How To Enable Mutual TLS
FeatureBase supports Mutual TLS, which allows the client and the server to cryptographically verify each other and establish an encrypted connection. To enable encryption on every connection, FeatureBase is configured with a PEM-encoded TLS keypair. In addition, nodes in a FeatureBase cluster communicate internally over the Memberlist protocol, which can be configured with a shared 32-byte (256-bit) key to enable AES-256 symmetric encryption within the cluster.
To enable TLS, you will need to generate a TLS keypair for FeatureBase. For testing in a development environment, we recommend using Certstrap to generate the necessary keys; we do not recommend Certstrap for production use. Setting up a secure public key infrastructure is outside the scope of this document, but the following examples use Certstrap to bootstrap a certificate authority and create signed TLS keypairs for demonstration purposes.
Create a root CA for testing purposes:
certstrap init --common-name "auth.mybusiness.com"
Create and sign a keypair for FeatureBase:
certstrap request-cert --common-name "featurebase.mybusiness.com"
certstrap sign featurebase.mybusiness.com --CA auth.mybusiness.com
Create a 32-byte (256-bit) key to encrypt Memberlist (gossip) communication:
head -c 32 /dev/random > out/gossip.key
After running the previous commands, you should have the following files in a directory called “out”:
auth.mybusiness.com.crl
auth.mybusiness.com.crt
auth.mybusiness.com.key
featurebase.mybusiness.com.crt
featurebase.mybusiness.com.csr
featurebase.mybusiness.com.key
gossip.key
FeatureBase must be configured with the certificate and private key using environment variables, a configuration file, or command line parameters. Internal etcd cluster communication does not currently support TLS, but that’s coming soon.
[tls]
certificate = "/path/to/featurebase.mybusiness.com.crt"
key = "/path/to/featurebase.mybusiness.com.key"
You must also update your bind configuration to use the
bind = "https://YOUR-DOMAIN-HERE:10101"
bind-grpc = "https://YOUR-DOMAIN-HERE:20101"
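The following Go program is an added example, not code from FeatureBase or Certstrap, showing what "mutual" means for the keypairs produced above: the server presents the keypair signed by the CA, demands a client certificate and accepts it only if it chains to that same CA, while the client verifies the server against the CA and the expected hostname. It uses only the standard library. The `issue` function is an in-process stand-in for `certstrap init` and `certstrap sign`; the hostnames other than `auth.mybusiness.com` and `featurebase.mybusiness.com` (`client.mybusiness.com`, `other-ca.example`) are assumed for the demonstration, and the handshake runs over a loopback TCP port rather than FeatureBase's own listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a P-256 keypair and certificate for cn: a self-signed CA when parent is nil (the
// job of "certstrap init"), otherwise a leaf signed by parent ("certstrap sign"). Demo stand-in.
func issue(cn string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil { // CA: may sign certificates; no extended-key-usage restriction
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else { // leaf: usable on either side of a mutual handshake
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs one handshake over loopback TCP: the server demands a client certificate
// chaining to ca, and the client verifies the server against ca and its expected hostname.
// client == nil models a client with no keypair. Reports whether both sides accepted.
func handshake(ca, server tls.Certificate, client *tls.Certificate) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// ClientAuth: RequireAndVerifyClientCert is the setting that makes the connection mutual.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "featurebase.mybusiness.com"}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			_, err = conn.Write([]byte("ok")) // the first Write drives the server-side handshake
			conn.Close()
		}
		srvDone <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		_, err = c.Read(make([]byte, 2)) // TLS 1.3: the server's verdict on the client cert arrives only here
		c.Close()
	} else {
		ln.Close() // nothing will connect; unblock Accept so the goroutine can report
	}
	err = errors.Join(err, <-srvDone)
	return err == nil, err
}

func main() {
	ca, e1 := issue("auth.mybusiness.com", nil)
	server, e2 := issue("featurebase.mybusiness.com", &ca)
	client, e3 := issue("client.mybusiness.com", &ca) // assumed client identity
	otherCA, e4 := issue("other-ca.example", nil)     // a CA FeatureBase was not configured to trust
	rogue, e5 := issue("client.mybusiness.com", &otherCA)
	if err := errors.Join(e1, e2, e3, e4, e5); err != nil {
		panic(err)
	}
	ok, err := handshake(ca, server, &client)
	fmt.Println("client signed by our CA accepted:", ok, err)
	ok, err = handshake(ca, server, nil)
	fmt.Println("client with no certificate accepted:", ok, err)
	ok, err = handshake(ca, server, &rogue)
	fmt.Println("client signed by another CA accepted:", ok, err)
}
```

Only the first handshake succeeds: the client without a keypair is refused with "client didn't provide a certificate", and the one whose certificate chains to an unrelated CA fails verification even though its common name matches. The same three checks are worth repeating against a real deployment with the files from the `out` directory, because a server that merely presents its own certificate, without also requiring and verifying the client's, is TLS but not mutual TLS.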
© 2022 Molecula Corp. (DBA FeatureBase). All rights reserved.