Transport Layer Security (TLS)

This guide to the Aerospike Transport Layer Security (TLS) describes the Aerospike configuration settings and considerations for using TLS in Aerospike implementations. For specific information about configuring Aerospike to use TLS on your network, see TLS Configuration.

Aerospike Enterprise Edition supports TLS for the following network traffic:

Client-to-Cluster - Traffic between clients and all database nodes.
Cluster-to-Cluster - Traffic between clusters (Cross-Datacenter Replication, or XDR).
Node-to-Node - Traffic between nodes in a cluster, both fabric and heartbeat.
In server 6.3, Aerospike gains compatibility with OpenSSL 3, to support Ubuntu 22.04, RHEL 9/CentOS Stream 9, and other Linux distributions that support OpenSSL 3. The Aerospike server and clients retain compatibility with OpenSSL 1.1.
Clients: Aerospike clients' TLS implementation is specific to the language. Refer to Client Support for details.
Server configuration: refer to the Network Configuration/TLS page for details on configuring TLS.

TLS between clients and cluster

Aerospike offers 3 modes for TLS Security between clients and a cluster, selected by the tls-authenticate-client configuration parameter in the service sub-stanza:

Standard authentication (value false)
Mutual authentication (value any)
Mutual authentication with subject name validation (value is user defined, for example host.domain.com)

note

tls-authenticate-client replaces the tls-mode configuration parameter as of version 3.15.

Standard authentication

Standard authentication dictates how the client authenticates each of the nodes in the Aerospike Cluster via TLS.

TLS name and authentication

The TLS name, configured as the tls-name, authenticates each TLS socket connection against a server node, based on the certificate presented by the Aerospike server node during the initial connection handshake. The TLS name for a node is typically the node's hostname. See TLS name clarification.

In a typical connection flow:

The expected TLS name is passed in for the seed node(s).
For each TLS connection to the seed node, the TLS name match algorithm is executed against the certificate presented by the seed node.
Once matched, the client fetches from the seed node all peer nodes' connection information and each of their tls-name information, and continues TLS connections to each of the remaining peer nodes.

The TLS name match algorithm is as follows:

Seed node's tls-name matches the certificate's Subject/CN field.
Seed node's tls-name matches the certificate's X509v3 Subject Alternative Name (SAN) field.

Typical authentication setup

Following are some common standard authentication setups that a deployment may use. Aerospike recommends using the Cluster name match setup.

The common server configuration parameters are the following:

tls-authenticate-client configuration parameter must be set to false.
cert-file must be set. It is a .pem file, which contains the server's own certificate.
key-file must be set. It is the .pem file with the private key associated with the certificate.

The client must have the relevant root CA certificate configured.

Hostname match with individual server certificate

Server certificate
- Each Aerospike server node uses its own certificate.
- The certificate must have the node's system hostname defined in the Subject/CN or SAN field. For example:

Subject: C=US, ST=California, L=San Jose, O=Acme, Inc., OU=Aerospike Cluster, CN=m1.acme.com

Server configuration
- All Aerospike nodes must configure the system hostname correctly, and the name must match the value in the Subject/CN or SAN field.
- A tls sub-stanza for <hostname> must be defined in the aerospike.conf file, and the tls-name in the service sub-stanza must be specified and have the value <hostname> for the system's hostname to be read as the TLS name.
Client Configuration
- On client applications, for each seed host passed into the cluster_create() call, pass in the same <hostname> for the tls-name as the TLS name.

Hostname match with common server certificate

Server certificate
- All Aerospike server nodes use the same certificate.
- The certificate must include the x509v3 Subject Alternate Name (SAN) extension, and include the list of all the node's hostnames in the field. For example:

X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:m1.acme.com, DNS:m2.acme.com, DNS:m3.acme.com

Server configuration
- All Aerospike nodes must configure their system's hostname correctly and the name must match what's presented in the SAN extension.
- A tls sub-stanza for <hostname> must be defined in the aerospike.conf file, and the tls-name in the service sub-stanza must be specified and have the value <hostname> for the system's hostname to be read as the TLS name.
Client configuration
- On client applications, for each seed host passed into the cluster_create() call, pass in the same <hostname> for the tls-name as the TLS name.

Wildcard hostname match

Server certificate
- All Aerospike server nodes use the same cert.
- The certificate must have a matcheable wildcard in the Subject/CN field or SAN field. For example:

Subject: C=US, ST=California, L=San Jose, O=Acme, Inc., OU=Aerospike Cluster, CN=*.aerospike-cluster.acme.com

Server configuration
- All Aerospike nodes must configure their system's hostname correctly to follow the wild card rule.
- A tls sub-stanza for <hostname> has to be defined in the aerospike.conf file and the tls-name in the service sub-stanza must be specified and have the value <hostname> in order for the system's hostname to be read as the TLS name.
Client configuration
- On client applications, for each seed host passed into the cluster_create() call, pass in the node's hostname as the TLS name.
- Wildcard hostname match is not available with the Java and C# Clients.

Cluster name match

Server Certificate
- All Aerospike server nodes use the same cert.
- The certificate must have the clustername defined in the Subject/CN field or SAN field. For example:

Subject: C=US, ST=California, L=San Jose, O=Acme, Inc., OU=Aerospike Cluster, CN=as-cluster-west

Server Configuration
- All Aerospike server nodes use the same aerospike.conf file, with the same clustername specified in the aerospike.conf file.
- A tls sub-stanza for <cluster-name> has to be defined in the aerospike.conf file and the tls-name in the service sub-stanza must be specified and have the value <cluster-name> in order for the node's configured clustername to be used as the TLS name.
- Using the clustername (cluster-name) requires using Aerospike's heartbeat-v3 protocol.
Client Configuration
- On client applications, for each seed host passed into the cluster_create() call, pass in the same <cluster-name> for the tls-name as the TLS name.

Mutual authentication

Mutual authentication requires first deciding on one of the above Standard authentication setups to allow client authentication of server nodes.

In addition, for the server to authenticate the client, the following is required:

Client certificate
- The certificate must be a valid certificate chain, and must be signed by the same certificate authority as the server.
- No additional name matching is done.
Server configuration
- The tls-authenticate-client configuration parameter must be set to any (default).
- The ca-file/ca-path must be configured to point to the client's signing CA cert.

note

There can be more than one tls-authenticate-client directive in order to accept multiple subject names. A typical example would be to use different subject names between local clients and XDR clients.

Mutual authentication with subject name validation

This is similar to Mutual authentication, the only difference being that the name matching would be done.

Client certificate
- The certificate must be a valid certificate chain, and must be signed by the same certificate authority as the server.
- Name matching is done.
Server configuration
- tls-authenticate-client configuration parameter must be set to the specific name (for example host.domain.com). This is the TLS name a cluster node expects clients to present on incoming client connections.
- ca-file/ca-path must be configured to point to the client's signing CA cert.

TLS between cluster nodes

For intra-cluster traffic (both fabric and heartbeat), all cluster nodes share the same TLS name and can thus use the same certificate. Even though intra-cluster TCP connections happen between equal peers, in terms of the TLS handshake between the cluster nodes, the connecting node plays the TLS client role and the accepting node plays the TLS server role. Therefore, the following applies:

TLS authentication between cluster nodes is always mutual. The TLS client authenticates the server and vice versa. In contrast to client-facing TLS, this isn't optional or configurable.
The subject name in a certificate is always validated. A TLS client with a given TLS name expects the accepting TLS server to present a certificate with the same subject name. A TLS server with TLS name X expects the connecting TLS client to present a certificate with subject name X. This means that all cluster nodes need to use the same TLS name.

TLS between XDR replicated clusters

TLS for XDR traffic is similar to the client-server TLS implementation:

The source cluster is the "client". It must have all relevant configurations a TLS client requires. For each datacenter:
- tls-node specifying the seed-node's IP address, the tls-name (of the remote DC), and port.
- The tls-name (of the local DC).
- The destination cluster is the "server", and must have all relevant configurations that a TLS server requires. The "service" section must be correctly set up to receive TLS traffic.

TLS name clarification

Each TLS connection has two TLS names, one on each end of the connection. Or, in TLS speak, one for the client (i.e., the end that initiated the TLS connection) and one for the server (i.e., the end that accepted the TLS connection). More precisely, "having a TLS name of X" means "presenting a certificate issued to a subject name of X". If a TLS server has a TLS name of server.aerospike.com, it will present a certificate issued to server.aerospike.com when a TLS client connects to it. Conversely, if a TLS client has a TLS name client.aerospike.com, it will present a certificate issued to client.aerospike.com to a TLS server that it connects to.

As mentioned above, all cluster nodes share the same TLS name for intra-cluster connections (heartbeat and fabric). Therefore, a cluster node will always use the same TLS name (i.e. present the same certificate), regardless of which end of the connection it is on. Only one TLS name needs to be specified for heartbeat and fabric. This is done via the tls-name directive.

For the client service and for XDR this is different. Clients are allowed to use a different TLS name than the cluster they connect to. Similarly, an XDR remote DC being replicated to from a local DC is allowed to use a different TLS name than the local DC. This requires the ability to specify two TLS names. In these cases, the tls-name directive specifies the local TLS name (the TLS name that a cluster node presents on incoming client connections or on outgoing XDR connections). This covers the first of the two TLS names. The TLS name that a cluster node expects clients to present on incoming client connections is specified via tls-authenticate-client. The TLS name that a cluster node expects the remote DC to present on XDR connections is specified via tls-node.

In summary:

Heartbeat and fabric: tls-name (for both sides of the TLS connection, client and server)
Client service: tls-name (server) and tls-authenticate-client (client)
XDR: tls-name (local DC) and tls-node (remote DC)

Client support

C-Client - uses OpenSSL
- Asynchronous libuv API supports TLS
Java Client - uses Java's built-in security library, javax.net.ssl.SSLSocket, and java.security.cert.X509Certificate
- Asynchronous API supports TLS only when using the netty async framework (as of version 4.1.10)
- Wildcard match not supported
- For running with TLS, a java application must have the appropriate certificate added to the local truststore (for standard authentication) and local keystore (for mutual authentication). When required, the relevant script should be modified to supply the location of the truststore and keystore
C# Client - uses C#'s built-in security library, System.Security.Authentication
- Asynchronous API supports TLS starting with C# client version 5.1.0
- Wildcard match not supported
Python Client - uses OpenSSL
- An OpenSSL library comes bundled with the wheel if you install using pip
- Building from source uses the system's OpenSSL library

Revoking rogue certificates

Aerospike provides an easy way to filter out rogue certificates through a black-list mechanism. If a certificate should no longer be legitimate, it should be added to the appropriate blacklist.

Refer to the cert-blacklist configuration parameter for further details.

TLS version and cipher choice

Aerospike server defaults to TLS1.2. This can be overridden through configurations both on client and server side.

Aerospike relies on the TLS handshake to determine optimal cipher suite to pick, with server as the choice preference. It is also possible to explicitly set the cipher choice through configurations both on client and server side.

Refer to the cipher-suite configuration parameter for further details.

TLS certificate rotations

Dynamically rotating ECDSA private keys and certificates as well as password-protected private keys is not supported in Aerospike server versions prior to 4.7.0.5, 4.6.0.8, 4.5.3.10, 4.5.2.10, 4.5.1.15, 4.5.0.19. More details in the FAQ on TLS.

TLS between clients and cluster​

Standard authentication​

TLS name and authentication​

Typical authentication setup​

Hostname match with individual server certificate​

Hostname match with common server certificate​

Wildcard hostname match​

Cluster name match​

Mutual authentication​

Mutual authentication with subject name validation​

TLS between cluster nodes​

TLS between XDR replicated clusters​

TLS name clarification​

Client support​

Revoking rogue certificates​

TLS version and cipher choice​

TLS certificate rotations​