AeroLab can assist you in configuring TLS between client and server, as well as between server nodes.
First generate the configuration file with tls
stanza.
aerolab conf generate
Select the “enabled” and “service” under “network-tls” portion and hit CTRL+X to save the file as aerospike.conf
in your current directory.
Note: you can download the template configuration file from this repository, in the templates directory.
aerolab cluster create -o aerospike.conf -c 2 -n mytest
aerolab tls generate -n mytest
aerolab aerospike restart -n mytest
Note: if using Docker Desktop, first run aerolab cluster list
and grab the ExposedPort
for node 1. Use that instead of 4333
.
aerolab attach shell -n mytest
# mutual auth off
aql --tls-enable --tls-cafile=/etc/aerospike/ssl/tls1/cacert.pem -h 127.0.0.1:tls1:4333
# mutual auth on
aql --tls-enable --tls-cafile=/etc/aerospike/ssl/tls1/cacert.pem --tls-keyfile=/etc/aerospike/ssl/tls1/key.pem --tls-certfile=/etc/aerospike/ssl/tls1/cert.pem -h 127.0.0.1:tls1:4333
tls generate
will put certificates in the following path in the containers:
/etc/aerospike/{TLS_NAME}/cert.pem
/etc/aerospike/{TLS_NAME}/cacert.pem
/etc/aerospike/{TLS_NAME}/key.pem
As such, you can create and use multiple TLS names in your Aerospike config. For example:
network {
tls tls1 {
cert-file /etc/aerospike/ssl/tls1/cert.pem
key-file /etc/aerospike/ssl/tls1/key.pem
ca-file /etc/aerospike/ssl/tls1/cacert.pem
}
tls bob.domain.why.not {
cert-file /etc/aerospike/ssl/bob.domain.why.not/cert.pem
key-file /etc/aerospike/ssl/bob.domain.why.not/key.pem
ca-file /etc/aerospike/ssl/bob.domain.why.not/cacert.pem
}
If you use that in your template configuration file, snipped to make-cluster with the -o parameter, simply generate separate certificates for those 2 TLS names as follows:
aerolab tls generate -t tls1
aerolab tls generate -t bob.domain.why.not
TLS generation allows for multiple CA certificates. If a CA cert already exists with the given name, it will be reused. If it doesn’t, a new CA with that name will be generated.
AeroLab also has tls copy
as a handy way to copy TLS certificates from one node to another (or one cluster to another).