How do I set up mutual TLS authentication?
FeatureBase is configured with a PEM-encoded TLS keypair and supports mutual TLS so that client and server nodes can:
- cryptographically verify each other
- establish an encrypted connection
FeatureBase clusters communicate using the memberlist Go library.
Enable AES-256 encryption of that gossip traffic by configuring a 32-byte (256-bit) shared key for the memberlist protocol.
Internal etcd cluster communication does not currently support TLS.
Before you begin
- Learn about TLS (Transport Layer Security)
- Learn about AES (Advanced Encryption Standard)
- Learn about the memberlist Go library
- Learn how to enable FeatureBase Community authentication
Create a testing certificate
certstrap can be used to create certificates for testing but is NOT recommended for production environments.
Step 1 - Create a root CA
- Open a CLI and enter the following command:
certstrap init --common-name "auth.mybusiness.com"
Step 2 - Create and sign a keypair for FeatureBase
- Run the following commands:
certstrap request-cert --common-name "featurebase.mybusiness.com"
certstrap sign featurebase.mybusiness.com --CA auth.mybusiness.com
Step 3 - Create a 32-byte memberlist key
Create a 32-byte (256-bit) key to encrypt memberlist (gossip) communication:
head -c 32 /dev/random > out/gossip.key
Step 4 - Verify files have been generated
Verify the following files have been created in the out directory (certstrap's default output location, which the gossip key command above also writes to):
- auth.mybusiness.com.crl
- auth.mybusiness.com.crt
- auth.mybusiness.com.key
- featurebase.mybusiness.com.crt
- featurebase.mybusiness.com.csr
- featurebase.mybusiness.com.key
- gossip.key
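A small pre-flight script makes Step 4 mechanical and catches the two mistakes that bite most often: a gossip key of the wrong length (memberlist accepts 16-, 24- or 32-byte keys, so a 16-byte key silently gives AES-128 instead of the AES-256 this guide targets) and a certificate that does not match its private key. This is an added example written for this page, not FeatureBase tooling; it uses only the Python standard library, assumes certstrap's default `out` directory and the common names used above, and `demo()` fabricates a throwaway gossip key so the script runs without certstrap installed.

```python
"""Pre-flight checks for the certstrap + gossip-key artifacts (added example, not FeatureBase code)."""
import os
import ssl
import tempfile

# certstrap writes into ./out by default; the gossip key command in Step 3 targets the same directory.
OUT_DIR = "out"
CA_NAME = "auth.mybusiness.com"            # common name from Step 1
NODE_NAME = "featurebase.mybusiness.com"   # common name from Step 2
GOSSIP_KEY_BYTES = 32                      # AES-256 needs a 256-bit (32-byte) key


def expected_files(ca=CA_NAME, node=NODE_NAME):
    """The seven artifacts Step 4 expects to find in the output directory."""
    return [f"{ca}.crl", f"{ca}.crt", f"{ca}.key",
            f"{node}.crt", f"{node}.csr", f"{node}.key", "gossip.key"]


def missing_files(out_dir=OUT_DIR, ca=CA_NAME, node=NODE_NAME):
    """Return the expected artifacts that are absent from out_dir."""
    return [f for f in expected_files(ca, node)
            if not os.path.isfile(os.path.join(out_dir, f))]


def check_gossip_key_bytes(data, size=GOSSIP_KEY_BYTES):
    """True only when the key is exactly `size` bytes; memberlist picks the AES
    key length from the file size, so a short key weakens the cipher."""
    return len(data) == size


def check_gossip_key(path, size=GOSSIP_KEY_BYTES):
    with open(path, "rb") as fh:
        return check_gossip_key_bytes(fh.read(), size)


def build_mtls_context(cert_path, key_path, ca_path):
    """Load the node keypair (OpenSSL raises ssl.SSLError if the key does not
    match the certificate) and require peers to present a cert issued by the CA.
    This is the context shape mutual TLS needs; the returned object is only
    used here as a validation side effect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    ctx.load_verify_locations(cafile=ca_path)
    ctx.verify_mode = ssl.CERT_REQUIRED   # mutual: no client cert, no connection
    return ctx


def preflight(out_dir=OUT_DIR, ca=CA_NAME, node=NODE_NAME):
    """Run every check; an empty list means the artifacts look ready."""
    problems = []
    missing = missing_files(out_dir, ca, node)
    problems += [f"missing: {f}" for f in missing]

    if "gossip.key" not in missing and not check_gossip_key(os.path.join(out_dir, "gossip.key")):
        problems.append(f"gossip.key is not {GOSSIP_KEY_BYTES} bytes")

    needed = {f"{node}.crt", f"{node}.key", f"{ca}.crt"}
    if not needed & set(missing):
        try:
            build_mtls_context(os.path.join(out_dir, f"{node}.crt"),
                               os.path.join(out_dir, f"{node}.key"),
                               os.path.join(out_dir, f"{ca}.crt"))
        except ssl.SSLError as exc:
            problems.append(f"certificate/key problem: {exc}")
    return problems


def demo():
    """Self-contained run: write a fresh 32-byte gossip key into a temp dir
    (constructed; no certstrap needed) and report what preflight finds.
    With no certificates present it reports exactly the six missing cert files."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "gossip.key"), "wb") as fh:
            fh.write(os.urandom(GOSSIP_KEY_BYTES))
        return preflight(tmp)


if __name__ == "__main__":
    for line in preflight() or ["all artifacts present and consistent"]:
        print(line)
```

Run it from the directory that contains `out/` after Step 3; any `certificate/key problem` line means the `.crt` and `.key` in Step 2 do not belong together and should be regenerated before touching the FeatureBase configuration.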
Step 5 - Update FeatureBase bind configuration
Update the FeatureBase bind configuration to use the https scheme:
bind = "https://featurebase-hostname-or-ip:10101"
bind-grpc = "https://featurebase-hostname-or-ip:10101"
Update FeatureBase configuration
The certificate and private key can be added to the FeatureBase configuration using environment variables, a configuration file or command-line parameters.
Add certificates using environment variables
Add certificates using a TOML configuration file
[tls]
certificate = "/path/to/featurebase.mybusiness.com.crt"
key = "/path/to/featurebase.mybusiness.com.key"
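A `certificate` and `key` alone give one-way TLS: clients can verify the node, but the node accepts any client. For the mutual authentication this page sets out, the node also has to be told which CA signed peer certificates and to demand one. The fragment below is an added example, not taken from the FeatureBase documentation; the `ca-certificate`, `enable-client-verification` and `skip-verify` keys are the `[tls]` keys used by Pilosa, the project FeatureBase descends from, and are assumed here to carry over unchanged (check them against your FeatureBase version); the paths are placeholders.

```toml
[tls]
# node keypair produced in Step 2
certificate = "/path/to/featurebase.mybusiness.com.crt"
key = "/path/to/featurebase.mybusiness.com.key"
# root CA from Step 1; peers must present a certificate chained to it (assumed key name)
ca-certificate = "/path/to/auth.mybusiness.com.crt"
# require the peer's certificate; without this the connection is encrypted but the peer is not authenticated (assumed key name)
enable-client-verification = true
# leave verification on; disabling it turns mutual TLS back into an unauthenticated encrypted channel (assumed key name)
skip-verify = false
```

The private key file should be readable only by the FeatureBase service account; the certificate and CA files can be world-readable.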