<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-operations/tls-support">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.1">
<title data-rh="true">TLS support | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/27.0.0/operations/tls-support"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="TLS support | Apache® Druid"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/27.0.0/operations/tls-support"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/operations/tls-support" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/operations/tls-support" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com">
<!-- Early connection hint for the Google Tag Manager origin that serves the analytics loader below. -->
<link rel="preconnect" href="https://www.googletagmanager.com">
<!-- Google Analytics loader, fetched asynchronously from a third-party origin. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<!-- Inline gtag bootstrap: creates window.dataLayer when it is absent and queues the "js" and "config" calls on it.
     NOTE(review): an inline script needs a nonce, a hash or 'unsafe-inline' under a Content-Security-Policy; confirm against the site's policy. -->
<script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>
<!-- NOTE(review): the two third-party assets below carry a version in their URL (Font Awesome 5.7.2 CSS, clipboard.js 2.0.4)
     but have no integrity or crossorigin attributes, so the browser does not verify their content.
     Subresource Integrity hashes would pin them to the expected bytes. -->
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.f80751b3.css">
<!-- Preload hints for the two same-origin bundles that the script tags at the end of the body load. -->
<link rel="preload" href="/assets/js/runtime~main.5371e784.js" as="script">
<link rel="preload" href="/assets/js/main.832012d1.js" as="script">
</head>
<body class="navigation-with-keyboard">
<!-- Theme bootstrap: takes the theme from the "docusaurus-theme" query parameter, else from localStorage "theme",
     else "light", and writes it to the data-theme attribute of the root element.
     The query-parameter value is used unvalidated, but it only reaches setAttribute, so it is stored as an
     attribute value and is not parsed as markup. -->
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top navbar--dark"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--dark_i4oU"></div></a></div><div class="navbar__items navbar__items--right"><a class="navbar__item navbar__link" href="/technology">Technology</a><a class="navbar__item navbar__link" href="/use-cases">Use Cases</a><a class="navbar__item navbar__link" href="/druid-powered">Powered By</a><a class="navbar__item navbar__link" href="/docs/27.0.0/design/">Docs</a><a class="navbar__item navbar__link" href="/community/">Community</a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache®</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Foundation<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://apachecon.com/?ref=druid.apache.org" target="_blank" rel="noopener noreferrer" class="dropdown__link">Events<svg width="12" 
height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">License<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Thanks<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Security<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Sponsorship<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><a class="navbar__item navbar__link" href="/downloads/">Download</a><div class="searchBox_ZlJk"><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" 
tabindex="0"></span><input type="search" id="search_input_react" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/design/">Getting started</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/tutorials/tutorial-msq-extern">Tutorials</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/design/architecture">Design</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" 
href="/docs/27.0.0/ingestion/">Ingestion</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/data-management/">Data management</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/querying/sql">Querying</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/api-reference/">API reference</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/configuration/">Configuration</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" href="/docs/27.0.0/operations/web-console">Operations</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/web-console">Web console</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 
menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/java">Java runtime</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/durable-storage">Durable storage</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" tabindex="0" href="/docs/27.0.0/operations/security-overview">Security</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/security-overview">Security overview</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/security-user-auth">User authentication and authorization</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/auth-ldap">LDAP auth</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/password-provider">Password providers</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/dynamic-config-provider">Dynamic Config Providers</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/docs/27.0.0/operations/tls-support">TLS support</a></li></ul></li><li 
class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/docs/27.0.0/operations/basic-cluster-tuning">Performance tuning</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/docs/27.0.0/operations/request-logging">Monitoring</a></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/high-availability">High availability</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/rolling-updates">Rolling updates</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/rule-configuration">Using rules to drop and retain data</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/migrate-from-firehose">Migrate from firehose</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/docs/27.0.0/operations/other-hadoop">Working with different versions of Apache Hadoop</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" 
aria-expanded="false" tabindex="0" href="/docs/27.0.0/operations/dump-segment">Misc</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/development/overview">Development</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/27.0.0/misc/papers-and-talks">Misc</a></div></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Operations</span><meta itemprop="position" content="1"></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Security</span><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">TLS support</span><meta itemprop="position" 
content="3"></li></ul></nav><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>TLS support</h1></header><h2 class="anchor anchorWithStickyNavbar_LWe7" id="general-configuration">General configuration<a href="#general-configuration" class="hash-link" aria-label="Direct link to General configuration" title="Direct link to General configuration"></a></h2><table><thead><tr><th>Property</th><th>Description</th><th>Default</th></tr></thead><tbody><tr><td><code>druid.enablePlaintextPort</code></td><td>Enable/Disable HTTP connector.</td><td><code>true</code></td></tr><tr><td><code>druid.enableTlsPort</code></td><td>Enable/Disable HTTPS connector.</td><td><code>false</code></td></tr></tbody></table><p>Although not recommended, the HTTP and HTTPS connectors can both be enabled at the same time; while the HTTP connector stays enabled, clients can still connect without encryption. The respective ports are configurable using the <code>druid.plaintextPort</code>
and <code>druid.tlsPort</code> properties on each process. Please see the <code>Configuration</code> section of each process for the valid and default values of these ports.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="jetty-server-configuration">Jetty server configuration<a href="#jetty-server-configuration" class="hash-link" aria-label="Direct link to Jetty server configuration" title="Direct link to Jetty server configuration"></a></h2><p>Apache Druid uses Jetty as its embedded web server. </p><p>To get familiar with TLS/SSL, along with related concepts like keys and certificates,
read <a href="https://www.eclipse.org/jetty/documentation/jetty-12/operations-guide/index.html#og-protocols-ssl" target="_blank" rel="noopener noreferrer">Configuring Secure Protocols</a> in the Jetty documentation.
To get more in-depth knowledge of TLS/SSL support in Java in general, refer to the <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html" target="_blank" rel="noopener noreferrer">Java Secure Socket Extension (JSSE) Reference Guide</a>.
The <a href="https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/util/ssl/SslContextFactory.html" target="_blank" rel="noopener noreferrer">Class SslContextFactory</a>
reference doc can help in understanding TLS/SSL configurations listed below. Finally, <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html" target="_blank" rel="noopener noreferrer">Java Cryptography Architecture
Standard Algorithm Name Documentation for JDK 8</a> lists all possible
values for the configs below, among others provided by Java implementation.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.keyStorePath</code></td><td>The file path or URL of the TLS/SSL Key store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.keyStoreType</code></td><td>The type of the key store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.certAlias</code></td><td>Alias of TLS/SSL certificate for the connector.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.keyStorePassword</code></td><td>The <a href="/docs/27.0.0/operations/password-provider">Password Provider</a> or String password for the Key Store.</td><td>none</td><td>yes</td></tr><tr><td><code>druid.server.https.reloadSslContext</code></td><td>Should Druid server detect Key Store file change and reload.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.reloadSslContextSeconds</code></td><td>How frequently should Druid server scan for Key Store file change.</td><td>60</td><td>yes</td></tr></tbody></table><p>The following table contains configuration options related to client certificate authentication.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.requireClientCertificate</code></td><td>If set to true, clients must identify themselves by providing a TLS certificate, without which connections will fail.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.requestClientCertificate</code></td><td>If set to true, clients may optionally identify themselves by providing a TLS certificate. Connections will not fail if TLS certificate is not provided. This property is ignored if <code>requireClientCertificate</code> is set to true. 
If <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false, the rest of the options in this table are ignored.</td><td>false</td><td>no</td></tr><tr><td><code>druid.server.https.trustStoreType</code></td><td>The type of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td><code>java.security.KeyStore.getDefaultType()</code></td><td>no</td></tr><tr><td><code>druid.server.https.trustStorePath</code></td><td>The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>none</td><td>yes, only if <code>requireClientCertificate</code> is true</td></tr><tr><td><code>druid.server.https.trustStoreAlgorithm</code></td><td>Algorithm to be used by TrustManager to validate client certificate chains. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td><code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code></td><td>no</td></tr><tr><td><code>druid.server.https.trustStorePassword</code></td><td>The <a href="/docs/27.0.0/operations/password-provider">password provider</a> or String password for the Trust Store. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>none</td><td>no</td></tr><tr><td><code>druid.server.https.validateHostnames</code></td><td>If set to true, check that the client&#x27;s hostname matches the CN/subjectAltNames in the client certificate. 
Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>true</td><td>no</td></tr><tr><td><code>druid.server.https.crlPath</code></td><td>Specifies a path to a file containing static <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list" target="_blank" rel="noopener noreferrer">Certificate Revocation Lists</a>, used to check if a client certificate has been revoked. Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td><td>null</td><td>no</td></tr></tbody></table><p>The following table contains optional advanced configuration options. Use them with caution: the cipher suite and protocol lists default to Jetty&#x27;s own include and exclude lists, and overriding them can permit cipher suites or protocol versions that those defaults leave out.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.server.https.keyManagerFactoryAlgorithm</code></td><td>Algorithm to use for creating KeyManager, more details <a href="https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManager" target="_blank" rel="noopener noreferrer">here</a>.</td><td><code>javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()</code></td><td>no</td></tr><tr><td><code>druid.server.https.keyManagerPassword</code></td><td>The <a href="/docs/27.0.0/operations/password-provider">Password Provider</a> or String password for the Key Manager.</td><td>none</td><td>no</td></tr><tr><td><code>druid.server.https.includeCipherSuites</code></td><td>List of cipher suite names to include. You can either use the exact cipher suite name or a regular expression.</td><td>Jetty&#x27;s default include cipher list</td><td>no</td></tr><tr><td><code>druid.server.https.excludeCipherSuites</code></td><td>List of cipher suite names to exclude. 
You can either use the exact cipher suite name or a regular expression.</td><td>Jetty&#x27;s default exclude cipher list</td><td>no</td></tr><tr><td><code>druid.server.https.includeProtocols</code></td><td>List of exact protocols names to include.</td><td>Jetty&#x27;s default include protocol list</td><td>no</td></tr><tr><td><code>druid.server.https.excludeProtocols</code></td><td>List of exact protocols names to exclude.</td><td>Jetty&#x27;s default exclude protocol list</td><td>no</td></tr></tbody></table><h2 class="anchor anchorWithStickyNavbar_LWe7" id="internal-communication-over-tls">Internal communication over TLS<a href="#internal-communication-over-tls" class="hash-link" aria-label="Direct link to Internal communication over TLS" title="Direct link to Internal communication over TLS"></a></h2><p>Whenever possible Druid processes will use HTTPS to talk to each other. To enable this communication Druid&#x27;s HttpClient needs to
be configured with a proper <a href="http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html" target="_blank" rel="noopener noreferrer">SSLContext</a> that is able
to validate the Server Certificates, otherwise communication will fail.</p><p>Because there are various ways to configure an SSLContext, Druid by default looks for an SSLContext instance provided through a Guice binding
when it creates the HttpClient. You can supply this binding by writing a <a href="/docs/27.0.0/configuration/extensions">Druid extension</a>
that provides an instance of SSLContext. Druid comes with the <a href="/docs/27.0.0/development/extensions-core/simple-client-sslcontext">simple-client-sslcontext extension</a>,
which should be sufficient for most simple cases; see <a href="/docs/27.0.0/configuration/extensions#loading-extensions">Loading extensions</a> for how to include extensions.
If this extension does not meet your requirements, use its <a href="https://github.com/apache/druid/tree/master/extensions-core/simple-client-sslcontext" target="_blank" rel="noopener noreferrer">implementation</a> as a reference
to create your own extension.</p><p>When the Druid Coordinator/Overlord has both HTTP and HTTPS enabled and a client sends a request to a non-leader process, the client is always redirected to the HTTPS endpoint on the leader process.
So clients should be upgraded first, so that they can handle the redirect to HTTPS. Next, the Druid Overlord/Coordinator should be upgraded and configured to run both the HTTP and HTTPS ports. Then the client configuration should be changed to refer to the Druid Coordinator/Overlord via the HTTPS endpoint, and finally the HTTP port on the Druid Coordinator/Overlord should be disabled.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="custom-certificate-checks">Custom certificate checks<a href="#custom-certificate-checks" class="hash-link" aria-label="Direct link to Custom certificate checks" title="Direct link to Custom certificate checks"></a></h2><p>Druid supports custom certificate check extensions. Please refer to the <code>org.apache.druid.server.security.TLSCertificateChecker</code> interface for details on the methods to be implemented.</p><p>To use a custom TLS certificate checker, specify the following property:</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.tls.certificateChecker</code></td><td>Type name of custom TLS certificate checker, provided by extensions. 
Please refer to extension documentation for the type name that should be specified.</td><td>&quot;default&quot;</td><td>no</td></tr></tbody></table><p>The default checker delegates to the standard trust manager and performs no additional actions or checks.</p><p>If using a non-default certificate checker, please refer to the extension documentation for additional configuration properties needed.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/docs/27.0.0/operations/dynamic-config-provider"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Dynamic Config Providers</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/docs/27.0.0/operations/basic-cluster-tuning"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Basic cluster tuning</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#general-configuration" class="table-of-contents__link toc-highlight">General configuration</a></li><li><a href="#jetty-server-configuration" class="table-of-contents__link toc-highlight">Jetty server configuration</a></li><li><a href="#internal-communication-over-tls" class="table-of-contents__link toc-highlight">Internal communication over TLS</a></li><li><a href="#custom-certificate-checks" class="table-of-contents__link toc-highlight">Custom certificate checks</a></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div 
class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.5371e784.js"></script>
<script src="/assets/js/main.832012d1.js"></script>
</body>
</html>