Skip to main content
Loading

Security and Authentication for Aerospike Connect for Elasticsearch

Create a TLS Keystore

To use TLS, an Aerospike Connect for Elasticsearch connector requires a public/private key pair and corresponding certificate. These must be provided in a keystore file.

The connector supports the proprietary Java Keystore format ("JKS") and the PKCS #12 format. JKS is the default for Java versions prior to 9. PKCS #12 is the default for Java 9 and later.

For development and testing, you can generate a new key pair and certificate using the JDK's keytool command line utility. The following command creates a new keystore file and key/cert pair:

keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA

The keytool will prompt for a new password for the keystore file as well as some additional information about the certificate.

keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
    [Unknown]:
What is the name of your organizational unit?
    [Unknown]:
What is the name of your organization?
    [Unknown]:
What is the name of your City or Locality?
    [Unknown]:
What is the name of your State or Province?
    [Unknown]:
What is the two-letter country code for this unit?
    [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
    [no]:  yes

If your existing private key and certificate (chain) are separate PEM files, you can use OpenSSL to combine them into a PKCS #12 keystore:

openssl pkcs12 -inkey ./key.pem -in ./cert.pem --export -out resources/keystore

If you have a chain of certificates because your CA is an intermediary, build the PKCS #12 file as follows:

cat ./cert.pem intermediate.pem rootCA.pem > cert-chain.pem
openssl pkcs12 -inkey ./key.pem -in ./cert-chain.pem -export -out resources/keystore

This command prompts you for an export password. It will set this as the keystore password of the newly-created keystore file. Update the tls configuration section as per above to use the test keystore.