Updated on 2022-12-14 GMT+08:00

SSL

Scenarios

When the secure Flink cluster is required, SSL-related configuration items must be set.

Configuration Description

Configuration items include the SSL switch, certificate, password, and encryption algorithm.

For versions earlier than MRS 3.x, see Table 1.

Table 1 Parameters

Parameter

Mandatory

Default Value

Description

security.ssl.internal.enabled

Yes

The value is automatically configured according to the cluster installation mode.

  • Security mode: The default value is true.
  • Normal mode: The default value is false.

Main switch of internal communication SSL.

security.ssl.internal.keystore

Yes

-

Java keystore file.

security.ssl.internal.keystore-password

Yes

-

Password used to decrypt the keystore file.

security.ssl.internal.key-password

Yes

-

Password used to decrypt the server key in the keystore file.

security.ssl.internal.truststore

Yes

-

truststore file containing the public CA certificates.

security.ssl.internal.truststore-password

Yes

-

Password used to decrypt the truststore file.

security.ssl.protocol

Yes

TLSv1.2

SSL transmission protocol version

security.ssl.algorithms

Yes

The default value is TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256.

Supported SSL standard algorithm. For details, see the Java official website: http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites.

security.ssl.rest.enabled

Yes

The value is automatically configured according to the cluster installation mode.

  • Security mode: The default value is true.
  • Normal mode: The default value is false.

Main switch of external communication SSL.

security.ssl.rest.keystore

Yes

-

Java keystore file.

security.ssl.rest.keystore-password

Yes

-

Password used to decrypt the keystore file.

security.ssl.rest.key-password

Yes

-

Password used to decrypt the server key in the keystore file.

security.ssl.rest.truststore

Yes

-

truststore file containing the public CA certificates.

security.ssl.rest.truststore-password

Yes

-

Password used to decrypt the truststore file.

For configuration items for MRS 3.x or later, see Table 2.

Table 2 Parameters

Parameter

Description

Default Value

Mandatory

security.ssl.enabled

Main switch of internal communication SSL.

The value is automatically configured according to the cluster installation mode.

  • Security mode: The default value is true.
  • Non-security mode: The default value is false.

Yes

security.ssl.keystore

Java keystore file.

-

Yes

security.ssl.keystore-password

Password used to decrypt the keystore file.

-

Yes

security.ssl.key-password

Password used to decrypt the server key in the keystore file.

-

Yes

security.ssl.truststore

truststore file containing the public CA certificates.

-

Yes

security.ssl.truststore-password

Password used to decrypt the truststore file.

-

Yes

security.ssl.protocol

SSL transmission protocol version.

TLSv1.2

Yes

security.ssl.algorithms

Supported SSL standard algorithm. For details, see the Java official website: http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites.

The default value:

"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

Yes