How do I set up mutual TLS authentication?
FeatureBase is configured with a PEM-encoded TLS keypair and supports mutual TLS so that client and server nodes can:
- cryptographically verify each other
- establish an encrypted connection
FeatureBase clusters communicate using the memberlist Go library.
Enable AES-256 encryption on your FeatureBase cluster by configuring a 32-bit shared key using the memberlist protocol.
etcd cluster communication does not currently support TLS.
Table of contents
- Before you begin
- Create a testing certificate
- Update FeatureBase configuration
Before you begin
- Learn about TLS (Transport Layer Security)
- Learn about AES (Advanced Encryption Standard)
- Learn about the Memberlist Go library
- Learn how to enable FeatureBase Community authentication
Create a testing certificate
certstrap can be used for testing purposes but is NOT recommended for production environments.
Step 1 - Create a root CA
- Open a CLI and enter the following command:
certstrap init --common-name "auth.mybusiness.com"
Step 2 - Create and sign a keypair for FeatureBase:
- Run the following commands:
certstrap request-cert --common-name "featurebase.mybusiness.com"
certstrap sign featurebase.mybusiness.com --CA auth.mybusiness.com
Step 3 - Create a Memberlist 32-bit key
Create a 32-bit key to encrypt Memberlist (gossip) communication:
head -c 32 /dev/random > out/gossip.key
Step 4 - Verify files have been generated
Verify the following files have been created in the
Step 5 - Update FeatureBase bind configuration
Update the FeatureBase bind configuration to use the
bind = "featurebase-hostname-or-ip:10101"
bind-grpc = "featurebase-hostname-or-ip:10101"
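The following script is an added example, not part of the FeatureBase documentation or the certstrap project. It drives steps 1 through 4 above and, before FeatureBase is pointed at the files, checks what came out: that the gossip key is exactly 32 bytes (256 bits, the key length AES-256 uses), that the node certificate validates against the test CA, and that the private key actually belongs to the certificate. It assumes certstrap and openssl are on PATH, that certstrap writes into ./out and names files after the common name, that the --passphrase and --domain flags of a recent certstrap release are available, and that the hostnames are placeholders for your own.

```shell
#!/bin/sh
# Added example (not from the FeatureBase docs): run the certstrap steps and
# verify the artifacts before configuring FeatureBase with them.
# Assumptions: certstrap and openssl on PATH; certstrap writes to ./out and
# names files after the common name; hostnames below are placeholders.
set -eu

CA_CN="auth.mybusiness.com"
NODE_CN="featurebase.mybusiness.com"
OUT_DIR="out"

# Steps 1 and 2: root CA plus a signed node keypair. --passphrase "" skips
# the interactive prompt; a key FeatureBase must read at start-up cannot be
# passphrase-protected anyway. --domain puts the hostname in the SAN, which
# modern TLS clients check instead of the CN.
make_test_certs() {
  certstrap init --common-name "$CA_CN" --passphrase ""
  certstrap request-cert --common-name "$NODE_CN" --domain "$NODE_CN" --passphrase ""
  certstrap sign "$NODE_CN" --CA "$CA_CN"
}

# Step 3: 32 random bytes (256 bits). /dev/urandom never blocks.
make_gossip_key() {
  key_path="$1"
  head -c 32 /dev/urandom > "$key_path"
  chmod 600 "$key_path"   # the key is a shared secret; keep it owner-readable only
}

# Returns 0 if the key file is exactly 32 bytes, 1 otherwise.
check_gossip_key() {
  size=$(wc -c < "$1" | tr -d '[:space:]')
  [ "$size" -eq 32 ]
}

# Step 4: files exist, the chain validates, and the key matches the cert.
check_certs() {
  ca_crt="$OUT_DIR/$CA_CN.crt"
  node_crt="$OUT_DIR/$NODE_CN.crt"
  node_key="$OUT_DIR/$NODE_CN.key"
  for f in "$ca_crt" "$node_crt" "$node_key"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  # Does the node certificate chain to the test CA?
  openssl verify -CAfile "$ca_crt" "$node_crt" >/dev/null || return 1
  # Does the private key correspond to the certificate's public key?
  cert_pub=$(openssl x509 -in "$node_crt" -pubkey -noout)
  key_pub=$(openssl pkey -in "$node_key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$node_crt" -noout -subject -dates
}

# Run the whole procedure only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  make_test_certs
  make_gossip_key "$OUT_DIR/gossip.key"
  check_gossip_key "$OUT_DIR/gossip.key"
  check_certs
  echo "ok: certificates and gossip key ready in $OUT_DIR"
fi
```

After a successful run, out/featurebase.mybusiness.com.crt and out/featurebase.mybusiness.com.key are the values for the certificate and key settings in the [tls] configuration section, and out/gossip.key is the Memberlist key. If check_certs reports a key mismatch, the usual cause is a request-cert that was re-run after signing, leaving a fresh key beside a stale certificate; sign again before deploying.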
Update FeatureBase configuration
The certificate and private keys can be added to FeatureBase configuration using environment variables, a configuration file or command line parameters.
Add certificates using environment variables
Add certificates using a TOML configuration file
[tls]
certificate = "/path/to/featurebase.mybusiness.com.crt"
key = "/path/to/featurebase.mybusiness.com.key"