SslAndMtls.md

File metadata and controls

33 lines (24 loc) · 2.17 KB

Main page

SSL and mTLS usage examples

iproto over SSL or mTLS is supported only in Tarantool Enterprise Edition or Tarantool Data Grid.

First, SSL needs certificates and keys. For example, they can be generated with gen.sh.

Set up SSL

To start Tarantool with SSL, specify the transport type and the paths to the SSL private key and certificate. For a single Tarantool instance, put them in box.cfg:

```lua
box.cfg {
    listen = {
        uri = 3301,
        params = {
            transport = 'ssl',
            ssl_key_file = 'key.pem',        -- server private key
            ssl_cert_file = 'certificate.crt' -- server certificate
        }
    }
}
```

The connector client needs an SslContext. The test helper below builds one with InsecureTrustManagerFactory, which accepts any server certificate, so the server is not authenticated at all. That is acceptable only for tests such as the Testcontainers-based examples on this page, never in production, where the trust manager must be restricted to the CA that issued the server certificate.

Generating SslContext:

```java
import javax.net.ssl.SSLException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;

// Test-only: InsecureTrustManagerFactory trusts every server certificate.
private static SslContext getSslContext() throws SSLException {
    return SslContextBuilder.forClient()
        .trustManager(InsecureTrustManagerFactory.INSTANCE)
        .build();
}
```

Setting the SslContext with the withSslContext method. Note that withSslContext also marks the connection as secure, and that the builder is reused: the second client is built from the same builder after withSecure(false) and connects without TLS.

```java
final TarantoolClientBuilder tarantoolClientBuilder = TarantoolClientFactory.createClient()
    .withAddress(containerWithSsl.getHost(), containerWithSsl.getMappedPort(3301))
    .withCredentials("test_user", "test_password")
    .withSslContext(getSslContext());
// Client that connects over TLS using the SslContext above
final TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> clientWithSsl =
    tarantoolClientBuilder.build();
// Same builder, TLS switched off: a plain-text client
final TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> client =
    tarantoolClientBuilder.withSecure(false).build();
```

Set up mTLS

To start Tarantool with mTLS, set ssl_ca_file in addition to the previous parameters. With a CA file configured, the server requests a client certificate during the handshake and rejects connections whose certificate does not chain to that CA:

```lua
transport = 'ssl',
ssl_key_file = 'server.key',   -- server private key
ssl_cert_file = 'server.crt',  -- server certificate
ssl_ca_file = 'ca.crt'         -- CA used to verify client certificates
```

Generating SslContext with mTLS. The client now both verifies the server (trust store) and presents its own certificate and key (key manager). The test fixture reuses the CA's own certificate and key as the client identity; a real deployment uses a separate client certificate signed by the CA, with the private key kept out of the class path.

```java
import java.io.File;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

private static SslContext getSslContextWithCA() throws Exception {
    ClassLoader classloader = Thread.currentThread().getContextClassLoader();
    // Client identity presented to the server (test fixture: the CA cert/key themselves)
    final File keyCertChainFile = new File(classloader
        .getResource("org/testcontainers/containers/enterprise/ssl/mtls/ca.crt").toURI());
    final File keyFile = new File(classloader
        .getResource("org/testcontainers/containers/enterprise/ssl/mtls/ca.key").toURI());
    // Trust store holding the CA that the server certificate must chain to (test fixture password)
    String keyStoreFilePassword = "12345678";
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (InputStream trustStore = classloader
            .getResourceAsStream("org/testcontainers/containers/enterprise/ssl/mtls/trustStoreFile")) {
        keyStore.load(trustStore, keyStoreFilePassword.toCharArray());
    }
    TrustManagerFactory trustManagerFactory = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);
    return SslContextBuilder.forClient()
        .trustManager(trustManagerFactory)      // verify the server against the trust store
        .keyManager(keyCertChainFile, keyFile)  // present the client certificate
        .build();
}
```

Setting the SslContext with the withSslContext method:

```java
final TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> clientWithSsl =
    TarantoolClientFactory.createClient()
        .withAddress(containerWithSsl.getHost(), containerWithSsl.getMappedPort(3301))
        .withCredentials("test_user", "test_password")
        .withSslContext(getSslContextWithCA())
        .build();
```
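The two client-side helpers above are test code: the SSL one trusts any server certificate, and the mTLS one reuses the CA key as the client identity. The example below is an added one, not part of this project's documentation, and shows what a production client for both sections looks like: a single builder that verifies the server against a dedicated CA file and, for the mTLS case, presents a real client certificate signed by that CA. The file names ca.crt, client.crt and client.key, the host and port, and the credentials are assumptions; the io.tarantool.driver package names and the eval/close calls follow the cartridge-java client API, and the Netty calls (SslContextBuilder.trustManager(File), keyManager(File, File)) are the documented ones.

```java
import java.io.File;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.SSLException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.tarantool.driver.api.TarantoolClient;
import io.tarantool.driver.api.TarantoolClientFactory;
import io.tarantool.driver.api.TarantoolResult;
import io.tarantool.driver.api.tuple.TarantoolTuple;

/**
 * Added example (not project code): an SslContext that verifies the server
 * against a specific CA instead of trusting everything, and optionally
 * presents a client certificate for mTLS.
 */
public final class VerifiedTlsClientExample {

    /**
     * @param caCert     PEM file with the CA certificate(s) the server cert must chain to
     * @param clientCert PEM client certificate chain for mTLS, or null for server-auth TLS only
     * @param clientKey  PEM (PKCS#8) private key matching clientCert, or null
     */
    static SslContext verifiedSslContext(File caCert, File clientCert, File clientKey) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient()
            // Only certificates chaining to this CA are accepted; no InsecureTrustManagerFactory.
            .trustManager(Objects.requireNonNull(caCert, "CA certificate file is required"));
        if (clientCert != null || clientKey != null) {
            if (clientCert == null || clientKey == null) {
                // A half-configured identity would silently degrade to server-auth TLS and the
                // server (ssl_ca_file set) would reject the handshake; fail early and loudly instead.
                throw new IllegalArgumentException("mTLS requires both a client certificate and its key");
            }
            builder.keyManager(clientCert, clientKey);
        }
        return builder.build();
    }

    static TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> connect(
            String host, int port, String user, String password, SslContext sslContext) {
        return TarantoolClientFactory.createClient()
            .withAddress(host, port)
            .withCredentials(user, password)
            .withSslContext(sslContext)   // also marks the connection as secure
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names; they pair with the server-side
        // ssl_cert_file / ssl_key_file / ssl_ca_file settings shown above.
        File caCert = new File("ca.crt");
        File clientCert = new File("client.crt");
        File clientKey = new File("client.key");
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 3301;

        // 1) Server-authenticated TLS: server started with ssl_key_file + ssl_cert_file.
        try (TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> client =
                 connect(host, port, "test_user", "test_password",
                         verifiedSslContext(caCert, null, null))) {
            List<?> version = client.eval("return box.info.version").get();
            System.out.println("TLS ok, server version: " + version.get(0));
        }

        // 2) mTLS: server additionally has ssl_ca_file and rejects clients without a valid cert.
        try (TarantoolClient<TarantoolTuple, TarantoolResult<TarantoolTuple>> client =
                 connect(host, port, "test_user", "test_password",
                         verifiedSslContext(caCert, clientCert, clientKey))) {
            List<?> version = client.eval("return box.info.version").get();
            System.out.println("mTLS ok, server version: " + version.get(0));
        }
    }
}
```

Two caveats worth checking in your own deployment. First, restricting trust to a CA file authenticates the server as "some holder of a certificate from that CA"; Netty does not match the hostname against the certificate unless an endpoint identification algorithm is set on the SSLEngine, which the Tarantool client constructs internally, so use a CA dedicated to the Tarantool deployment rather than a public one. Second, if the handshake fails with the mTLS context, the first things to verify are that client.crt chains to the ca.crt the server was given and that client.key is the matching PKCS#8 key.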

The values in params can also be supplied through environment variables prefixed with TARANTOOL_; for example, params.transport is set with export TARANTOOL_TRANSPORT=ssl. Whichever way the paths are supplied, keep the private key file readable only by the user the Tarantool process runs as and out of version control.