Securing XDR with access control, LDAP, and TLS
Authorized user and password file
For either access control or LDAP, if the target cluster has security enabled, add the following parameters on the source cluster:
- auth-mode specifies the mode of authentication.
- auth-user specifies the name of a user with read/write permissions on the target cluster. Must be accompanied by auth-password-file and auth-mode.
- auth-password-file points to a file that contains the password of the user specified in auth-user. Alternatively, the value of auth-password-file can be stored in HashiCorp Vault. See Optional security with Vault integration.
- In server version 6.4 and later, the value of auth-password-file can be fetched using the Secret Agent. See Integrating with secrets management services.
Make sure this file is adequately secured.
See examples of this parameter in Securing with access control and Securing with LDAP.
Example contents of security configuration file
$ less /private/security-credentials-DC1.txt
passwordOnDestination
Securing with access control
For background on configuring Aerospike's local-to-the-server user access control, see Configuring Access Control.
For an explanation of the auth-user and auth-password-file parameters, see Authorized user and password file.
Example dc sub-stanza for access control
xdr {
dc dataCenter1 {
node-address-port someIpAdress1 somePort1
...
auth-mode internal
auth-user somebodyOnDestination1
# auth-user must be accompanied by auth-password-file
auth-password-file /private/security-credentials-DC1.txt
namespace someNamespace {
...
}
}
dc dataCenter2 {
node-address-port someIpAdress2 somePort2
...
auth-mode internal
auth-user somebodyOnDestination2
# auth-user must be accompanied by auth-password-file
auth-password-file /private/security-credentials-DC2.txt
namespace someNamespace {
...
}
}
}
Securing with access control using PKI (versions 5.7+)
The following example secures the connection with a TLS certificate and uses the common name (CN) in the certificate as the username to authenticate at the destination cluster. No password needs to be specified in this mode, because the validity of the TLS certificate is what authenticates the user.
xdr {
dc dataCenter1 {
node-address-port someIpAdress1 somePort1 someTlsNameDefinition1
tls-name localTls
auth-mode pki
namespace someNamespace {
...
}
}
...
}
Securing with LDAP
For background about configuring LDAP, see Configuring LDAP.
- For an explanation of the auth-user and auth-password-file parameters, see Authorized user and password file.
- As of Aerospike version 4.7, if you are using LDAP authentication, the auth-mode parameter should be set to external.
Aerospike strongly recommends that you do not set auth-mode to external-insecure.
Example dc sub-stanza for LDAP with auth-mode external
xdr {
dc dataCenter1 {
node-address-port someIpAdress1 somePort1
...
auth-mode external
auth-user somebodyOnDestination1
auth-password-file /private/security-credentials-DC1.txt
namespace someNamespace {
...
}
}
}
Securing with TLS
Consider implementing TLS among the cluster nodes. For details, see TLS Configuration.
- TLS is configured in the tls stanza of the configuration file. This stanza defines variable names based on TLS certificates. In this example for XDR, the variable names someTlsNameDefinition... and localTls are variable references to TLS certificates you have installed on your system and configured in the tls stanza.
- The xdr stanza only refers to those TLS variable name definitions.
- Those TLS variable name definitions come after the port number of the node-address-port parameter.
The following example secures the connection with a TLS certificate and with LDAP user authentication (auth-mode external).
xdr {
dc dataCenter1 {
node-address-port someIpAdress1 somePort1 someTlsNameDefinition1
tls-name localTls
auth-mode external
auth-user somebodyOnDestination1
auth-password-file /private/security-credentials-DC1.txt
namespace someNamespace {
...
}
}
...
}
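As an added check that is not part of Aerospike's documentation or tooling, the following Python script parses the dc sub-stanzas of an xdr configuration in the brace layout shown on this page and audits them for the rules stated above: auth-user paired with auth-password-file, auth-mode not set to external-insecure, and the password file neither missing nor accessible to group or other. The sample configuration and its addresses are constructed for the example.

```python
import os

# Constructed sample, not a real deployment: dataCenter2 violates two rules stated above.
SAMPLE_CONF = """xdr {
    dc dataCenter1 {
        node-address-port 10.0.0.1 3000 someTlsNameDefinition1
        auth-mode external
        auth-user somebodyOnDestination1
        auth-password-file /private/security-credentials-DC1.txt
        namespace someNamespace {
        }
    }
    dc dataCenter2 {
        node-address-port 10.0.0.2 3000
        auth-mode external-insecure
        auth-user somebodyOnDestination2
    }
}"""

def parse_dcs(text):
    """Map each dc name to its own parameters; nested stanzas such as namespace are skipped."""
    dcs, stack, current = {}, [], None
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()  # strip comments; blank lines yield no tokens
        if toks[-1:] == ["{"]:  # a stanza opens, e.g. "dc dataCenter1 {"
            stack.append(toks[0])
            if toks[0] == "dc":
                current = dcs.setdefault(toks[1], {})
        elif toks == ["}"]:
            if stack.pop() == "dc":
                current = None
        elif toks and current is not None and stack[-1] == "dc":
            current[toks[0]] = toks[1:]  # parameter directly inside the dc stanza
    return dcs

def audit(dcs, check_files=False):
    """Return (dc, finding) pairs for the requirements this page states."""
    findings = []
    for name, p in dcs.items():
        if p.get("auth-mode") == ["external-insecure"]:
            findings.append((name, "auth-mode external-insecure is discouraged"))
        if "auth-user" in p and "auth-password-file" not in p:
            findings.append((name, "auth-user must be accompanied by auth-password-file"))
        if check_files and "auth-password-file" in p:  # "make sure this file is adequately secured"
            path = p["auth-password-file"][0]
            if not os.path.isfile(path):
                findings.append((name, f"{path} does not exist"))
            elif os.stat(path).st_mode & 0o077:  # any group/other permission bit set
                findings.append((name, f"{path} is accessible to group or other"))
    return findings
```

Run it against a real aerospike.conf with check_files=True on the source node, where the password file must exist with owner-only permissions.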