Encryption
hstream supported encryption between servers and clients using TLS, in this chapter, we will not introduce more details about TLS, instead, we will only show steps and configurations to enable it.
Steps
If you don't have any existed CA(Certificate Authority), you can create one locally, and TLS requires that each server have a key and the corresponding signed certificate, openssl is a good tool to generate them, after that, you need to configure the files paths in the servers and clients sides to enable it.
Create a local CA
Create or choose a directory for storing keys and certificates:
mkdir tls
cd tls
Create a database file and serial number file:
touch index.txt
echo 1000 > serial
Get the template openssl.cnf file(the template file is intended for testing and development, do not use it in the production environment directly):
wget https://raw.githubusercontent.com/hstreamdb/hstream/main/conf/openssl.cnf
Generate the CA key file:
openssl genrsa -aes256 -out ca.key.pem 4096
Generate the CA certificate file:
openssl req -config openssl.cnf -key ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out ca.cert.pem
Create key pair and sign certificate for a server
Here we only generate a key and certificate for one server, you should create them for all hstream servers that have a different hostname, or create a certificate including all hostnames(IP or DNS) in SANs.
Generate the server key file:
openssl genrsa -out server01.key.pem 2048
Generate the server certificate request, when you input Common Name, you should write the correct hostname(e.g., localhost):
openssl req -config openssl.cnf \
-key server01.key.pem -new -sha256 -out server01.csr.pem
generate the server certificate with the generated CA:
openssl ca -config openssl.cnf -extensions server_cert \
-days 1000 -notext -md sha256 \
-in server01.csr.pem -out signed.server01.cert.pem
Configure the server and clients
The options for servers:
# TLS options
#
# enable tls, which requires tls-key-path and tls-cert-path options
enable-tls: true
#
# key file path for tls, can be generated by openssl
tls-key-path: /path/to/the/server01.key.pem
# the signed certificate by CA for the key(tls-key-path)
tls-cert-path: /path/to/the/signed.server01.cert.pem
Java client:
HStreamClient.builder()
.serviceUrl(serviceUrl)
// optional, enable tls
.enableTls()
.tlsCaPath("/path/to/ca.cert.pem")
.build()