Secured communications (SSL/TLS)

You can encrypt the internal communication between CrateDB nodes and the external communication with HTTP and PostgreSQL clients. When you configure encryption, CrateDB secures connections using Transport Layer Security (TLS).

You can enable SSL on a per-protocol basis:

  • If you enable SSL for HTTP, all connections will require HTTPS.

  • By default, if you enable SSL for the PostgreSQL wire protocol, clients can negotiate on a per-connection basis whether to use SSL. However, you can enforce SSL via Host-Based Authentication.

  • If you enable SSL for the CrateDB transport protocol (used for intra-node communication), nodes only accept SSL connections (ssl.transport.mode set to on).

Tip

You can use on SSL mode to configure a multi-zone cluster to ensure encryption for nodes communicating between zones. Please note, that SSL has to be on in all nodes as communication is point-2-point, and intra-zone communication will also be encrypted.

Table of contents

SSL/TLS configuration

To enable SSL a keystore and a few configuration changes are necessary. These changes need to be made in the crate.yml file on each node that should have secure communications enabled.

Skip to Generate Keystore with a private key for a step-by-step instruction on how to create a keystore.

Once the keystore (and optional truststore) is created, continue with the following steps:

Note

CrateDB monitors SSL files such as keystore and truststore that are configured as values of the node settings. If any of these files are updated CrateDB dynamically reloads them. The polling frequency of the files is set via the ssl.resource_poll_interval setting.

Configuring the Keystore

SSL/TLS needs a keystore. The keystore holds the node certificate(s) which should be signed by a certificate authority (CA). A third-party CA or your organization’s existing CA can be used.

When a client connects to a node using SSL/TLS, the client receives the certificate provided by the node and will determine if the node’s certificate is valid, trusted, and matches the hostname or IP address it is trying to connect to.

Caution

Technically, it’s possible to disable CA checks for certificates on the client. It is strongly recommended however to use certificates signed by an official CA or by a private CA (company PKI) that is also known to the client. This will help to ensure that establishing trust is as painless as possible.

See Generate Keystore with a private key for information about how to create a keystore.

Once the keystore is prepared, define the absolute file path to the keystore .jks file on the node using ssl.keystore_filepath setting.

Note

Make sure that the keystore file has the right permissions and is accessible by the system user crate.

Also, define the password needed to decrypt the keystore by using the ssl.keystore_password setting.

Use ssl.keystore_key_password setting to define the key password used when creating the Keystore.

For a full list of the settings needed to configure SSL/TLS, refer to SSL configuration reference.

Configuring a separate Truststore

Trusted CA certificates can be stored in a node’s keystore or a separate truststore can be used to store them.

If you want to use a separate truststore, create a node truststore and import the CA certificate(s) you want to trust. Once the truststore is prepared, define the absolute file path of the truststore .jks file on the node using the ssl.truststore_filepath setting.

Note

Make sure that the truststore file has the right permissions and is accessible by the system user crate.

Also define the password needed to decrypt the keystore by using the ssl.truststore_password setting.

For a full list of the settings needed to configure SSL/TLS, refer to SSL configuration reference.

Connecting to a CrateDB node using HTTPS

Connect to a CrateDB node using the Admin UI

Crate’s HTTP endpoint remains unchanged. When you have turned on secure communication, it will use HTTPS instead of plain HTTP. Simply point your browser to the same URL you used before but changing the protocol to HTTPS:

For example, https://localhost:4200 becomes https://localhost:4200. If you have not configured the CrateDB node’s keystore with a signed certificate from a Certificate Authority (CA), then you will get something like the following: NET::ERR_CERT_AUTHORITY_INVALID. You either need to get your certificate signed from one of the CAs included in your browser or import your owned certificates into the browser. A third option is storing an exception for the CrateDB node certification in your browser after verifying that this is indeed a certificate you trust.

Connect to a CrateDB node using Crash

You can connect to a CrateDB node using a secure communication:

crash --hosts https://localhost:4200

To validate the provided certificates, please see the options --verify-ssl and --key-file.

Connect to a CrateDB node using REST

Issue your REST requests to the node using the https:// protocol. You may have to configure your client to validate the received certificate accordingly.

Connecting to a CrateDB node using the PostgreSQL wire protocol with SSL/TLS

Connect to a CrateDB node using JDBC

JDBC needs to validate the CrateDB node’s identity by checking that the node certificate is signed by a trusted authority. If the certificate is signed by a certificate authority (CA) that is known to the Java runtime, there is nothing further to do (as Java comes with copies of the most common CA’s certificates).

If you have a certificate that is signed by a CA not known to the Java runtime, you need to configure a truststore which contains the node’s certificate and provide the path to the truststore file along with the password when starting your Java application:

java -Djavax.net.ssl.trustStore=mystore -Djavax.net.ssl.trustStorePassword=mypassword com.mycompany.MyApp

In case you face any issues extra debugging information is available by adding -Djavax.net.debug=ssl to your command line.

Last but not least, the connection parameter ssl=true must be added to the connection URL so that the JDBC driver will try and establish an SSL connection.

For further information, visit JDBC SSL documentation.

Connect to a CrateDB node using psql

By default, psql attempts to use SSL if available on the node. For further information including the different SSL modes please visit the PSQL documentation.

Setting up a Keystore/Truststore with a certificate chain

In case you need to setup a Keystore or a Truststore, here are the commands to get you started. All the commands use a validity of 36500 days (about 100 years). You might want to use less.

Generate Keystore with a private key

The first step is to create a Keystore with a private key using the RSA algorithm. The “first and last name” is the common name (CN) which should overlap with the URL the service it is used with.

Command:

keytool -keystore keystore -genkey -keyalg RSA -alias server -validity 36500

Output:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ssl.crate.io
What is the name of your organizational unit?
  [Unknown]:  Cryptography Department
What is the name of your organization?
  [Unknown]:  Crate.io GmbH
What is the name of your City or Locality?
  [Unknown]:  Berlin
What is the name of your State or Province?
  [Unknown]:  Berlin
What is the two-letter country code for this unit?
  [Unknown]:  DE
Is CN=ssl.crate.io, OU=Cryptography Department, O=Crate.io GmbH, L=Berlin, ST=Berlin, C=DE correct?
  [no]:  yes

Enter key password for <server>
    (RETURN if same as keystore password):
Re-enter new password:

Generate a certificate signing request

To establish trust for this key, we need to sign it. This is done by generating a certificate signing request.

If you have access to a certificate authority (CA), you can skip the next steps and get the signed certificate from the CA using the signing request which we will generate with the command below. If you don’t have access to a CA, then follow the optional steps after this step to establish your own CA.

Command:

keytool -keystore keystore -certreq -alias server -keyalg RSA -file server.csr

Output:

Enter keystore password:
Enter key password for <server>

Optional: Use a self-signed certificate to act as a Certificate Authority (CA)

Note

Only follow these optional steps if you want to create your own Certificate Authority (CA). Otherwise, please request a signed certificate from one of the CAs bundled with Java.

Generate a self-signed certificate

If you don’t get your certificate signed from one of the official CAs, you might want to create your own CA with a self-signed certificate. The common name (CN) should overlap with the CN of the server key generated in the first step. For example, ssl.crate.io overlaps with *.crate.io.

Note

In this step by step guide it is shown how to create a server certificate. If you want to create a client certificate the steps are almost the same with the exception of providing a common name that is equivalent to the crate username as described in client certificate authentication method.

Command:

openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 \
    -keyout rootCA.key -out rootCA.crt

Output:

Generating a 2048 bit RSA private key
.......................................................................+++
.............................................................+++
writing new private key to 'rootCA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vorarlberg
Locality Name (eg, city) []:Dornbirn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Crate.io
Organizational Unit Name (eg, section) []:Cryptography Department
Common Name (e.g. server FQDN or YOUR name) []:*.crate.io
Email Address []:info@crate.io

Generate a signed cert

In order that the server can prove itself to have a valid and trusted domain it is required that the server certificate contains subjectAltName.

Create a file called ssl.ext with the following content. In section [alt_names] list valid domain names of the server:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com

Now you can generate a signed cert from our certificate signing request.

Command:

openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out server.crt -sha256 -days 36500 -extfile ssl.ext

Output:

Signature ok
subject=/C=DE/ST=Berlin/L=Berlin/O=Crate.io GmbH/OU=Cryptography Department/CN=ssl.crate.io
Getting CA Private Key

Import the CA certificate into the Keystore

The CA needs to be imported to the Keystore for the certificate chain to be available when we import our signed certificate.

Command:

keytool -import -keystore keystore -file rootCA.crt -alias theCARoot

Output:

Enter keystore password:
Owner: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Issuer: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Serial number: f13562ec6184401e
Valid from: Mon Jun 12 13:09:17 CEST 2017 until: Wed May 19 13:09:17 CEST 2117
Certificate fingerprints:
     MD5:  BB:A1:79:53:FE:71:EC:61:2A:19:81:E8:0E:E8:C9:81
     SHA1: 96:66:C1:01:49:17:D1:19:FB:DB:83:86:50:3D:3D:AD:DA:F7:C6:A9
     SHA256: 69:82:C5:24:9A:A1:AE:DF:80:29:7A:26:92:C1:A5:9F:AF:7D:03:56:CC:C3:E9:73:3B:FD:85:66:35:D6:8A:9B
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0   16 45 FB 0A CE 8D B4 98  .)N.=....E......
0010: B7 A8 4C 79                                        ..Ly
]
[EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT]
SerialNumber: [    f13562ec 6184401e]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0   16 45 FB 0A CE 8D B4 98  .)N.=....E......
0010: B7 A8 4C 79                                        ..Ly
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Import CA into Truststore

If we are using our own CA, we should also import the certificate to the Truststore, such that it is available for clients which want to verify signatures.

Command:

keytool -import -keystore truststore -file rootCA.crt -alias theCARoot

Output:

Enter keystore password:
Re-enter new password:
Owner: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Issuer: EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT
Serial number: f13562ec6184401e
Valid from: Mon Jun 12 13:09:17 CEST 2017 until: Wed May 19 13:09:17 CEST 2117
Certificate fingerprints:
     MD5:  BB:A1:79:53:FE:71:EC:61:2A:19:81:E8:0E:E8:C9:81
     SHA1: 96:66:C1:01:49:17:D1:19:FB:DB:83:86:50:3D:3D:AD:DA:F7:C6:A9
     SHA256: 69:82:C5:24:9A:A1:AE:DF:80:29:7A:26:92:C1:A5:9F:AF:7D:03:56:CC:C3:E9:73:3B:FD:85:66:35:D6:8A:9B
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0   16 45 FB 0A CE 8D B4 98  .)N.=....E......
0010: B7 A8 4C 79                                        ..Ly
]
[EMAILADDRESS=info@crate.io, CN=*.crate.io, OU=Cryptography Department, O=Crate.io, L=Dornbirn, ST=Vorarlberg, C=AT]
SerialNumber: [    f13562ec 6184401e]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 29 4E 07 3D C3 7C D0   16 45 FB 0A CE 8D B4 98  .)N.=....E......
0010: B7 A8 4C 79                                        ..Ly
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Import the signed certificate

Now we have a signed certificate, signed by either from a official CA or from our own CA. Let’s import it to the Keystore.

Command:

keytool -import -keystore keystore -file server.crt -alias server

Output:

Enter keystore password:
Enter key password for <server>
Certificate reply was installed in keystore

Configuring CrateDB

Finally, you want to supply the Keystore/Truststore in the CrateDB configuration, see Secured communications (SSL/TLS).