How to setup XDR with PKI authentication

Context

How to statically configure XDR with PKI authentication.


Method

  1. Configure the tls{} stanza(s) to specify which certificates will be used.

  2. Add the TLS configuration to the relevant protocol stanzas, specifying which TLS name to use.

  3. If required, configure the parties that connect to the cluster (XDR / client) to use TLS.

  4. (OPTIONAL) Disable the non-TLS ports. This step may be omitted if you want to use TLS for XDR and not client connections, or vice versa.

Examples for source cluster

tls stanza

network {
    tls tls1 {
        ca-file /etc/aerospike/ssl/tls1/cacert.pem
        cert-file /etc/aerospike/ssl/tls1/cert.pem
        key-file /etc/aerospike/ssl/tls1/key.pem
    }

    # the cert and key files must be generated from the same CA on the destination
    tls admin {
        ca-file /etc/aerospike/ssl/admin/cacert.pem
        cert-file /etc/aerospike/ssl/admin/cert.pem
        key-file /etc/aerospike/ssl/admin/key.pem
    }
}

“admin” should be an existing user on the destination cluster, with its certificate and key generated by the same CA used on the destination.


xdr stanza

xdr {
    dc dest_dc {
        auth-mode pki
        namespace namespace_name {
        }
        # tls1: the TLS name of the destination's server certificate, as configured on the source
        node-address-port 10.88.0.5 4333 tls1
        # admin: a user on the destination with write permissions
        tls-name admin
    }
}

The TLS name given in node-address-port (tls1) is the name the source cluster expects to find in the certificate presented by the destination (standard server authentication, since the destination is the server). The source cluster therefore needs the ca-file for that TLS name in its tls{} stanza so that it can verify the server. The destination cluster, in turn, needs that TLS name in its service{} stanza, backed by a tls{} stanza carrying its key-file and cert-file.


The name given in the tls-name directive (admin) is the TLS name used for mutual authentication, provided the server (the destination cluster) has tls-authenticate-client set in its service{} stanza to either ‘any’ or this TLS name. Because this name is used to authenticate the client (the source cluster), its tls{} stanza on the source needs the cert-file and key-file. The destination cluster needs the ca-file that issued this certificate in order to authenticate the client.
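The destination-side counterpart of the source configuration above, as an added example that is not part of the original article. It assumes the same file paths, the TLS port 4333 from node-address-port, and that security is enabled on the destination with an existing user named admin.

```conf
# Destination cluster (the server side of the XDR connection). Added example;
# paths, port and the "admin" user are assumptions matching the source config.
network {
    # tls1 is the name the source expects in this cluster's server certificate,
    # so the destination holds the cert-file and key-file for it. Its ca-file is
    # the destination CA that also issued the "admin" client certificate, which
    # is what lets this cluster verify the certificate the source presents.
    tls tls1 {
        ca-file /etc/aerospike/ssl/tls1/cacert.pem
        cert-file /etc/aerospike/ssl/tls1/cert.pem
        key-file /etc/aerospike/ssl/tls1/key.pem
    }

    service {
        # Optional non-TLS port (method step 4): remove it once all clients
        # and XDR peers connect over TLS.
        port 3000
        tls-port 4333
        tls-name tls1
        # Accept only a client certificate for "admin"; "any" would accept
        # any client certificate signed by the CA in the tls1 stanza.
        tls-authenticate-client admin
    }
}
```

With this in place, an XDR connection from the source using auth-mode pki is authenticated as the user named in its certificate, so that user needs write permission on the target namespace.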


Applies To Earliest Version

5.7

Applies To Latest Version

Current Version