Skip to main content Link Menu Expand (external link) Document Search Copy Copied

How do I set up mutual TLS authentication?

FeatureBase is configured with a PEM-encoded TLS keypair and supports Mutual TLS so client server nodes can:

  • cryptographically verify each other
  • establish an encrypted connection

FeatureBase clusters communicate using the memberlist go library.

Enable AES-256 encryption on your FeatureBase cluster by configuring a 32-bit shared key using the memberlist protocol.

Internal etcd cluster communication does not currently support TLS.

Table of contents

Before you begin

Create a testing certificate

CERTSTRAP can be used for testing purposes but is NOT recommended for production environments.

Step 1 - Create a root CA

  • Open a CLI and enter the following command
    certstrap init --common-name ""

Step 2 - Create and sign a keypair for FeatureBase:

  • Run the following command:
    certstrap request-cert --common-name ""
    certstrap sign --CA

Step 3 - create a Memberlist 32-bit key

Create a 32-bit key to encrypt Memberlist (gossip) communication:

    head -c 32 /dev/random > out/gossip.key

Step 4 - verify files have been generated

Verify the following files have been created in the /dev/random directory:

  • gossip.key

Step 5 - Update FeatureBase bind configuration

Update the FeatureBase bind configuration to use the https scheme.

bind = "featurebase-hostname-or-ip:10101"
bind-grpc = "featurebase-hostname-or-ip:10101"

Update FeatureBase configuration

The certificate and private keys can be added to FeatureBase configuration using environment variables, a configuration file or command line parameters.

Add certificates using environment variables

Add certificates using a toml configuration file

      certificate = "/path/to/"
      key = "/path/to/"