This project contains complete, functional examples of connecting to Aerospike Server Enterprise with standard TLS or mutual-authentication TLS (mTLS), including:
- Scripts to generate self-signed certificates for testing
- Configuration to run Aerospike Server locally in Docker
- Example applications in Go, Java, and Python

Prerequisites:
- A Feature Key File (`features.conf`) for Aerospike Enterprise
- Docker (verify with `docker -v`)
- OpenSSL (verify with `openssl version`)
- If you are on a Mac, install `tree` with `brew install tree`
Execute `generate-certs.sh` to generate example self-signed TLS certificates:

```sh
$ ./generate-certs.sh
```

- If you get the error "Error Loading extension section v3_ca" on macOS, the `v3_ca` section is missing from your OpenSSL configuration; add the following to your `/etc/ssl/openssl.cnf`:

```
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
```
Output:

```
Creating 'certs' directory
Creating CA certificate
Generating a RSA private key
...................................................+++++
.....................+++++
writing new private key to 'certs/example.ca.key'
-----
Creating example.client ECDSA certificate
Signature ok
subject=CN = example.client, O = "Aerospike, Inc.", C = US
Getting CA Private Key
Creating example.server ECDSA certificate
Signature ok
subject=CN = example.server, O = "Aerospike, Inc.", C = US
Getting CA Private Key
Copying server certificate to aerospike server config directory
'certs/example.ca.crt' -> 'aerospike/etc/certs/example.ca.crt'
'certs/example.server.crt' -> 'aerospike/etc/certs/example.server.crt'
'certs/example.server.key' -> 'aerospike/etc/private/example.server.key'
```

Resulting files:

```
certs
├── example.ca.crt
├── example.ca.key
├── example.client.crt
├── example.client.key
├── example.server.crt
└── example.server.key
aerospike/etc/certs/
├── example.ca.crt
└── example.server.crt
aerospike/etc/private/
└── example.server.key
```

Note that only the server key is copied under `aerospike/etc/private`; the CA private key (`certs/example.ca.key`) and the client key stay in `certs/`, outside the directory that is mounted into the server container below.
Copy your `features.conf` file (provided by your Aerospike representative) to `aerospike/etc/features.conf`.

Run Aerospike Server configured for standard TLS:

```sh
$ docker run --rm --name aerospike-tls -p 4000:4000 -v \
    $(pwd)/aerospike/etc:/opt/aerospike/etc aerospike/aerospike-server-enterprise \
    --config-file /opt/aerospike/etc/aerospike-tls.conf
```
Confirm TLS connectivity using `asinfo` running locally in the container. The host argument has the form `address:tls-name:port`; the tls-name (`example.server`) must match the name in the server certificate, and the CA file is what `asinfo` uses to verify that certificate:

```sh
$ docker exec aerospike-tls asinfo -h 127.0.0.1:example.server:4000 --tls-enable \
    --tls-cafile=/opt/aerospike/etc/certs/example.ca.crt -v 'status'
```

Output:

```
ok
```
Run Aerospike Server configured for mutual TLS (mTLS):

```sh
$ docker run --rm --name aerospike-tls -p 4000:4000 -v \
    $(pwd)/aerospike/etc:/opt/aerospike/etc aerospike/aerospike-server-enterprise \
    --config-file /opt/aerospike/etc/aerospike-mtls.conf
```

Confirm mTLS connectivity using `asinfo` running locally in the container. This check reuses the server's own key and certificate as the client credentials, since those are the only ones mounted into the container; the example applications present the separate `example.client` certificate instead, which is what a real client should do:

```sh
$ docker exec aerospike-tls asinfo -h 127.0.0.1:example.server:4000 --tls-enable \
    --tls-cafile=/opt/aerospike/etc/certs/example.ca.crt \
    --tls-keyfile=/opt/aerospike/etc/private/example.server.key \
    --tls-certfile=/opt/aerospike/etc/certs/example.server.crt -v 'status'
```

Output:

```
ok
```
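The two `asinfo` checks above only report `ok`; they do not show what the server and client are actually verifying. The following stand-alone Go program is an added example, not code from this repository or from the Aerospike client, and it uses only the standard library. It builds the same kind of PKI that `generate-certs.sh` produces (an RSA CA key, ECDSA `example.server` and `example.client` leaf certificates) in memory rather than on disk, then runs four loopback handshakes: standard TLS, mTLS with the client certificate, mTLS with no client certificate, and a connection whose tls-name does not match the server certificate. The function and type names (`newPKI`, `Handshake`, `pki`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// pki is a throwaway CA plus leaf certs built in memory (RSA CA key, ECDSA leaves, as in generate-certs.sh).
type pki struct {
	pool       *x509.CertPool
	serverCert tls.Certificate
	clientCert tls.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newPKI() *pki {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true, // same meaning as basicConstraints = critical,CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	// leaf issues an ECDSA cert signed by the CA; the name goes into a DNS SAN because Go matches ServerName against SANs, not the CN.
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage) tls.Certificate {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			DNSNames:     []string{cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		check(err)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := leaf(2, "example.server", x509.ExtKeyUsageServerAuth)
	cli := leaf(3, "example.client", x509.ExtKeyUsageClientAuth)
	return &pki{pool: pool, serverCert: srv, clientCert: cli}
}

// Handshake runs one TLS handshake over loopback. requireClientCert switches the server from standard TLS
// to mTLS, serverName plays the role of the client's tls-name, and sendClientCert decides whether the
// client presents example.client. It returns nil only if both sides accept the session.
func Handshake(p *pki, requireClientCert bool, serverName string, sendClientCert bool) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.serverCert}, MinVersion: tls.VersionTLS12}
	if requireClientCert {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert // no CA-signed client cert, no session
		srvCfg.ClientCAs = p.pool
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	check(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake() // Accept does not handshake; drive it explicitly
		}
		srvErr <- err
	}()
	cliCfg := &tls.Config{RootCAs: p.pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{p.clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // e.g. the server certificate does not carry serverName
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes before the server has checked the client certificate,
	// so a missing-certificate rejection is only visible on the server side: wait for its verdict.
	return <-srvErr
}
```

The `RootCAs` / `ServerName` pair is the Go equivalent of `--tls-cafile` plus the tls-name in the `asinfo` host argument, and `Certificates` on the client side corresponds to `--tls-certfile` / `--tls-keyfile`; a Go application hands the same `tls.Config` fields to its Aerospike client. The point of the two failing cases is that a CA-signed server certificate is not enough on its own: the client must also pin the expected name, and an mTLS server must refuse a client that shows up without a certificate.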
Refer to the README for your preferred application language: