Datacenter to datacenter Security
This feature is only available in theEnterprise Edition
This section includes information related to the _datacenter to datacenter replication_security.
For a general introduction to the datacenter to datacenter replication, pleaserefer to the Datacenter to datacenter replicationchapter.
Firewall settings
The components of ArangoSync use (TCP) network connections to communicate with each other.Below you’ll find an overview of these connections and the TCP ports that should be accessible.
The sync masters must be allowed to connect to the following componentswithin the same datacenter:
- ArangoDB agents and coordinators (default ports:
8531
and8529
) - Kafka brokers (only when using
kafka
type message queue) (default port9092
) - Sync workers (default port
8729
)Additionally the sync masters must be allowed to connect to the sync masters in the other datacenter.
- ArangoDB agents and coordinators (default ports:
By default the sync masters will operate on port 8629
.
The sync workers must be allowed to connect to the following components within the same datacenter:
- ArangoDB coordinators (default port
8529
) - Kafka brokers (only when using
kafka
type message queue) (default port9092
) - Sync masters (default port
8629
)By default the sync workers will operate on port8729
.
- ArangoDB coordinators (default port
Additionally (when using kafka
type message queue) the sync workers must be allowed toconnect to the Kafka brokers in the other datacenter.
- Kafka (when using
kafka
type message queue)
The kafka brokers must be allowed to connect to the following components within the same datacenter:
- Other kafka brokers (default port
9092
) - Zookeeper (default ports
2181
,2888
and3888
)The default port for kafka is9092
. The default kafka installation will also expose some prometheusmetrics on port7071
. To gain more insight into kafka open this port for your prometheusinstallation.
- Zookeeper (when using
kafka
type message queue)
The zookeeper agents must be allowed to connect to the following components within the same datacenter:
- Other zookeeper agentsThe setup here is a bit special as zookeeper uses 3 ports for different operations. All agents need tobe able to connect to all of these ports.
By default Zookeeper uses:
- port
2181
for client communication - port
2888
for follower communication - port
3888
for leader elections
Certificates
Digital certificates are used in many places in ArangoSync for both encryptionand authentication.
In ArangoSync all network connections are using Transport Layer Security (TLS),a set of protocols that ensure that all network traffic is encrypted.For this TLS certificates are used. The server side of the network connectionoffers a TLS certificate. This certificate is (often) verified by the client side of the networkconnection, to ensure that the certificate is signed by a trusted Certificate Authority (CA).This ensures the integrity of the server. In several places additional certificates are used for authentication. In those casesthe client side of the connection offers a client certificate (on top of an existing TLS connection).The server side of the connection uses the client certificate to authenticatethe client and (optionally) decides which rights should be assigned to the client.
Note: ArangoSync does allow the use of certificates signed by a well know CA (eg. verisign)however it is more convenient (and common) to use your own CA.
Formats
All certificates are x509 certificates with a public key, a private key andan optional chain of certificates used to sign the certificate. This chain istypically provided by the Certificate Authority (CA).Depending on their use, certificates stored in a different format.
The following formats are used:
- Public key only (
.crt
): A file that contains only the public key ofa certificate with an optional chain of parent certificates (public keys of certificatesused to signed the certificate).Since this format contains only public keys, it is not a problem if its contentsare exposed. It must still be store it in a safe place to avoid losing it. - Private key only (
.key
): A file that contains only the private key of a certificate.It is vital to protect these files and store them in a safe place. - Keyfile with public & private key (
.keyfile
): A file that contains the public key ofa certificate, an optional chain of parent certificates and a private key.Since this format also contains a private key, it is vital to protect these filesand store them in a safe place. - Java keystore (
.jks
): A file containing a set of public and private keys.It is possible to protect access to the content of this file using a keystore password.Since this format can contain private keys, it is vital to protect these filesand store them in a safe place (even when its content is protected with a keystore password).
Creating certificates
ArangoSync provides commands to create all certificates needed.
TLS server certificates
To create a certificate used for TLS servers in the keyfile format,you need the public key of the CA (—cacert
), the private key ofthe CA (—cakey
) and one or more hostnames (or IP addresses).Then run:
arangosync create tls keyfile \
--cacert=my-tls-ca.crt --cakey=my-tls-ca.key \
--host=<hostname> \
--keyfile=my-tls-cert.keyfile
Make sure to store the generated keyfile (my-tls-cert.keyfile
) in a safe place.
To create a certificate used for TLS servers in the crt & key format,you need the public key of the CA (—cacert
), the private key ofthe CA (—cakey
) and one or more hostnames (or IP addresses).Then run:
arangosync create tls certificate \
--cacert=my-tls-ca.crt --cakey=my-tls-ca.key \
--host=<hostname> \
--cert=my-tls-cert.crt \
--key=my-tls-cert.key \
Make sure to protect and store the generated files (my-tls-cert.crt
& my-tls-cert.key
) in a safe place.
Client authentication certificates
To create a certificate used for client authentication in the keyfile format,you need the public key of the CA (—cacert
), the private key ofthe CA (—cakey
) and one or more hostnames (or IP addresses) or email addresses.Then run:
arangosync create client-auth keyfile \
--cacert=my-client-auth-ca.crt --cakey=my-client-auth-ca.key \
[--host=<hostname> | --email=<emailaddress>] \
--keyfile=my-client-auth-cert.keyfile
Make sure to protect and store the generated keyfile (my-client-auth-cert.keyfile
) in a safe place.
CA certificates
To create a CA certificate used to sign TLS certificates, run:
arangosync create tls ca \
--cert=my-tls-ca.crt --key=my-tls-ca.key
Make sure to protect and store both generated files (my-tls-ca.crt
& my-tls-ca.key
) in a safe place.
To create a CA certificate used to sign client authentication certificates, run:
arangosync create client-auth ca \
--cert=my-client-auth-ca.crt --key=my-client-auth-ca.key
Make sure to protect and store both generated files (my-client-auth-ca.crt
& my-client-auth-ca.key
)in a safe place.Note: CA certificates have a much longer lifetime than normal certificates.Therefore even more care is needed to store them safely.
Renewing certificates
All certificates have meta information in them the limit their use in function,target & lifetime. A certificate created for client authentication (function) cannot be used as a TLS server certificate(same is true for the reverse). A certificate for host myserver
(target) cannot be used for host anotherserver
. A certificate that is valid until October 2017 (lifetime) cannot be used after October 2017.
If anything changes in function, target or lifetime you need a new certificate.
The procedure for creating a renewed certificate is the same as for creating a “first” certificate. After creating the renewed certificate the process(es) using them have to be updated.This mean restarting them. All ArangoSync components are designed to support stopping and startingsingle instances, but do not restart more than 1 instance at the same time.As soon as 1 instance has been restarted, give it some time to “catch up” before restartingthe next instance.