API HTTPS Endpoint and Admin Tool Encryption

Note: This section applies only to FaunaDB Enterprise.

Setting up SSL termination is done primarily through the faunadb.yml file. Below you will find all the requirements and instructions for getting encryption up and running.

Dependencies

First, ensure that you have installed the unrestricted Java Cryptography Extension policy files on each node in your FaunaDB Enterprise cluster. Download the JCE policy files for Java 8.

Second, a signed SSL private key. The key file must contain both the private key and the signed certificate.

Terminating SSL for the API Endpoint

FaunaDB can be configured to encrypt the HTTP API endpoint using TLS/SSL.

Add the following settings to your faunadb.yml configuration:

  • http_ssl_key_file: The path to the signed private key.
  • http_ssl_password: The password for the private key. (Note: this can be set as an environment variable FAUNADB_HTTP_SSL_PASSWORD)

FaunaDB can also be configured to perform client authentication using certificates. Client certificates not signed by the trust certificate will be rejected.

Add the trust file used to sign client certificates to the faunadb.yml configuration file.

  • http_ssl_trust_file: The trust certificate used to sign client certificates.

Verify HTTP API SSL Termination

To verify SSL termination is working, try to ping the API endpoint with HTTPS enabled, using the trust certificate used to sign the server key.

$ curl --cacert [trust cert] 'https://localhost:8443/ping'

If client certificate authentication is being used, ping the API endpoint with the signed client key.

$ curl --cacert [trust cert] --cert [signed client cert] 'https://localhost:8443/ping'

Terminating SSL for the Admin Tool

By default, admin commands are sent unencrypted over HTTP. If this is not secure enough, FaunaDB can be configured to encrypt admin communication with TLS/SSL.

Add the following settings to your faunadb.yml configuration:

  • admin_ssl_key_file: The path to the signed private key.
  • admin_ssl_password: The password for the private key. (Note: this can be set as an environment variable FAUNADB_ADMIN_SSL_PASSWORD)
  • admin_ssl_trust_file: The trust certificate used to sign certificates.
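A pre-flight check for the http_ssl_* settings of the API endpoint and the admin_ssl_* settings of the admin tool described above, added here as an example (this is not FaunaDB's own tooling). It assumes a plain "key: value" layout in faunadb.yml; the config keys and the FAUNADB_*_SSL_PASSWORD variables are the documented ones, and the PEM files written by demo() are constructed placeholders, not real key material.

```shell
# Print the value of a top-level "key: value" line in a faunadb.yml (quotes stripped).
yml_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed "s/^[\"']//; s/[\"'][[:space:]]*$//" | head -n 1
}

# check_fauna_ssl <faunadb.yml> <http|admin>: returns 0 if the SSL settings are usable.
check_fauna_ssl() {
  yml=$1; prefix=${2:-http}; rc=0
  key_file=$(yml_get "$yml" "${prefix}_ssl_key_file")
  trust_file=$(yml_get "$yml" "${prefix}_ssl_trust_file")
  password=$(yml_get "$yml" "${prefix}_ssl_password")
  [ -n "$key_file" ] || { echo "${prefix}_ssl_key_file not set: endpoint stays plain HTTP"; return 1; }
  [ -r "$key_file" ] || { echo "key file not readable: $key_file"; return 1; }
  # The key file must carry both the private key and the signed certificate.
  grep -q 'BEGIN .*PRIVATE KEY' "$key_file" || { echo "no private key in $key_file"; rc=1; }
  grep -q 'BEGIN CERTIFICATE' "$key_file" || { echo "no signed certificate in $key_file"; rc=1; }
  # A world-readable key file exposes the private key to every local account.
  [ -z "$(find "$key_file" -perm -004)" ] || echo "warning: $key_file is world-readable"
  # The password may come from the file or from FAUNADB_<PREFIX>_SSL_PASSWORD.
  env_name="FAUNADB_$(echo "$prefix" | tr '[:lower:]' '[:upper:]')_SSL_PASSWORD"
  eval "env_password=\${$env_name:-}"
  [ -n "$password" ] || [ -n "$env_password" ] || { echo "no ${prefix}_ssl_password and $env_name is unset"; rc=1; }
  # The trust file is optional; when set, it must hold a certificate.
  if [ -n "$trust_file" ]; then
    grep -q 'BEGIN CERTIFICATE' "$trust_file" 2>/dev/null || { echo "trust file has no certificate: $trust_file"; rc=1; }
  fi
  return $rc
}

# demo: runs the check against constructed files (placeholder PEM bodies, not real keys).
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$d/server.pem"
  chmod 600 "$d/server.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$d/trust.pem"
  printf '%s\n' "http_ssl_key_file: $d/server.pem" 'http_ssl_password: "changeme"' \
    "http_ssl_trust_file: $d/trust.pem" > "$d/faunadb.yml"
  check_fauna_ssl "$d/faunadb.yml" http && echo "http: ssl settings look usable"
  rm -rf "$d"
}
demo
```

Run it with the real faunadb.yml and `http` or `admin` as the second argument before restarting a node; a non-zero exit means the endpoint would either stay on plain HTTP or fail to load its key.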