Queen-Side SSL Parameters - Aster Client

Teradata Aster® Client Guide

Product: Aster Client
Release Number: 7.00
Published: May 2017
Language: English (United States)
Last Update: 2018-04-13

These are the configuration flags that can be used on the queen to tune SSL behavior. Most queen-side flags have a corresponding client-side flag. When you change a flag on one side (client or server), you will typically have to make appropriate changes to the other side.

  • disallowPeerWithoutCertificates: If this flag is set, the client cannot communicate with its peer (server) without a valid certificate. Defaults to FALSE.
  • allowSelfSignedPeer: If this flag is set, Aster Database allows connections from clients with self-signed certificates. Defaults to TRUE.
  • Set either trustedCAFileName or trustedCAPath, depending on whether you have one or many CA certificates:
    • trustedCAFileName: The pathname of the single PEM-formatted CA certificate that Aster Database trusts. (You also have the option of trusting multiple CA certificates; see trustedCAPath, below.) Whenever the queen gets a certificate from the peer, the queen traverses the certificate chain to verify that the certificate specified by trustedCAFileName is part of the chain. If so, the peer is allowed to connect.
    • trustedCAPath: Directory containing PEM-formatted CA certificates that Aster Database trusts. The files inside this directory are looked up based on the CA subject name hash value.
  • sslCertificatePath: SSL certificate location.
  • sslPrivateKeyPath: SSL private key location.
  • sslFileType: The formatting type of the certificate. Set this to a string value of 1 for PEM-encoded certs (called “SSL_FILESYSTEM_PEM” on the client side) or 2 for ASN1-encoded certs (called “SSL_FILETYPE_ASN1” on the client side). Default is 1.
  • secureMuleServer: If set to true, Aster Database will be configured to use a secure channel for its communication. If secureMuleServer is enabled, the configuration flags sslCertificatePath and sslPrivateKeyPath should be appropriately set.
  • secureWrites: If set to true, encrypts communications going out to clients. Required to be true if the client is set to encrypt reads (e.g. --ssl-encrypt-reads flag is set in ACT).
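
The dependencies between these flags can be checked mechanically before a configuration is deployed. The following is an added example, not code from the Aster documentation or product. The flag names and defaults are the ones listed above; the dict input format, the sample paths, and treating an unset boolean flag with no documented default as false are assumptions.

```python
# Added example: flag names and stated defaults come from the list above.
# Assumptions: flags arrive as a dict of strings; a boolean flag with no
# documented default is treated as false when it is absent.
DEFAULTS = {
    "disallowPeerWithoutCertificates": "FALSE",
    "allowSelfSignedPeer": "TRUE",
    "sslFileType": "1",
}

def audit_queen_ssl(flags, client_encrypts_reads=False):
    """Return (flag, finding) tuples for a set of queen-side SSL flags."""
    cfg = {**DEFAULTS, **flags}

    def on(name):
        return str(cfg.get(name, "false")).strip().lower() == "true"

    findings = []
    if not on("disallowPeerWithoutCertificates"):
        findings.append(("disallowPeerWithoutCertificates",
                         "peers without a valid certificate are not rejected"))
    if on("allowSelfSignedPeer"):
        findings.append(("allowSelfSignedPeer",
                         "self-signed client certificates are accepted"))
    ca_file, ca_path = cfg.get("trustedCAFileName"), cfg.get("trustedCAPath")
    if not ca_file and not ca_path:
        findings.append(("trustedCAFileName", "no trusted CA file or directory set"))
    elif ca_file and ca_path:
        findings.append(("trustedCAPath", "both CA settings present; set one"))
    if str(cfg["sslFileType"]) not in ("1", "2"):
        findings.append(("sslFileType", "must be 1 (PEM) or 2 (ASN1)"))
    if on("secureMuleServer"):
        for name in ("sslCertificatePath", "sslPrivateKeyPath"):
            if not cfg.get(name):
                findings.append((name, "required when secureMuleServer is enabled"))
    if client_encrypts_reads and not on("secureWrites"):
        findings.append(("secureWrites", "must be true when the client encrypts reads"))
    return findings

# Constructed sample inputs; the paths are placeholders, not Aster defaults.
DEFAULT_LIKE = {"secureMuleServer": "true", "sslCertificatePath": "/example/queen.crt"}
HARDENED = {
    "disallowPeerWithoutCertificates": "true", "allowSelfSignedPeer": "false",
    "trustedCAFileName": "/example/ca.pem", "secureMuleServer": "true",
    "sslCertificatePath": "/example/queen.crt",
    "sslPrivateKeyPath": "/example/queen.key", "secureWrites": "true",
}

if __name__ == "__main__":
    for flag, msg in audit_queen_ssl(DEFAULT_LIKE, client_encrypts_reads=True):
        print(f"{flag}: {msg}")
```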