[druid-user] Druid TLS support

Hi Druid user Group,

I am using 0.22.1 and want to enable TLS certificates on the Druid cluster, set up through the following parameters, as I found on the Druid forums.

druid.enablePlaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=imply-keystore.jks
druid.server.https.keyStorePassword=imply123 # replace with your own password
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=imply-truststore.jks
druid.client.https.trustStorePassword=imply123 # replace with your own password

I have a few questions:

1: Is Druid TLS support optional for the client? Meaning, Druid is used by different applications; if I enable the TLS certificate on the Druid side, will the applications still work fine or not?

2: Also, for “StorePath”, is there any specific path to store the files? I have CentOS Linux.

3: If I want to enable the client for TLS, are the following parameters the minimum required?

druid.server.https.requireClientCertificate=true
druid.server.https.requestClientCertificate=true
druid.server.https.trustStoreType=java.security.KeyStore.getDefaultType()
druid.server.https.trustStorePath
druid.server.https.trustStorePassword

Thanks

Hi,

1: Is Druid TLS support optional for the client?

I think your client will need to connect via the TLS port and will need to provide the certificate.

2: Also, for “StorePath”, is there any specific path to store the files?

Just quoting the docs for druid.server.https.trustStorePath here:

The file path or URL of the trust store containing certificates used to validate client certificates.

3: If I want to enable the client for TLS, are the following parameters the minimum required?

Those parameters should work. Just make sure that they’re set on both the broker and router.

Best,

Mark

My two cents on top of Mark’s reply.

1: If you use a CA-signed certificate, then most likely you will not face any challenges in your application. But again, it depends on the kind of application. Most modern platforms/tools keep an up-to-date version of the CA certificates, so you will not face any issues.

Thanks Mark and Tijo,

I have another question. Is there any way to configure TLS on a different port so that the application/client is not impacted? If yes, what are the steps, or is there any reference doc?

Regards

Hi Tariq,

Mark has provided the doc reference in his earlier mail. Just mentioning it again here. You could configure druid.tlsPort to the port you like in each service's runtime.properties file.

Mark,
As you mentioned, the client needs to connect through TLS and provide a certificate, which is fine in my case. My other question is that I don't want to enable TLS on the default port for the broker (8082).
What I want to do is enable TLS on another port on the broker/router by using druid.tlsPort=8283. My question is, if I do this, will my default broker port (8082) still work for the application without TLS, or will my application, which uses the broker port, require TLS authentication?
What I am planning to do is enable TLS on the Druid side on a different port so the application keeps working with the default port (8082), and later move the application from the default port to the new TLS-enabled port.
Sorry if I have made it complex for you :slight_smile:
Regards

Hi Tariq ,

This is not complex at all, it makes perfect sense.

You may set `druid.enablePlaintextPort = true`; then the application connecting to 8082 without TLS works, and over a period of time, once all the apps are migrated to TLS, you may disable the plaintext port.

Hi Tijo,
Thanks for the response. I think I could not explain it properly earlier.
What I want to do is first enable TLS with the following parameters on the Broker/Router:

druid.tlsPort=8282 (default TLS port for broker)
druid.plaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=imply-keystore.jks
druid.server.https.keyStorePassword=passord456
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=imply-truststore.jks
druid.client.https.trustStorePassword=password456

Then I want to know whether the application/client will work on the default broker port (8082) or not, and whether the other Druid components keep working on these ports (8081, 8888, 8090)?
If the application/client works, then in the 2nd stage I will reconfigure the app or client to work on 8282 with TLS.
Regards
-Tariq
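As an added illustration, not part of the thread and not Druid's own code: a small Python checker for the TLS-related properties discussed above, covering both Tijo's migration advice (keep the plaintext listener on until clients have moved) and the broker config in the last message. It reads a runtime.properties fragment (the sample below is constructed to mirror that last config) and reports the points the thread turns on: `druid.plaintextPort` is a port number, not a switch (the plaintext listener is turned off with `druid.enablePlaintextPort=false`, which Druid defaults to true, while `druid.enableTlsPort` defaults to false); a trailing `# comment` on a property line becomes part of the value in a Java properties file, so the keystore password would literally contain the comment; and with both listeners enabled, clients on the plaintext port keep working while they are migrated to the TLS port. The property names come from the thread and the Druid docs; the sample values, function names and checker logic are my own.

```python
"""Lint the TLS-related settings in a Druid runtime.properties fragment.

Added example for this thread; not Druid's own code. Property names are the
ones used in the thread and the Druid docs; the sample below is constructed.
"""

# Constructed sample: the broker config posted last in the thread, including
# the `druid.plaintextPort=false` line (a port property given a boolean).
SAMPLE_BROKER_PROPERTIES = """\
druid.tlsPort=8282
druid.plaintextPort=false
druid.enableTlsPort=true
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=imply-keystore.jks
druid.server.https.keyStorePassword=password456
druid.server.https.certAlias=druid
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=imply-truststore.jks
druid.client.https.trustStorePassword=password456
"""

BOOL_PROPS = (
    "druid.enablePlaintextPort",
    "druid.enableTlsPort",
    "druid.server.https.requireClientCertificate",
    "druid.server.https.requestClientCertificate",
)
PORT_PROPS = ("druid.plaintextPort", "druid.tlsPort")


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value per line; lines starting
    with '#' or '!' are comments. Java has no inline comments, so a trailing
    ' # ...' stays inside the value (check_tls_config reports that)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def valid_port(value):
    return value.isdigit() and 0 < int(value) < 65536


def as_bool(props, key, default):
    value = props.get(key)
    return default if value is None else value.lower() == "true"


def check_tls_config(props):
    """Return (severity, message) findings; severity is 'error' or 'info'."""
    findings = []
    for key in BOOL_PROPS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(("error", f"{key} must be true or false, got {props[key]!r}"))
    for key in PORT_PROPS:
        if key in props and not valid_port(props[key]):
            hint = (" (to switch the plaintext listener off, use druid.enablePlaintextPort=false)"
                    if key == "druid.plaintextPort" else "")
            findings.append(("error", f"{key} must be a TCP port number, got {props[key]!r}{hint}"))
    for key, value in props.items():
        if "#" in value:
            findings.append(("error", f"{key} contains '#': Java properties have no inline "
                                      f"comments, the value would literally be {value!r}"))
    if valid_port(props.get("druid.plaintextPort", "")) and \
            props["druid.plaintextPort"] == props.get("druid.tlsPort"):
        findings.append(("error", "druid.plaintextPort and druid.tlsPort must differ"))

    plaintext = as_bool(props, "druid.enablePlaintextPort", True)  # Druid default: true
    tls = as_bool(props, "druid.enableTlsPort", False)              # Druid default: false
    if not plaintext and not tls:
        findings.append(("error", "both listeners disabled: the service would accept no connections"))
    if tls:
        for key in ("druid.server.https.keyStorePath", "druid.server.https.keyStorePassword"):
            if not props.get(key):
                findings.append(("error", f"{key} is required when druid.enableTlsPort=true"))
        if as_bool(props, "druid.server.https.requireClientCertificate", False) \
                and not props.get("druid.server.https.trustStorePath"):
            findings.append(("error", "requireClientCertificate=true needs "
                                      "druid.server.https.trustStorePath on the server"))
    if plaintext and tls:
        plain = props.get("druid.plaintextPort", "")
        plain = plain if valid_port(plain) else "service default"
        findings.append(("info", f"plaintext port ({plain}) stays open without TLS; clients can "
                                 f"move to the TLS port one at a time"))
    elif tls:
        findings.append(("info", "plaintext listener disabled: every client must use the TLS port"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tls_config(parse_properties(SAMPLE_BROKER_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run it against each service's runtime.properties before restarting, since a rejected or mistyped value on one service (broker, router, coordinator) is easier to spot in a lint pass than in a failed startup. The checker is a lint, not a substitute for checking the listener with a TLS client after the restart.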