Security options

On this page you find all the configuration options related to in-flight security of EventStoreDB.

The protocol security configuration depends a lot on the deployment topology and platform. We have created an interactive configuration tool, which also has instructions on how to generate and install the certificates and configure EventStoreDB nodes to use them.

Below you can find more details about each of the available security options.

Running without security

Unlike previous versions, EventStoreDB v20+ is secure by default. It means that you have to supply valid certificates and configuration for the database node to work.

We realise that many users want to try out the latest version with their existing applications, and also run a previous version of EventStoreDB without any security in their internal networks.

For this to work, you can use the Insecure option:

FormatSyntax
Command line--insecure
YAMLInsecure
Environment variableEVENTSTORE_INSECURE

Default: false

WARNING

When running with protocol security disabled, everything is sent unencrypted over the wire. In the previous version it included the server credentials. Sending username and password over the wire without encryption is not secure by definition, but it might give a false sense of security. In order to make things explicit, EventStoreDB v20 does not use any authentication and authorisation (including ACLs) when running insecure.

Certificates configuration

In this section, you can find settings related to protocol security (HTTPS and TLS).

Certificate common name

SSL certificates can be created with a common name (CN), which is an arbitrary string. Usually is contains the DNS name for which the certificate is issued. When cluster nodes connect to each other, they need to ensure that they indeed talk to another node and not something that pretends to be a node. Therefore, EventStoreDB expects the connecting party to have a certificate with a pre-defined CN eventstoredb-node.

When using the Event Store certificate generator, the CN is properly set by default. However, you might want to change the CN and in this case, you'd also need to tell EventStoreDB what value it should expect instead of the default one, using the setting below:

FormatSyntax
Command line--certificate-reserved-node-common-name
YAMLCertificateReservedNodeCommonName
Environment variableEVENTSTORE_CERTIFICATE_RESERVED_NODE_COMMON_NAME

Default: eventstoredb-node

WARNING

Server certificates must have the internal and external IP addresses or DNS names as subject alternative names.

Trusted root certificates

When getting an incoming connection, the server needs to ensure if the certificate used for the connection can be trusted. For this to work, the server needs to know where trusted root certificates are located.

EventStoreDB will not use the default trusted root certificates store location of the platform. So, even if you use a certificate signed by a public trusted CA, you'd need to explicitly tell the node to use the OS default root certificate store. For self-signed certificates, you just provide the path to the CA certificate file (but not the filename).

FormatSyntax
Command line--trusted-root-certificates-paths
YAMLTrustedRootCertificatesPath
Environment variableEVENTSTORE_TRUSTED_ROOT_CERTIFICATES_PATH

Default: n/a

Certificate file

The CertificateFile setting needs to point to the certificate file, which will be used by the cluster node.

FormatSyntax
Command line--certificate-file
YAMLCertificateFile
Environment variableEVENTSTORE_CERTIFICATE_FILE

If the certificate file is protected by password, you'd need to set the CertificatePassword value accordingly, so the server can load the certificate.

FormatSyntax
Command line--certificate-password
YAMLCertificatePassword
Environment variableEVENTSTORE_CERTIFICATE_PASSWORD

If the certificate file doesn't contain the certificate private key, you need to tell the node where to find the key file using the CertificatePrivateKeyFile setting.

FormatSyntax
Command line--certificate-private-key-file
YAMLCertificatePrivateKeyFile
Environment variableEVENTSTORE_CERTIFICATE_PRIVATE_KEY_FILE

RSA private key

EventStoreDB expects the private key to be in RSA format. Check the first line of the key file and ensure that it looks like this:

-----BEGIN RSA PRIVATE KEY-----
1

If you have non-RSA private key, you can use openssl to convert it:

openssl rsa -in privkey.pem -out privkeyrsa.pem
1

Certificate store (Windows)

The certificate store location is the location of the Windows certificate store, for example CurrentUser.

FormatSyntax
Command line--certificate-store-location
YAMLCertificateStoreLocation
Environment variableEVENTSTORE_CERTIFICATE_STORE_LOCATION

The certificate store name is the name of the Windows certificate store, for example My.

FormatSyntax
Command line--certificate-store-name
YAMLCertificateStoreName
Environment variableEVENTSTORE_CERTIFICATE_STORE_NAME

You need to add the certificate thumbprint setting on Windows so the server can ensure that it's using the correct certificate found in the certificates store.

FormatSyntax
Command line--certificate-thumbprint
YAMLCertificateThumbprint
Environment variableEVENTSTORE_CERTIFICATE_THUMBPRINT

Certificate Generation CLI

Event Store provides the interactive Certificate Generation CLI, which creates self-signed certificates for EventStoreDB. You can use the configuration wizard, that will provide you exact CLI commands that you need to run to generates certificates matching your configuration.

Getting Started

CLI is available as Open Source project in the Github Repository.open in new window The latest release can be found under the GitHub releases page.open in new window

We're releasing binaries for Windows, Linux and macOS. We also publish the tool as a Docker image.

Basic usage for Certificate Generation CLI:

./es-gencert-cli [options] <command> [args]
1

Getting help for a specific command:

./es-gencert-cli -help <command>
1

WARNING

If you are running EventStoreDB on Linux, remember that all certificate files should have restrictive rights, otherwise the OS won't allow using them. Usually, you'd need to change rights for each certificate file to prevent the "permissions are too open" error.

You can do it by running the following command:

chmod 600 [file]
1

Generating the CA certificate

As the first step CA certificate needs to be generated. It'll need to be trusted for each of the nodes and client environment.

By default, the tool will create the ca directory in the certs directory you created. Two keys will be generated:

  • ca.crt - public file that need to be used also for the nodes and client configuration,
  • ca.key - private key file that should be used only in the nodes configuration (Do not copy it to client environment).

CA certificate will be generated with pre-defined CN eventstoredb-node.

To generate CA certificate run:

./es-gencert-cli create-ca
1

You can customise generated cert by providing following params:

ParamDescription
-daysThe validity period of the certificate in days (default: 5 years)
-outThe output directory (default: ./ca)

Example:

./es-gencert-cli create-ca -out ./es-ca
1

Generating the Node certificate

You need to generate self-signed certificates for each node. They should be installed only on the specific node machine.

By default, the tool will create the ca directory in the certs directory you created. Two keys will be generated:

  • node.crt - the public file that needs to be also used for the nodes and client configuration,
  • node.key - the private key file that should be used only in the node's configuration (Do not copy it to client environment).

To generate node certificate run command:

./es-gencert-cli -help create_node
1

You can customise generated cert by providing following params:

ParamDescription
-ca-certificateThe path to the CA certificate file (default: ./ca/ca.crt)
-ca-keyThe path to the CA key file (default: ./ca/ca.key)
-daysThe output directory (default: ./nodeX where X is an auto-generated number)
-outThe output directory (default: ./ca)
-ip-addressesComma-separated list of IP addresses of the node
-dns-namesComma-separated list of DNS names of the node

WARNING

While generating the certificate, you need to remember to pass internal end external:

  • IP addresses to -ip-addresses: e.g. 127.0.0.1,172.20.240.1 and/or
  • DNS names to -dns-names: e.g. localhost,node1.eventstore that will match the URLs that you will be accessing EventStoreDB nodes.

Sample:

./es-gencert-cli-cli create-node -ca-certificate ./es-ca/ca.crt -ca-key ./es-ca/ca.key -out ./node1 -ip-addresses 127.0.0.1,172.20.240.1 -dns-names localhost,node1.eventstore
1

Running with Docker

You could also run the tool using Docker interactive container:

docker run --rm -i eventstore/es-gencert-cli <command> <options>
1

One useful scenario is to use the Docker Compose file tool to generate all the necessary certificates before starting cluster nodes.

Sample:

version: "3.5"

services:
  setup:
    image: eventstore/es-gencert-cli:1.0.2
    entrypoint: bash
    user: "1000:1000"
    command: >
      -c "mkdir -p ./certs && cd /certs
      && es-gencert-cli create-ca
      && es-gencert-cli create-node -out ./node1 -ip-addresses 127.0.0.1,172.20.240.1 -dns-names localhost,node1.eventstore
      && es-gencert-cli create-node -out ./node1 -ip-addresses 127.0.0.1,172.20.240.2 -dns-names localhost,node2.eventstore
      && es-gencert-cli create-node -out ./node1 -ip-addresses 127.0.0.1,172.20.240.3 -dns-names localhost,node3.eventstore
      && find . -type f -print0 | xargs -0 chmod 666"
    container_name: setup
    volumes:
      - ./certs:/certs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

See more in the complete sample of docker-compose secured cluster configuration.

Certificate installation on a client environment

To connect to EventStoreDB, you need to install generated CA public certificate on the client machine (e.g. machine where the client is hosted, or your dev environment).

Linux (Ubuntu, Debian)

  1. Copy generated CA file to dir /usr/local/share/ca-certificates/, e.g. using command:
sudo cp ca.crt /usr/local/share/ca-certificates/event_store_ca.crt
1
  1. Update the CA store:
sudo update-ca-certificates
1

Windows

  1. You can manually import it to the local CA cert store through Certificates Local Machine Management Console. To do that select Run from the Start menu, and then enter certmgr.msc. Then import certificate to Trusted Root Certification.
  2. You can also run the PowerShell script instead:
Import-Certificate -FilePath ".\certs\ca\ca.crt" -CertStoreLocation Cert:\CurrentUser\Root
1

MacOS

  1. In the Keychain Access app on your Mac, select either the login or System keychain. Drag the certificate file onto the Keychain Access app. If you're asked to provide a name and password, type the name and password for an administrator user on this computer.
  2. You can also run the bash script:
sudo security add-certificates -k /Library/Keychains/System.keychain ca.crt 
1

TCP protocol security

Although TCP is disabled by default for external connections (clients), cluster nodes still use TCP for replication. If you aren't running EventStoreDB in insecure mode, all TCP communication will use TLS using the same certificates as SSL.

You can, however, disable TLS for both internal and external TCP.

FormatSyntax
Command line--disable-internal-tcp-tls
YAMLDisableInternalTcpTls
Environment variableEVENTSTORE_DISABLE_INTERNAL_TCP_TLS

Default: false

FormatSyntax
Command line--disable-external-tcp-tls
YAMLDisableExternalTcpTls
Environment variableEVENTSTORE_DISABLE_EXTERNAL_TCP_TLS

Default: false