SSL/TLS support

Several Flume components support the SSL/TLS protocols in order to communicate with other systems securely.

Component                    SSL server or client
---------------------------  --------------------
Avro Source                  server
Avro Sink                    client
Thrift Source                server
Thrift Sink                  client
Kafka Source                 client
Kafka Channel                client
Kafka Sink                   client
HTTP Source                  server
JMS Source                   client
Syslog TCP Source            server
Multiport Syslog TCP Source  server

The SSL compatible components have several configuration parameters to set up SSL, like an enable SSL flag, keystore / truststore parameters (location, password, type) and additional SSL parameters (e.g. disabled protocols).

Enabling SSL for a component is always specified at component level in the agent configuration file. So some components may be configured to use SSL while others are not (even with the same component type).

The keystore / truststore setup can be specified at component level or globally.

In case of the component level setup, the keystore / truststore is configured in the agent configuration file through component specific parameters. The advantage of this method is that the components can use different keystores (if this is needed). The disadvantage is that the keystore parameters must be copied for each component in the agent configuration file. The component level setup is optional, but if it is defined, it has higher precedence than the global parameters.

With the global setup, it is enough to define the keystore / truststore parameters once and use the same settings for all components, which means less and more centralized configuration.

The global setup can be configured either through system properties or through environment variables.

System property                 Environment variable            Description
------------------------------  ------------------------------  -----------------------------------------------------------
javax.net.ssl.keyStore          FLUME_SSL_KEYSTORE_PATH         Keystore location
javax.net.ssl.keyStorePassword  FLUME_SSL_KEYSTORE_PASSWORD     Keystore password
javax.net.ssl.keyStoreType      FLUME_SSL_KEYSTORE_TYPE         Keystore type (by default JKS)
javax.net.ssl.trustStore        FLUME_SSL_TRUSTSTORE_PATH       Truststore location
javax.net.ssl.trustStorePassword FLUME_SSL_TRUSTSTORE_PASSWORD  Truststore password
javax.net.ssl.trustStoreType    FLUME_SSL_TRUSTSTORE_TYPE       Truststore type (by default JKS)
flume.ssl.include.protocols     FLUME_SSL_INCLUDE_PROTOCOLS     Protocols to include when calculating enabled protocols. A comma (,) separated list. Protocols named in the exclude list are removed from this list if it is provided.
flume.ssl.exclude.protocols     FLUME_SSL_EXCLUDE_PROTOCOLS     Protocols to exclude when calculating enabled protocols. A comma (,) separated list.
flume.ssl.include.cipherSuites  FLUME_SSL_INCLUDE_CIPHERSUITES  Cipher suites to include when calculating enabled cipher suites. A comma (,) separated list. Cipher suites named in the exclude list are removed from this list if it is provided.
flume.ssl.exclude.cipherSuites  FLUME_SSL_EXCLUDE_CIPHERSUITES  Cipher suites to exclude when calculating enabled cipher suites. A comma (,) separated list.

The SSL system properties can either be passed on the command line or by setting the JAVA_OPTS environment variable in conf/flume-env.sh. (Although, using the command line is inadvisable because the commands including the passwords will be saved to the command history.)

    export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore.jks"
    export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=password"

Flume uses the system properties defined in JSSE (Java Secure Socket Extension), so this is a standard way for setting up SSL. On the other hand, specifying passwords in system properties means that the passwords can be seen in the process list. For cases where this is not acceptable, it is also possible to define the parameters in environment variables. In this case Flume initializes the JSSE system properties from the corresponding environment variables internally.

The SSL environment variables can either be set in the shell environment before starting Flume or in conf/flume-env.sh. (Although, using the command line is inadvisable because the commands including the passwords will be saved to the command history.)

    export FLUME_SSL_KEYSTORE_PATH=/path/to/keystore.jks
    export FLUME_SSL_KEYSTORE_PASSWORD=password

Please note:

  • SSL must be enabled at component level. Specifying the global SSL parameters alone will not have any effect.
  • If the global SSL parameters are specified at multiple levels, the priority is the following (from higher to lower):
    • component parameters in agent config
    • system properties
    • environment variables
  • If SSL is enabled for a component, but the SSL parameters are not specified in any of the ways described above, then
    • in case of keystores: configuration error
    • in case of truststores: the default truststore will be used (jssecacerts / cacerts in Oracle JDK)
  • The truststore password is optional in all cases. If not specified, then no integrity check will be performed on the truststore when it is opened by the JDK.
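The precedence and fallback rules listed above, together with the include/exclude protocol calculation from the table, modelled in Python as an added example (this is not Flume's own code). The component-level parameter names (`ssl`, `keystore`, `keystore-password`, ...) and all sample paths and passwords are assumptions constructed for the example.

```python
# Maps an assumed component-level parameter name to the JSSE system property
# and the FLUME_SSL_* environment variable documented in the table above.
SETTINGS = {
    "keystore":            ("javax.net.ssl.keyStore",           "FLUME_SSL_KEYSTORE_PATH"),
    "keystore-password":   ("javax.net.ssl.keyStorePassword",   "FLUME_SSL_KEYSTORE_PASSWORD"),
    "keystore-type":       ("javax.net.ssl.keyStoreType",       "FLUME_SSL_KEYSTORE_TYPE"),
    "truststore":          ("javax.net.ssl.trustStore",         "FLUME_SSL_TRUSTSTORE_PATH"),
    "truststore-password": ("javax.net.ssl.trustStorePassword", "FLUME_SSL_TRUSTSTORE_PASSWORD"),
    "truststore-type":     ("javax.net.ssl.trustStoreType",     "FLUME_SSL_TRUSTSTORE_TYPE"),
}

JDK_DEFAULT_TRUSTSTORE = "<JDK default: jssecacerts / cacerts>"


class SslConfigError(Exception):
    """SSL is enabled for the component but no keystore is available at any level."""


def resolve(component, sys_props, env):
    """Return the effective SSL settings for one component, or None if SSL is
    disabled for it (global parameters alone have no effect).

    Precedence, from higher to lower: component parameters in the agent
    config, then system properties, then environment variables."""
    if component.get("ssl", "false").lower() != "true":
        return None
    effective = {}
    for key, (prop, var) in SETTINGS.items():
        value = component.get(key) or sys_props.get(prop) or env.get(var)
        if value:
            effective[key] = value
    if "keystore" not in effective:
        raise SslConfigError("SSL enabled but no keystore configured at any level")
    effective.setdefault("keystore-type", "JKS")
    # A missing truststore falls back to the JDK default; a missing truststore
    # password is allowed (no integrity check is performed when it is opened).
    effective.setdefault("truststore", JDK_DEFAULT_TRUSTSTORE)
    effective.setdefault("truststore-type", "JKS")
    return effective


def enabled_protocols(supported, include=None, exclude=None):
    """Enabled protocols = the include list (or everything supported when no
    include list is given) minus anything on the exclude list. The same rule
    applies to cipher suites."""
    base = [p.strip() for p in include.split(",")] if include else list(supported)
    excluded = {p.strip() for p in exclude.split(",")} if exclude else set()
    return [p for p in base if p not in excluded]
```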