Secured communications (SSL/TLS)¶
You can encrypt the internal communication between CrateDB nodes and the external communication with HTTP and PostgreSQL clients. When you configure encryption, CrateDB secures connections using Transport Layer Security (TLS).
You can enable SSL on a per-protocol basis:
If you enable SSL for HTTP, all connections will require HTTPS.
By default, if you enable SSL for the PostgreSQL wire protocol, clients can negotiate on a per-connection basis whether to use SSL. However, you can enforce SSL via Host-Based Authentication.
If you enable SSL for the CrateDB transport protocol (used for intra-node communication), nodes only accept SSL connections (ssl.transport.mode set to
on
).
Tip
You can use on
SSL mode to configure a multi-zone cluster to ensure
encryption for nodes communicating between zones. Please note, that SSL has
to be on
in all nodes as communication is point-2-point, and intra-zone
communication will also be encrypted.
Table of contents
SSL/TLS configuration¶
To enable SSL a keystore
and a few configuration changes are necessary.
These changes need to be made in the crate.yml
file on each node that
should have secure communications enabled.
Skip to Generate Keystore with a private key for a step-by-step instruction on how to
create a keystore
.
Once the keystore
(and optional truststore
) is created, continue with
the following steps:
Set
ssl.psql.enabled
orssl.http.enabled
totrue
.Set
ssl.transport.mode
toon
.(Optional) Configuring a separate Truststore
Note
CrateDB monitors SSL files such as keystore and truststore that are configured as values of the node settings. If any of these files are updated CrateDB dynamically reloads them. The polling frequency of the files is set via the ssl.resource_poll_interval setting.
Configuring the Keystore¶
SSL/TLS needs a keystore. The keystore holds the node certificate(s) which should be signed by a certificate authority (CA). A third-party CA or your organization’s existing CA can be used.
When a client connects to a node using SSL/TLS, the client receives the certificate provided by the node and will determine if the node’s certificate is valid, trusted, and matches the hostname or IP address it is trying to connect to.
Caution
Technically, it’s possible to disable CA checks for certificates on the client. It is strongly recommended however to use certificates signed by an official CA or by a private CA (company PKI) that is also known to the client. This will help to ensure that establishing trust is as painless as possible.
See Generate Keystore with a private key for information about how to create a keystore.
Once the keystore is prepared, define the absolute file path to the keystore
.jks
file on the node using ssl.keystore_filepath
setting.
Note
Make sure that the keystore file has the right permissions and is
accessible by the system user crate
.
Also, define the password needed to decrypt the keystore by using the
ssl.keystore_password
setting.
Use ssl.keystore_key_password
setting to define the key password used when
creating the Keystore.
For a full list of the settings needed to configure SSL/TLS, refer to SSL configuration reference.
Configuring a separate Truststore¶
Trusted CA certificates can be stored in a node’s keystore or a separate truststore can be used to store them.
If you want to use a separate truststore, create a node truststore and import
the CA certificate(s) you want to trust. Once the truststore is prepared,
define the absolute file path of the truststore .jks
file on the node
using the ssl.truststore_filepath
setting.
Note
Make sure that the truststore file has the right permissions and is
accessible by the system user crate
.
Also define the password needed to decrypt the keystore by using the
ssl.truststore_password
setting.
For a full list of the settings needed to configure SSL/TLS, refer to SSL configuration reference.
Connecting to a CrateDB node using HTTPS¶
Connect to a CrateDB node using the Admin UI¶
Crate’s HTTP endpoint remains unchanged. When you have turned on secure communication, it will use HTTPS instead of plain HTTP. Simply point your browser to the same URL you used before but changing the protocol to HTTPS:
For example, https://localhost:4200
becomes https://localhost:4200
.
If you have not configured the CrateDB node’s keystore with a signed
certificate from a Certificate Authority (CA), then you will get something
like the following: NET::ERR_CERT_AUTHORITY_INVALID
. You either need to
get your certificate signed from one of the CAs included in your browser or
import your owned certificates into the browser. A third option is storing
an exception for the CrateDB node certification in your browser after
verifying that this is indeed a certificate you trust.
Connect to a CrateDB node using Crash¶
You can connect to a CrateDB node using a secure communication:
crash --hosts https://localhost:4200
To validate the provided certificates, please see the options
--verify-ssl
and --key-file
.
Connect to a CrateDB node using REST¶
Issue your REST requests to the node using the https://
protocol. You
may have to configure your client to validate the received certificate
accordingly.
Connecting to a CrateDB node using the PostgreSQL wire protocol with SSL/TLS¶
Connect to a CrateDB node using JDBC¶
JDBC needs to validate the CrateDB node’s identity by checking that the node certificate is signed by a trusted authority. If the certificate is signed by a certificate authority (CA) that is known to the Java runtime, there is nothing further to do (as Java comes with copies of the most common CA’s certificates).
If you have a certificate that is signed by a CA not known to the Java runtime, you need to configure a truststore which contains the node’s certificate and provide the path to the truststore file along with the password when starting your Java application:
java -Djavax.net.ssl.trustStore=mystore -Djavax.net.ssl.trustStorePassword=mypassword com.mycompany.MyApp
In case you face any issues extra debugging information is available by adding
-Djavax.net.debug=ssl
to your command line.
Last but not least, the connection parameter ssl=true
must be added to the
connection URL so that the JDBC driver will try and establish an SSL
connection.
For further information, visit JDBC SSL documentation.
Connect to a CrateDB node using psql
¶
By default, psql
attempts to use SSL if available on the node. For further
information including the different SSL modes please visit the
PSQL documentation.
Setting up a Keystore/Truststore with a certificate chain¶
In case you need to setup a Keystore or a Truststore, here are the commands to get you started. All the commands use a validity of 36500 days (about 100 years). You might want to use less.
Generate Keystore with a private key¶
The first step is to create a Keystore with a private key using the RSA algorithm. The “first and last name” is the common name (CN) which should overlap with the URL the service it is used with.
Command:
keytool -keystore keystore -genkey -keyalg RSA -alias server -validity 36500
Output:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: ssl.crate.io
What is the name of your organizational unit?
[Unknown]: Cryptography Department
What is the name of your organization?
[Unknown]: Crate.io GmbH
What is the name of your City or Locality?
[Unknown]: Berlin
What is the name of your State or Province?
[Unknown]: Berlin
What is the two-letter country code for this unit?
[Unknown]: DE
Is CN=ssl.crate.io, OU=Cryptography Department, O=Crate.io GmbH, L=Berlin, ST=Berlin, C=DE correct?
[no]: yes
Enter key password for <server>
(RETURN if same as keystore password):
Re-enter new password:
Generate a certificate signing request¶
To establish trust for this key, we need to sign it. This is done by generating a certificate signing request.
If you have access to a certificate authority (CA), you can skip the next steps and get the signed certificate from the CA using the signing request which we will generate with the command below. If you don’t have access to a CA, then follow the optional steps after this step to establish your own CA.
Command:
keytool -keystore keystore -certreq -alias server -keyalg RSA -file server.csr
Output:
Enter keystore password:
Enter key password for <server>
Optional: Use a self-signed certificate to act as a Certificate Authority (CA)¶
Note
Only follow these optional steps if you want to create your own Certificate Authority (CA). Otherwise, please request a signed certificate from one of the CAs bundled with Java.
Generate a self-signed certificate¶
If you don’t get your certificate signed from one of the official CAs,
you might want to create your own CA with a self-signed certificate.
The common name (CN) should overlap with the CN of the server key
generated in the first step. For example, ssl.crate.io
overlaps
with *.crate.io
.
Note
In this step by step guide it is shown how to create a server certificate. If you want to create a client certificate the steps are almost the same with the exception of providing a common name that is equivalent to the crate username as described in client certificate authentication method.
Command:
openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 \
-keyout rootCA.key -out rootCA.crt
Output:
Generating a 2048 bit RSA private key
.......................................................................+++
.............................................................+++
writing new private key to 'rootCA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vorarlberg
Locality Name (eg, city) []:Dornbirn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Crate.io
Organizational Unit Name (eg, section) []:Cryptography Department
Common Name (e.g. server FQDN or YOUR name) []:*.crate.io
Email Address []:info@crate.io
Generate a signed cert¶
In order that the server can prove itself to have a valid and trusted domain it is required that the server certificate contains subjectAltName.
Create a file called ssl.ext
with the following content. In section
[alt_names]
list valid domain names of the server:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
Now you can generate a signed cert from our certificate signing request.
Command:
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out server.crt -sha256 -days 36500 -extfile ssl.ext
Output:
Signature ok
subject=/C=DE/ST=Berlin/L=Berlin/O=Crate.io GmbH/OU=Cryptography Department/CN=ssl.crate.io
Getting CA Private Key
Import the CA certificate into the Keystore¶
The CA needs to be imported to the Keystore for the certificate chain to be available when we import our signed certificate.
Command:
keytool -import -keystore keystore -file rootCA.crt -alias theCARoot
Output:
Enter keystore password:
Owner: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Issuer: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Serial number: f13562ec6184401e
Valid from: Mon Jun 12 13:09:17 CEST 2017 until: Wed May 19 13:09:17 CEST 2117
Certificate fingerprints:
MD5: BB:A1:79:53:FE:71:EC:61:2A:19:81:E8:0E:E8:C9:81
SHA1: 96:66:C1:01:49:17:D1:19:FB:DB:83:86:50:3D:3D:AD:DA:F7:C6:A9
SHA256: 69:82:C5:24:9A:A1:AE:DF:80:29:7A:26:92:C1:A5:9F:AF:7D:03:56:CC:C3:E9:73:3B:FD:85:66:35:D6:8A:9B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0 16 45 FB 0A CE 8D B4 98 .)N.=....E......
0010: B7 A8 4C 79 ..Ly
]
[EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT]
SerialNumber: [ f13562ec 6184401e]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0 16 45 FB 0A CE 8D B4 98 .)N.=....E......
0010: B7 A8 4C 79 ..Ly
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Import CA into Truststore¶
If we are using our own CA, we should also import the certificate to the Truststore, such that it is available for clients which want to verify signatures.
Command:
keytool -import -keystore truststore -file rootCA.crt -alias theCARoot
Output:
Enter keystore password:
Re-enter new password:
Owner: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Issuer: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Serial number: f13562ec6184401e
Valid from: Mon Jun 12 13:09:17 CEST 2017 until: Wed May 19 13:09:17 CEST 2117
Certificate fingerprints:
MD5: BB:A1:79:53:FE:71:EC:61:2A:19:81:E8:0E:E8:C9:81
SHA1: 96:66:C1:01:49:17:D1:19:FB:DB:83:86:50:3D:3D:AD:DA:F7:C6:A9
SHA256: 69:82:C5:24:9A:A1:AE:DF:80:29:7A:26:92:C1:A5:9F:AF:7D:03:56:CC:C3:E9:73:3B:FD:85:66:35:D6:8A:9B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0 16 45 FB 0A CE 8D B4 98 .)N.=....E......
0010: B7 A8 4C 79 ..Ly
]
[EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT]
SerialNumber: [ f13562ec 6184401e]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0 16 45 FB 0A CE 8D B4 98 .)N.=....E......
0010: B7 A8 4C 79 ..Ly
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the signed certificate¶
Now we have a signed certificate, signed by either from a official CA or from our own CA. Let’s import it to the Keystore.
Command:
keytool -import -keystore keystore -file server.crt -alias server
Output:
Enter keystore password:
Enter key password for <server>
Certificate reply was installed in keystore
Configuring CrateDB¶
Finally, you want to supply the Keystore/Truststore in the CrateDB configuration, see Secured communications (SSL/TLS).