Skip to main content
Loading
Version: Graph 2.0.0

TLS Setup for Graph

Aerospike Graph supports Transport Layer Security (TLS) for encrypting network traffic between Graph and the underlying Aerospike Database server.

Procedure

  1. Set up TLS on your Aerospike Database server

    Refer to the server documentation for help with setting up TLS on Aerospike.

    Once all your certificates are in place, edit your Aerospike configuration file (located at /etc/aerospike/aerospike.conf by default). The following sample network context shows the required parameters for enabling TLS. Be sure to replace the placeholder <HOSTNAME> with the signed hostname of the SSL certificate.

    network {
        tls <HOSTNAME> {
          cert-file /opt/aerospike/etc/aerospike_server.crt
          key-file /opt/aerospike/etc/aerospike_server.key
          ca-file /opt/aerospike/etc/ca.crt
          protocols TLSv1.2
        }
        service {
            address any
            access-address 172.17.0.1
            alternate-access-address 127.0.0.1
            access-port 3000
            port 3000
            tls-address any
            tls-port 4303
            tls-authenticate-client false
            tls-name <HOSTNAME>

            # Uncomment the following to set the `access-address` parameter to the
            # IP address of the Docker host. This will the allow the server to correctly
            # publish the address which applications and other nodes in the cluster to
            # use when addressing this node.
            # access-address <IPADDR>
        }
    }
    info

    The tls-name parameter must be the cluster name (CN) that the certificate on the Aerospike server is signed for, and Graph must be able to resolve it as a DNS hostname. The DNS hostname must resolve to the IP address of the Aerospike server.

  2. Set up certificates for your Graph instances

    Your Graph SSL certificates require:

    • A Certificate Authority (CA)
    • Two signed certificate/key pairs (one for the Aerospike server and one for each of your Graph instances)

    Put the CA and a certificate/key pair in a Java KeyStore and the CA in a Java TrustStore. Both files should use the extension .jks.

  3. Configure Graph for TLS

    If you use a configuration file to start your graph server, edit the file to include the parameter tls=true. Otherwise, use the command-line argument -e TLS=true when starting the Graph Docker image.

  4. Set up the JAVA_OPTIONS environment variable

    The JAVA_OPTIONS environment variable holds the path and password information for your KeyStore and TrustStore. The path information should be the paths to the files within the Docker container where you run the Graph Docker image. The following example shows usage:

    JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/path/to/trust-store.jks -Djavax.net.ssl.keyStore=/path/to/key-store.jks -Djavax.net.ssl.trustStorePassword=abc123 -Djavax.net.ssl.keyStorePassword=abc123

  5. Start the Graph Docker image

    Include the JAVA_OPTIONS environment variable when starting the Graph Docker image.

    -e JAVA_OPTIONS
Tags:
Last updated on