| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| <meta name="description" content="Apache Druid"> |
| <meta name="keywords" content="druid,kafka,database,analytics,streaming,real-time,real time,apache,open source"> |
| <meta name="author" content="Apache Software Foundation"> |
| |
| <title>Druid | TLS Support</title> |
| |
| <link rel="alternate" type="application/atom+xml" href="/feed"> |
| <link rel="shortcut icon" href="/img/favicon.png"> |
| |
| <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css" integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous"> |
| |
| <link href='//fonts.googleapis.com/css?family=Open+Sans+Condensed:300,700,300italic|Open+Sans:300italic,400italic,600italic,400,300,600,700' rel='stylesheet' type='text/css'> |
| |
| <link rel="stylesheet" href="/css/bootstrap-pure.css?v=1.1"> |
| <link rel="stylesheet" href="/css/base.css?v=1.1"> |
| <link rel="stylesheet" href="/css/header.css?v=1.1"> |
| <link rel="stylesheet" href="/css/footer.css?v=1.1"> |
| <link rel="stylesheet" href="/css/syntax.css?v=1.1"> |
| <link rel="stylesheet" href="/css/docs.css?v=1.1"> |
| |
| <script> |
| (function() { |
| var cx = '000162378814775985090:molvbm0vggm'; |
| var gcse = document.createElement('script'); |
| gcse.type = 'text/javascript'; |
| gcse.async = true; |
| gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') + |
| '//cse.google.com/cse.js?cx=' + cx; |
| var s = document.getElementsByTagName('script')[0]; |
| s.parentNode.insertBefore(gcse, s); |
| })(); |
| </script> |
| |
| |
| </head> |
| |
| <body> |
| <!-- Start page_header include --> |
| <script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> |
| |
| <div class="top-navigator"> |
| <div class="container"> |
| <div class="left-cont"> |
| <a class="logo" href="/"><span class="druid-logo"></span></a> |
| </div> |
| <div class="right-cont"> |
| <ul class="links"> |
| <li class=""><a href="/technology">Technology</a></li> |
| <li class=""><a href="/use-cases">Use Cases</a></li> |
| <li class=""><a href="/druid-powered">Powered By</a></li> |
| <li class=""><a href="/docs/latest/design/">Docs</a></li> |
| <li class=""><a href="/community/">Community</a></li> |
| <li class="header-dropdown"> |
| <a>Apache</a> |
| <div class="header-dropdown-menu"> |
| <a href="https://www.apache.org/" target="_blank">Foundation</a> |
| <a href="https://www.apache.org/events/current-event" target="_blank">Events</a> |
| <a href="https://www.apache.org/licenses/" target="_blank">License</a> |
| <a href="https://www.apache.org/foundation/thanks.html" target="_blank">Thanks</a> |
| <a href="https://www.apache.org/security/" target="_blank">Security</a> |
| <a href="https://www.apache.org/foundation/sponsorship.html" target="_blank">Sponsorship</a> |
| </div> |
| </li> |
| <li class=" button-link"><a href="/downloads.html">Download</a></li> |
| </ul> |
| </div> |
| </div> |
| <div class="action-button menu-icon"> |
| <span class="fa fa-bars"></span> MENU |
| </div> |
| <div class="action-button menu-icon-close"> |
| <span class="fa fa-times"></span> MENU |
| </div> |
| </div> |
| |
| <script type="text/javascript"> |
| var $menu = $('.right-cont'); |
| var $menuIcon = $('.menu-icon'); |
| var $menuIconClose = $('.menu-icon-close'); |
| |
| function showMenu() { |
| $menu.fadeIn(100); |
| $menuIcon.fadeOut(100); |
| $menuIconClose.fadeIn(100); |
| } |
| |
| $menuIcon.click(showMenu); |
| |
| function hideMenu() { |
| $menu.fadeOut(100); |
| $menuIconClose.fadeOut(100); |
| $menuIcon.fadeIn(100); |
| } |
| |
| $menuIconClose.click(hideMenu); |
| |
| $(window).resize(function() { |
| if ($(window).width() >= 840) { |
| $menu.fadeIn(100); |
| $menuIcon.fadeOut(100); |
| $menuIconClose.fadeOut(100); |
| } |
| else { |
| $menu.fadeOut(100); |
| $menuIcon.fadeIn(100); |
| $menuIconClose.fadeOut(100); |
| } |
| }); |
| </script> |
| |
| <!-- Stop page_header include --> |
| |
| |
| <div class="container doc-container"> |
| |
| |
| |
| |
| <p> Looking for the <a href="/docs/0.20.2/">latest stable documentation</a>?</p> |
| |
| |
| <div class="row"> |
| <div class="col-md-9 doc-content"> |
| <p> |
| <a class="btn btn-default btn-xs visible-xs-inline-block visible-sm-inline-block" href="#toc">Table of Contents</a> |
| </p> |
| <!-- |
| ~ Licensed to the Apache Software Foundation (ASF) under one |
| ~ or more contributor license agreements. See the NOTICE file |
| ~ distributed with this work for additional information |
| ~ regarding copyright ownership. The ASF licenses this file |
| ~ to you under the Apache License, Version 2.0 (the |
| ~ "License"); you may not use this file except in compliance |
| ~ with the License. You may obtain a copy of the License at |
| ~ |
| ~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~ |
| ~ Unless required by applicable law or agreed to in writing, |
| ~ software distributed under the License is distributed on an |
| ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~ KIND, either express or implied. See the License for the |
| ~ specific language governing permissions and limitations |
| ~ under the License. |
| --> |
| |
| <h1 id="tls-support">TLS Support</h1> |
| |
| <h1 id="general-configuration">General Configuration</h1> |
| |
| <table><thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| <th>Default</th> |
| </tr> |
| </thead><tbody> |
| <tr> |
| <td><code>druid.enablePlaintextPort</code></td> |
| <td>Enable/Disable HTTP connector.</td> |
| <td><code>true</code></td> |
| </tr> |
| <tr> |
| <td><code>druid.enableTlsPort</code></td> |
| <td>Enable/Disable HTTPS connector.</td> |
| <td><code>false</code></td> |
| </tr> |
| </tbody></table> |
| |
| <p>Although not recommended but both HTTP and HTTPS connectors can be enabled at a time and respective ports are configurable using <code>druid.plaintextPort</code> |
| and <code>druid.tlsPort</code> properties on each process. Please see <code>Configuration</code> section of individual processes to check the valid and default values for these ports.</p> |
| |
| <h1 id="jetty-server-tls-configuration">Jetty Server TLS Configuration</h1> |
| |
| <p>Apache Druid (incubating) uses Jetty as an embedded web server. To get familiar with TLS/SSL in general and related concepts like Certificates etc. |
| reading this <a href="http://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html">Jetty documentation</a> might be helpful. |
| To get more in depth knowledge of TLS/SSL support in Java in general, please refer to this <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html">guide</a>. |
| The documentation <a href="http://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html#configuring-sslcontextfactory">here</a> |
| can help in understanding TLS/SSL configurations listed below. This <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html">document</a> lists all the possible |
| values for the below mentioned configs among others provided by Java implementation.</p> |
| |
| <table><thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| <th>Default</th> |
| <th>Required</th> |
| </tr> |
| </thead><tbody> |
| <tr> |
| <td><code>druid.server.https.keyStorePath</code></td> |
| <td>The file path or URL of the TLS/SSL Key store.</td> |
| <td>none</td> |
| <td>yes</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.keyStoreType</code></td> |
| <td>The type of the key store.</td> |
| <td>none</td> |
| <td>yes</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.certAlias</code></td> |
| <td>Alias of TLS/SSL certificate for the connector.</td> |
| <td>none</td> |
| <td>yes</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.keyStorePassword</code></td> |
| <td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Key Store.</td> |
| <td>none</td> |
| <td>yes</td> |
| </tr> |
| </tbody></table> |
| |
| <p>The following table contains configuration options related to client certificate authentication.</p> |
| |
| <table><thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| <th>Default</th> |
| <th>Required</th> |
| </tr> |
| </thead><tbody> |
| <tr> |
| <td><code>druid.server.https.requireClientCertificate</code></td> |
| <td>If set to true, clients must identify themselves by providing a TLS certificate, without which connections will fail.</td> |
| <td>false</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.requestClientCertificate</code></td> |
| <td>If set to true, clients may optionally identify themselves by providing a TLS certificate. Connections will not fail if TLS certificate is not provided. This property is ignored if <code>requireClientCertificate</code> is set to true. If <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false, the rest of the options in this table are ignored.</td> |
| <td>false</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.trustStoreType</code></td> |
| <td>The type of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td><code>java.security.KeyStore.getDefaultType()</code></td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.trustStorePath</code></td> |
| <td>The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td>none</td> |
| <td>yes, only if <code>requireClientCertificate</code> is true</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.trustStoreAlgorithm</code></td> |
| <td>Algorithm to be used by TrustManager to validate client certificate chains. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td><code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code></td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.trustStorePassword</code></td> |
| <td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Trust Store. Not needed if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td>none</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.validateHostnames</code></td> |
| <td>If set to true, check that the client's hostname matches the CN/subjectAltNames in the client certificate. Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td>true</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.crlPath</code></td> |
| <td>Specifies a path to a file containing static <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list">Certificate Revocation Lists</a>, used to check if a client certificate has been revoked. Not used if <code>requireClientCertificate</code> and <code>requestClientCertificate</code> are false.</td> |
| <td>null</td> |
| <td>no</td> |
| </tr> |
| </tbody></table> |
| |
| <p>The following table contains non-mandatory advanced configuration options, use caution.</p> |
| |
| <table><thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| <th>Default</th> |
| <th>Required</th> |
| </tr> |
| </thead><tbody> |
| <tr> |
| <td><code>druid.server.https.keyManagerFactoryAlgorithm</code></td> |
| <td>Algorithm to use for creating KeyManager, more details <a href="https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManager">here</a>.</td> |
| <td><code>javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()</code></td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.keyManagerPassword</code></td> |
| <td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Key Manager.</td> |
| <td>none</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.includeCipherSuites</code></td> |
| <td>List of cipher suite names to include. You can either use the exact cipher suite name or a regular expression.</td> |
| <td>Jetty's default include cipher list</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.excludeCipherSuites</code></td> |
| <td>List of cipher suite names to exclude. You can either use the exact cipher suite name or a regular expression.</td> |
| <td>Jetty's default exclude cipher list</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.includeProtocols</code></td> |
| <td>List of exact protocols names to include.</td> |
| <td>Jetty's default include protocol list</td> |
| <td>no</td> |
| </tr> |
| <tr> |
| <td><code>druid.server.https.excludeProtocols</code></td> |
| <td>List of exact protocols names to exclude.</td> |
| <td>Jetty's default exclude protocol list</td> |
| <td>no</td> |
| </tr> |
| </tbody></table> |
| |
| <h1 id="druids-internal-communication-over-tls">Druid's internal communication over TLS</h1> |
| |
| <p>Whenever possible Druid processes will use HTTPS to talk to each other. To enable this communication Druid's HttpClient needs to |
| be configured with a proper <a href="http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html">SSLContext</a> that is able |
| to validate the Server Certificates, otherwise communication will fail.</p> |
| |
| <p>Since, there are various ways to configure SSLContext, by default, Druid looks for an instance of SSLContext Guice binding |
| while creating the HttpClient. This binding can be achieved writing a <a href="../development/extensions.html">Druid extension</a> |
| which can provide an instance of SSLContext. Druid comes with a simple extension present <a href="../development/extensions-core/simple-client-sslcontext.html">here</a> |
| which should be useful enough for most simple cases, see <a href="./including-extensions.html">this</a> for how to include extensions. |
| If this extension does not satisfy the requirements then please follow the extension <a href="https://github.com/apache/incubator-druid/tree/master/extensions-core/simple-client-sslcontext">implementation</a> |
| to create your own extension.</p> |
| |
| <h1 id="upgrading-clients-that-interact-with-overlord-or-coordinator">Upgrading Clients that interact with Overlord or Coordinator</h1> |
| |
| <p>When Druid Coordinator/Overlord have both HTTP and HTTPS enabled and Client sends request to non-leader process, then Client is always redirected to the HTTPS endpoint on leader process. |
| So, Clients should be first upgraded to be able to handle redirect to HTTPS. Then Druid Overlord/Coordinator should be upgraded and configured to run both HTTP and HTTPS ports. Then Client configuration should be changed to refer to Druid Coordinator/Overlord via the HTTPS endpoint and then HTTP port on Druid Coordinator/Overlord should be disabled.</p> |
| |
| <h1 id="custom-tls-certificate-checks">Custom TLS certificate checks</h1> |
| |
| <p>Druid supports custom certificate check extensions. Please refer to the <code>org.apache.druid.server.security.TLSCertificateChecker</code> interface for details on the methods to be implemented.</p> |
| |
| <p>To use a custom TLS certificate checker, specify the following property:</p> |
| |
| <table><thead> |
| <tr> |
| <th>Property</th> |
| <th>Description</th> |
| <th>Default</th> |
| <th>Required</th> |
| </tr> |
| </thead><tbody> |
| <tr> |
| <td><code>druid.tls.certificateChecker</code></td> |
| <td>Type name of custom TLS certificate checker, provided by extensions. Please refer to extension documentation for the type name that should be specified.</td> |
| <td>"default"</td> |
| <td>no</td> |
| </tr> |
| </tbody></table> |
| |
| <p>The default checker delegates to the standard trust manager and performs no additional actions or checks.</p> |
| |
| <p>If using a non-default certificate checker, please refer to the extension documentation for additional configuration properties needed.</p> |
| |
| </div> |
| <div class="col-md-3"> |
| <div class="searchbox"> |
| <gcse:searchbox-only></gcse:searchbox-only> |
| </div> |
| <div id="toc" class="nav toc hidden-print"> |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| <!-- Start page_footer include --> |
| <footer class="druid-footer"> |
| <div class="container"> |
| <div class="text-center"> |
| <p> |
| <a href="/technology">Technology</a> ·  |
| <a href="/use-cases">Use Cases</a> ·  |
| <a href="/druid-powered">Powered by Druid</a> ·  |
| <a href="/docs/latest/">Docs</a> ·  |
| <a href="/community/">Community</a> ·  |
| <a href="/downloads.html">Download</a> ·  |
| <a href="/faq">FAQ</a> |
| </p> |
| </div> |
| <div class="text-center"> |
| <a title="Join the user group" href="https://groups.google.com/forum/#!forum/druid-user" target="_blank"><span class="fa fa-comments"></span></a> ·  |
| <a title="Follow Druid" href="https://twitter.com/druidio" target="_blank"><span class="fab fa-twitter"></span></a> ·  |
| <a title="GitHub" href="https://github.com/apache/druid" target="_blank"><span class="fab fa-github"></span></a> |
| </div> |
| <div class="text-center license"> |
| Copyright © 2020 <a href="https://www.apache.org/" target="_blank">Apache Software Foundation</a>.<br> |
| Except where otherwise noted, licensed under <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.<br> |
| Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries. |
| </div> |
| </div> |
| </footer> |
| |
| <script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script> |
| <script> |
| window.dataLayer = window.dataLayer || []; |
| function gtag(){dataLayer.push(arguments);} |
| gtag('js', new Date()); |
| gtag('config', 'UA-131010415-1'); |
| </script> |
| <script> |
| function trackDownload(type, url) { |
| ga('send', 'event', 'download', type, url); |
| } |
| </script> |
| <script src="//code.jquery.com/jquery.min.js"></script> |
| <script src="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script> |
| <script src="/assets/js/druid.js"></script> |
| <!-- stop page_footer include --> |
| |
| |
| <script> |
| $(function() { |
| $(".toc").load("/docs/0.15.1-incubating/toc.html"); |
| |
| // There is no way to tell when .gsc-input will be async loaded into the page so just try to set a placeholder until it works |
| var tries = 0; |
| var timer = setInterval(function() { |
| tries++; |
| if (tries > 300) clearInterval(timer); |
| var searchInput = $('input.gsc-input'); |
| if (searchInput.length) { |
| searchInput.attr('placeholder', 'Search'); |
| clearInterval(timer); |
| } |
| }, 100); |
| }); |
| </script> |
| </body> |
| </html> |