Druid TLS support


Tariq Hasan

Jun 11, 2022, 12:12:39 PM
to Druid User

Hi Druid user Group,

I am using 0.22.1 and want to enable a TLS certificate on the Druid cluster, set up through the following parameters, as I found on the Druid forums.

druid.enablePlaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=imply-keystore.jks
druid.server.https.keyStorePassword=imply123 # replace with your own password
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=imply-truststore.jks
druid.client.https.trustStorePassword=imply123  # replace with your own password


I have a few questions:

1: Is Druid TLS support optional for the client? Meaning, Druid is used by different applications; if I enable the TLS certificate on the Druid side, will the applications still work fine or not?

2: Also, for "StorePath", is there any specific path to store the files? I have CentOS Linux.

3: If I want to enable the client for TLS, are the following parameters the minimum required?


druid.server.https.requireClientCertificate=true
druid.server.https.requestClientCertificate=true
druid.server.https.trustStoreType=java.security.KeyStore.getDefaultType()
druid.server.https.trustStorePath
druid.server.https.trustStorePassword


Thanks

Mark Herrera

Jun 13, 2022, 10:46:06 AM
to Druid User
Hi,

1: Is Druid TLS support optional for the client?

I think your client will need to connect via the TLS port and will need to provide the certificate.

2: Also for “StorePath”, any specific path to store files?

Just quoting the docs for druid.server.https.trustStorePath here:

The file path or URL of the trust store containing certificates used to validate client certificates.

3: If I want to enable the client for TLS, are the following parameters the minimum required?

Those parameters should work. Just make sure that they're set on both the broker and router.

Best,

Mark

Tijo Thomas

Jun 13, 2022, 1:16:03 PM
to druid...@googlegroups.com

My two cents on top of Mark's reply.

1: If you use a CA-signed certificate, then most likely you will not face any challenges in your application. But again, it depends on the kind of application. Most modern platforms/tools keep an up-to-date version of the CA certificates, so you will not face any issues.




--
Tijo Thomas
Solutions Architect | Imply, Bangalore, India

Tariq Hasan

Jun 14, 2022, 12:18:54 PM
to druid...@googlegroups.com
Thanks Mark and Tijo,

I have another question. Is there any way to configure TLS on a different port so that the application/client is not impacted? If yes, what are the steps, or is there any reference doc?

Regards

Tijo Thomas

Jun 14, 2022, 1:29:28 PM
to druid...@googlegroups.com
Hi Tariq,

Mark has provided the doc reference in his earlier mail. Just mentioning it again here. You could configure druid.tlsPort to the port you like in each service's runtime.properties file.

Tariq Hasan

Jun 14, 2022, 11:59:47 PM
to Druid User
Mark,
As you mentioned, the client needs to connect through TLS and provide a certificate, which is fine in my case. My other question is that I don't want to enable TLS on the default port for the broker (8082).
What I want to do is enable TLS on another port on the broker/router by using druid.tlsPort=8283. My question is: if I do this, will my default broker port, 8082, still work for the application without TLS or not? Or will my application which uses the broker port require TLS authentication or not?
What I am planning to do is enable TLS on the Druid side on a different port so the application keeps working with the default port (8082), and later move the application from the default port to the new TLS-enabled port.
Sorry if I make it complex for you :)
Regards

Tijo Thomas

Jun 15, 2022, 3:01:58 AM
to druid...@googlegroups.com
Hi Tariq ,

This is not complex at all; it makes perfect sense.

You may set `druid.enablePlaintextPort = true`; then applications connecting to 8082 without TLS keep working, and over a period of time, once all the apps are migrated to TLS, you can disable the plaintext port.

Tariq Hasan

Jun 15, 2022, 10:06:03 AM
to Druid User
Hi Tijo,
Thanks for the response. I think I could not explain it well earlier.
What I want to do is first enable TLS with the following parameters on the Broker/Router:

druid.tlsPort=8282 (default TLS port for broker)
druid.plaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=imply-keystore.jks
druid.server.https.keyStorePassword=passord456
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=imply-truststore.jks
druid.client.https.trustStorePassword=password456


Then I want to know whether the application/client will still work on the default broker port (8082) or not, and whether the other Druid components keep working on their ports (8081, 8888, 8090).
If the application/client works, then in the 2nd stage I will reconfigure the app or client to work on 8282 with TLS.
Regards
-Tariq
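Added example, not from the thread or the Druid project: a small Python checker for the plaintext/TLS listener mix the thread is about. It reads a runtime.properties fragment (constructed inline; file paths and passwords are placeholders) and reports which ports the service will answer on, using the real Druid property names and the broker defaults quoted above (8082 plaintext, 8282 TLS; Druid's defaults are plaintext enabled and TLS disabled). It also flags two slips worth catching before the plaintext port is switched off: a true/false value in druid.plaintextPort (that key takes a port number; the on/off switch is druid.enablePlaintextPort), and a trailing "# comment" on a password line, which in Java .properties syntax becomes part of the stored password.

```python
import re
from typing import Dict, List, Optional

# Constructed broker runtime.properties in the "migration" state Tijo
# describes: the plaintext listener on 8082 stays up while TLS is added on
# 8282. Paths and passwords are placeholders, not real values.
BROKER_MIGRATION_PROPERTIES = """\
druid.service=druid/broker
druid.plaintextPort=8082
druid.enablePlaintextPort=true
druid.tlsPort=8282
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=/opt/druid/conf/druid-keystore.jks
druid.server.https.keyStorePassword=CHANGEME
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=/opt/druid/conf/druid-truststore.jks
druid.client.https.trustStorePassword=CHANGEME
"""

# Constructed fragment carrying the two slips seen in the thread: a boolean
# in druid.plaintextPort and an inline comment after the keystore password.
BROKER_SLIPPED_PROPERTIES = """\
druid.tlsPort=8282
druid.plaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=druid-keystore.jks
druid.server.https.keyStorePassword=CHANGEME # replace with your own password
"""

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader.

    '#' or '!' starts a comment only at the beginning of a line; anything
    after the first '=' or ':' is the value, a trailing '# ...' included.
    Line continuations and escapes are out of scope for this check.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _flag(value: Optional[str], default: bool) -> bool:
    """Druid boolean property: absent means the default, else 'true'/'false'."""
    return default if value is None else value.strip().lower() == "true"


def check_listeners(props: Dict[str, str],
                    plaintext_default: int = 8082,
                    tls_default: int = 8282) -> dict:
    """Report the ports a service will listen on and any config slips.

    Defaults mirror Druid's (plaintext on, TLS off) and the broker port
    numbers quoted in the thread.
    """
    findings: List[str] = []
    plaintext_on = _flag(props.get("druid.enablePlaintextPort"), True)
    tls_on = _flag(props.get("druid.enableTlsPort"), False)
    plaintext_port = props.get("druid.plaintextPort", str(plaintext_default))
    tls_port = props.get("druid.tlsPort", str(tls_default))

    if not plaintext_port.isdigit():
        findings.append(
            f"druid.plaintextPort={plaintext_port!r} is not a port number; "
            "toggle the listener with druid.enablePlaintextPort=true/false")
    if not tls_port.isdigit():
        findings.append(f"druid.tlsPort={tls_port!r} is not a port number")
    if tls_on:
        for key in ("druid.server.https.keyStorePath",
                    "druid.server.https.keyStorePassword"):
            if not props.get(key):
                findings.append(f"{key} must be set when druid.enableTlsPort=true")
    if not plaintext_on and not tls_on:
        findings.append("both listeners are disabled; the service will accept no HTTP connections")
    for key, value in props.items():
        if "#" in value:
            findings.append(
                f"{key} contains '#': inline comments are part of the value "
                "in .properties files, so the stored secret is not what you think")

    return {
        "plaintext_port": int(plaintext_port) if plaintext_on and plaintext_port.isdigit() else None,
        "tls_port": int(tls_port) if tls_on and tls_port.isdigit() else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("migration", BROKER_MIGRATION_PROPERTIES),
                       ("slipped", BROKER_SLIPPED_PROPERTIES)):
        report = check_listeners(parse_properties(text))
        print(name, "plaintext:", report["plaintext_port"], "tls:", report["tls_port"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against each service's runtime.properties before flipping druid.enablePlaintextPort to false; the per-service defaults differ (8282 is the broker's TLS default), so pass the right plaintext_default and tls_default for the router, coordinator and the rest.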