| <!doctype html> |
| <html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-operations/tls-support"> |
| <head> |
| <meta charset="UTF-8"> |
| <meta name="generator" content="Docusaurus v2.4.1"> |
| <title data-rh="true">TLS support | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/latest/operations/tls-support"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="TLS support | Apache® Druid"><meta data-rh="true" name="description" content="<!--"><meta data-rh="true" property="og:description" content="<!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/latest/operations/tls-support"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/operations/tls-support" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/operations/tls-support" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com"> |
| <link rel="preconnect" href="https://www.googletagmanager.com"> |
| <script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script> |
| <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script> |
| |
| |
| |
| |
| <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css"> |
| <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.546f39eb.css"> |
| <link rel="preload" href="/assets/js/runtime~main.4c9a7172.js" as="script"> |
| <link rel="preload" href="/assets/js/main.3a5ab01b.js" as="script"> |
| </head> |
| <body class="navigation-with-keyboard"> |
| <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus"> |
| <div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top navbar--dark"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--dark_i4oU"></div></a></div><div class="navbar__items navbar__items--right"><a class="navbar__item navbar__link" href="/technology">Technology</a><a class="navbar__item navbar__link" href="/use-cases">Use Cases</a><a class="navbar__item navbar__link" href="/druid-powered">Powered By</a><a class="navbar__item navbar__link" href="/docs/latest/design/">Docs</a><a class="navbar__item navbar__link" href="/community/">Community</a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache®</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Foundation<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://apachecon.com/?ref=druid.apache.org" target="_blank" rel="noopener noreferrer" class="dropdown__link">Events<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">License<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Thanks<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Security<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Sponsorship<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><a class="navbar__item navbar__link" href="/downloads/">Download</a><div class="searchBox_ZlJk"><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" tabindex="0"></span><input type="search" id="search_input_react" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/design/">Getting started</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/tutorials/tutorial-msq-extern">Tutorials</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/design/architecture">Design</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/ingestion/">Ingestion</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/data-management/">Data management</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/querying/sql">Querying</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/api-reference/">API reference</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/configuration/">Configuration</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" href="/docs/latest/operations/web-console">Operations</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/web-console">Web console</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/java">Java runtime</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/durable-storage">Durable storage</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" tabindex="0" href="/docs/latest/operations/security-overview">Security</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/security-overview">Security overview</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/security-user-auth">User authentication and authorization</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/auth-ldap">LDAP auth</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/password-provider">Password providers</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/dynamic-config-provider">Dynamic Config Providers</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/docs/latest/operations/tls-support">TLS support</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/docs/latest/operations/basic-cluster-tuning">Performance tuning</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/docs/latest/operations/request-logging">Monitoring</a></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/high-availability">High availability</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/rolling-updates">Rolling updates</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/rule-configuration">Using rules to drop and retain data</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/migrate-from-firehose">Migrate from firehose</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/latest/operations/other-hadoop">Working with different versions of Apache Hadoop</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/docs/latest/operations/dump-segment">Misc</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/development/overview">Development</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/latest/misc/papers-and-talks">Misc</a></div></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Operations</span><meta itemprop="position" content="1"></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Security</span><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">TLS support</span><meta itemprop="position" content="3"></li></ul></nav><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>TLS support</h1></header><h2 class="anchor anchorWithStickyNavbar_LWe7" id="general-configuration">General configuration<a href="#general-configuration" class="hash-link" aria-label="Direct link to General configuration" title="Direct link to General configuration"></a></h2><table><thead><tr><th>Property</th><th>Description</th><th>Default</th></tr></thead><tbody><tr><td><code>druid.enablePlaintextPort</code></td><td>Enable/Disable HTTP connector.</td><td><code>true</code></td></tr><tr><td><code>druid.enableTlsPort</code></td><td>Enable/Disable HTTPS connector.</td><td><code>false</code></td></tr></tbody></table><p>Although not recommended, the HTTP and HTTPS connectors can both be enabled at a time. The respective ports are configurable using <code>druid.plaintextPort</code> |
| and <code>druid.tlsPort</code> properties on each process. Please see <code>Configuration</code> section of individual processes to check the valid and default values for these ports.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="jetty-server-configuration">Jetty server configuration<a href="#jetty-server-configuration" class="hash-link" aria-label="Direct link to Jetty server configuration" title="Direct link to Jetty server configuration"></a></h2><p>Apache Druid uses Jetty as its embedded web server. </p><p>To get familiar with TLS/SSL, along with related concepts like keys and certificates, |
| read <a href="https://www.eclipse.org/jetty/documentation/jetty-12/operations-guide/index.html#og-protocols-ssl" target="_blank" rel="noopener noreferrer">Configuring Secure Protocols</a> in the Jetty documentation. |
| To get more in-depth knowledge of TLS/SSL support in Java in general, refer to the <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html" target="_blank" rel="noopener noreferrer">Java Secure Socket Extension (JSSE) Reference Guide</a>. |
| The <a href="https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/util/ssl/SslContextFactory.html" target="_blank" rel="noopener noreferrer">Class SslContextFactory</a> |
| reference doc can help in understanding TLS/SSL configurations listed below. Finally, <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html" target="_blank" rel="noopener noreferrer">Java Cryptography Architecture |
| Standard Algorithm Name Documentation for JDK 8</a> lists all possible |
| values for the configs below, among others provided by Java implementation.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.keyStorePath</code></td><td>The file path or URL of the TLS/SSL Key store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.keyStoreType</code></td><td>The type of the key store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.certAlias</code></td><td>Alias of TLS/SSL certificate for the connector.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.keyStorePassword</code></td><td>The <a href="/docs/latest/operations/password-provider">Password Provider</a> or String password for the Key Store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.reloadSslContext</code></td><td>Should Druid server detect Key Store file change and reload.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.reloadSslContextSeconds</code></td><td>How frequently should Druid server scan for Key Store file change.</td><td>60</td><td>yes</td></tr></tbody></table><p>The following table contains configuration options related to client certificate authentication.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.requireClientCertificate</code></td><td>If set to true, clients must identify themselves by providing a TLS certificate, without which connections will fail.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.requestClientCertificate</code></td><td>If set to true, clients may optionally identify themselves by providing a TLS certificate. Connections will not fail if TLS certificate is not provided. This property is ignored if <code>requireClientCertificate</code> is set to true. If <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false, the rest of the options in this table are ignored.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.trustStoreType</code></td><td>The type of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td><code>java.security.KeyStore.getDefaultType()</code></td><td>no</td></tr><tr><td><code>druid.server.https.trustStorePath</code></td><td>The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>none</td><td>yes, only if <code>requireClientCertificate</code> is true</td></tr><tr><td><code>druid.server.https.trustStoreAlgorithm</code></td><td>Algorithm to be used by TrustManager to validate client certificate chains. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td><code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code></td><td>no</td></tr><tr><td><code>druid.server.https.trustStorePassword</code></td><td>The <a href="/docs/latest/operations/password-provider">password provider</a> or String password for the Trust Store. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>none</td><td>no</td></tr><tr><td><code>druid.server.https.validateHostnames</code></td><td>If set to true, check that the client's hostname matches the CN/subjectAltNames in the client certificate. Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>true</td><td>no</td></tr><tr><td><code>druid.server.https.crlPath</code></td><td>Specifies a path to a file containing static <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list" target="_blank" rel="noopener noreferrer">Certificate Revocation Lists</a>, used to check if a client certificate has been revoked. Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>null</td><td>no</td></tr></tbody></table><p>The following table contains non-mandatory advanced configuration options, use caution.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.keyManagerFactoryAlgorithm</code></td><td>Algorithm to use for creating KeyManager, more details <a href="https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManager" target="_blank" rel="noopener noreferrer">here</a>.</td><td><code>javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()</code></td><td>no</td></tr><tr><td><code>druid.server.https.keyManagerPassword</code></td><td>The <a href="/docs/latest/operations/password-provider">Password Provider</a> or String password for the Key Manager.</td><td>none</td><td>no</td></tr><tr><td><code>druid.server.https.includeCipherSuites</code></td><td>List of cipher suite names to include. You can either use the exact cipher suite name or a regular expression.</td><td>Jetty's default include cipher list</td><td>no</td></tr><tr><td><code>druid.server.https.excludeCipherSuites</code></td><td>List of cipher suite names to exclude. You can either use the exact cipher suite name or a regular expression.</td><td>Jetty's default exclude cipher list</td><td>no</td></tr><tr><td><code>druid.server.https.includeProtocols</code></td><td>List of exact protocols names to include.</td><td>Jetty's default include protocol list</td><td>no</td></tr><tr><td><code>druid.server.https.excludeProtocols</code></td><td>List of exact protocols names to exclude.</td><td>Jetty's default exclude protocol list</td><td>no</td></tr></tbody></table><h2 class="anchor anchorWithStickyNavbar_LWe7" id="internal-communication-over-tls">Internal communication over TLS<a href="#internal-communication-over-tls" class="hash-link" aria-label="Direct link to Internal communication over TLS" title="Direct link to Internal communication over TLS"></a></h2><p>Whenever possible Druid processes will use HTTPS to talk to each other. To enable this communication Druid's HttpClient needs to |
| be configured with a proper <a href="http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html" target="_blank" rel="noopener noreferrer">SSLContext</a> that is able |
| to validate the Server Certificates, otherwise communication will fail.</p><p>Since, there are various ways to configure SSLContext, by default, Druid looks for an instance of SSLContext Guice binding |
| while creating the HttpClient. This binding can be achieved writing a <a href="/docs/latest/configuration/extensions">Druid extension</a> |
| which can provide an instance of SSLContext. Druid comes with a simple extension present <a href="/docs/latest/development/extensions-core/simple-client-sslcontext">here</a> |
| which should be useful enough for most simple cases, see <a href="/docs/latest/configuration/extensions#loading-extensions">this</a> for how to include extensions. |
| If this extension does not satisfy the requirements then please follow the extension <a href="https://github.com/apache/druid/tree/master/extensions-core/simple-client-sslcontext" target="_blank" rel="noopener noreferrer">implementation</a> |
| to create your own extension.</p><p>When Druid Coordinator/Overlord have both HTTP and HTTPS enabled and Client sends request to non-leader process, then Client is always redirected to the HTTPS endpoint on leader process. |
| So, Clients should be first upgraded to be able to handle redirect to HTTPS. Then Druid Overlord/Coordinator should be upgraded and configured to run both HTTP and HTTPS ports. Then Client configuration should be changed to refer to Druid Coordinator/Overlord via the HTTPS endpoint and then HTTP port on Druid Coordinator/Overlord should be disabled.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="custom-certificate-checks">Custom certificate checks<a href="#custom-certificate-checks" class="hash-link" aria-label="Direct link to Custom certificate checks" title="Direct link to Custom certificate checks"></a></h2><p>Druid supports custom certificate check extensions. Please refer to the <code>org.apache.druid.server.security.TLSCertificateChecker</code> interface for details on the methods to be implemented.</p><p>To use a custom TLS certificate checker, specify the following property:</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.tls.certificateChecker</code></td><td>Type name of custom TLS certificate checker, provided by extensions. Please refer to extension documentation for the type name that should be specified.</td><td>"default"</td><td>no</td></tr></tbody></table><p>The default checker delegates to the standard trust manager and performs no additional actions or checks.</p><p>If using a non-default certificate checker, please refer to the extension documentation for additional configuration properties needed.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/docs/latest/operations/dynamic-config-provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Dynamic Config Providers</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/docs/latest/operations/basic-cluster-tuning"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Basic cluster tuning</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#general-configuration" class="table-of-contents__link toc-highlight">General configuration</a></li><li><a href="#jetty-server-configuration" class="table-of-contents__link toc-highlight">Jetty server configuration</a></li><li><a href="#internal-communication-over-tls" class="table-of-contents__link toc-highlight">Internal communication over TLS</a></li><li><a href="#custom-certificate-checks" class="table-of-contents__link toc-highlight">Custom certificate checks</a></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div> |
| <script src="/assets/js/runtime~main.4c9a7172.js"></script> |
| <script src="/assets/js/main.3a5ab01b.js"></script> |
| </body> |
| </html> |