address	no	0.0.0.0	The list of interface IP addresses the connector binds to. Use 0.0.0.0 for all interfaces.
tls	Required if `port` is not specified.	N/A	See TLS.

TLS

The tls option of the service section and the manage section specifies TLS settings for making secure connections.

Option	Required	Default	Description
port	no		The list of HTTPS/TLS ports the server listens to.
key-store	no		The keystore configuration containing the server-side certificate and key. See TLS Store.
trust-store	no	Default java trust store.	The keystore configuration containing the trusted CA certificates. See TLS Store.
protocols	no	TLSv1.2	List of allowed TLS protocols.
ciphers	no	Default java ciphers	List of allowed ciphers.
revoke-certificates	no		Reject TLS certificates with the serial numbers specified in this list
allowed-peer-names	no		List of client (Aerospike server nodes) peer names for mutual authentication. If set, only those clients (Aerospike server nodes) that present certificates matching the peer names are allowed to connect.
mutual-auth	no	false	Specifies whether the source connector must perform mutual authentication with the Aerospike cluster.

TLS store

The key-store and trust-store options describe how TLS keystores and truststores are configured. All relative file paths are considered relative to the directory in which the configuration file is located. See Setting Up TLS Keystores for Aerospike Connect for information about creating keystores.

Option	Required	Default	Description
`store-file`	yes		The store file.
`store-password-file`	yes		Read store password from this file.
`key-password-file`	no		Read key password from this file.
`store-type`	no	JKS	The keystore type. Valid values are JKS, JCEKS, PKCS12, PKCS11, DKS, Windows_MY, BKS, PEM [1]

[1] NOTE PEM format files are supported. See configure a key store and configure a trust store for details.

TLS Key store with PEM files

OpenSSL default format and PKCS #8 format are supported for private keys.

Option	Required	Description
`store-type`	Yes	Value should be PEM.
`store-file`	Yes	The Private Key in PEM format. Can be in encrypted or cleartext format.
`store-password-file`	Optional	The password that protects the private key specified as the value of the `store-file` parameter.
`certificate-chain-files`	Yes	List of files containing X.509 certificate chain corresponding to the private key specified in `store-file`. Multiple entries in each certificate file are allowed. All entries from all files are concatenated in order, with the first X.509 certificate from the first file being added at index 0, and the last X.509 certificate from the last file being added last. The chain must be ordered and contain a X.509 certificate at index 0 corresponding to the Private Key specified in `store-file`. Any entries not corresponding to a X.509 Certificate are ignored when reading the PEM format Certificate files

Examples

...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem # Cleartext private key.
      certificate-chain-files: # Certificate chain in multiple PEM files.
        - cert-1.pem
        - cert-2.pem
    ...
  ...
...

...
service:
  ...
  tls:
    ...
    key-store:
      store-type: PEM
      store-file: key.pem
      store-password-file: storepass # Password protecting key.pem.
      certificate-chain-files: certchain.pem
    ...
  ...
...

TLS Trust store with PEM files

OpenSSL default format and PKCS #8 format are supported for private keys.

Option	Required	Description
`store-type`	Yes	The value must be PEM.
`certificate-files`	Yes	The X.509 certificates to trust. All X.509 PEM entries in all the files are added to the trust store. Any entries not corresponding to X.509 certificate are ignored.

Examples

...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files: certs.pem
    ...
  ...
...

...
service:
  ...
  tls:
    ...
    trust-store:
      store-type: PEM
      certificate-files:
        - certs-1.pem
        - certs-2.pem
    ...
  ...
...

Examples

Clear-text only

...
service:
  port: 8080
  address: 192.168.5.154
  manage:
    address: 0.0.0.0
    port: 8902
...

TLS only

...
service:
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...

Clear text and TLS

...
service:
  port: 8080
  address: 192.168.5.154
  tls:
    port: 8443
    allowed-peer-names:
      - asd.aerospike.com
    protocols:
      - tlsv1.3
    trust-store:
      store-file: tls/ca.aerospike.com.truststore.jks
      store-password-file: tls/storepass
    key-store:
      store-file: tls/connector.aerospike.com.keystore.jks
      store-password-file: tls/storepass
      key-password-file: tls/keypass
  manage:
    address: 0.0.0.0
    port: 8902
    tls:
      port: 8903
      trust-store:
        store-file: tls/ca.aerospike.com.truststore.jks
        store-password-file: tls/storepass
      key-store:
        store-file: tls/connector.aerospike.com.keystore.jks
        store-password-file: tls/storepass
        key-password-file: tls/keypass
...

Protocols​

Metrics and Logs​

TLS​

TLS store​

TLS Key store with PEM files​

Examples​

TLS Trust store with PEM files​

Examples​

Examples​

Clear-text only​

TLS only​

Clear text and TLS​

Protocols

Metrics and Logs

TLS

TLS store

TLS Key store with PEM files

Examples

TLS Trust store with PEM files

Examples

Examples

Clear-text only

TLS only

Clear text and TLS