Axon Server supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of Axon Server's network traffic - From Axon Framework client applications to Axon Server (SE/EE) as well as between Axon Server nodes within a cluster (EE only).
Axon Server (SE/EE) has two ports (HTTP/gRPC) that need to be enabled for SSL and hence there are two different groups of settings to use, one for each port. The HTTP port uses the generic Spring Boot configuration settings, and requires a Java compatible keystore. For the gRPC port we use standard PEM files.
The following properties need to be setup in
axonserver.propertiesfor both SE and EE:
With Axon Server EE SSL is also used for the communication between the Axon Server nodes. If the internal host names of the Axon Server nodes differ from the host names as they are used by clients, it is required to use another certificate (bound to the internal hostname). If this is the case, you can specify the certificate used for cluster-internal traffic using the “...ssl.internal-cert-chain-file” property.
The certificate used by internal traffic may be generated using its own private key. If this is the case, you must specify the location of this key file in the property "...ssl.internal-private-key-file".
If the certificates used for internal traffic are self-signed certificates, you must ensure that these are trusted by the other nodes. In this case you add the certificates (or the root certificate) in the (PEM) keystore specified by the “...ssl.internal-trust-manager-file” property.
The following properties are available for Axon client applications to use TLS/SSL for the traffic to Axon Server:
A thing to remember is that enabling SSL on an Axon Server cluster will require downtime, as the “...ssl.enabled” setting controls both server and client side code. This is intentional, as it is unreasonable to expect all nodes to have individual settings per node showing which ones communicate using SSL and which do not, so it is recommended to get this done in the beginning during the installation phase of Axon Server.