SSL

Axon Server supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of Axon Server's network traffic - From Axon Framework client applications to Axon Server (SE/EE) as well as between Axon Server nodes within a cluster (EE only).

Axon Server (SE/EE) has two ports (HTTP/gRPC) that need to be enabled for SSL and hence there are two different groups of settings to use, one for each port. The HTTP port uses the generic Spring Boot configuration settings, and requires a Java compatible keystore. For the gRPC port we use standard PEM files.

The following properties need to be setup in axonserver.properties for both SE and EE:

Port Type

Property Name

Description

SSL (Axon Server - HTTP Port)

security.require-ssl

Determines whether the server has ssl enabled on the HTTP port.

server.ssl.key-store-type

Keystore type. (should be PKCS12)

server.ssl.key-store

Location of the keystore.

server.ssl.key-store-password

Password to access the keystore.

server.ssl.key-alias

Alias to be used to access the keystore.

SSL (Axon Server - gRPC Port)

axoniq.axonserver.ssl.enabled

Determines whether the server has ssl enabled on the gRPC port.

axoniq.axonserver.ssl.cert-chain-file

Location of the public certificate file.

axoniq.axonserver.ssl.private-key-file

Location of the private key file.

axoniq.axonserver.ssl.internal-cert-chain-file

File containing the full certificate chain to be used in internal communication between Axon Server nodes.

(Axon EE only)

axoniq.axonserver.ssl.internal-trust-manager-file

Trusted certificates for verifying the other AxonServer's certificate.

(Axon EE only)

With Axon Server EE we have two extra settings for the internal gRPC port; “...ssl.internal-cert-chain-file” and “...ssl.internal-trust-manager-file”.

The first is for the PEM certificate to be used for cluster-internal traffic, if it is different from the one used for client connections. The most common reason is when the nodes use a different DNS name for internal (cluster node to cluster node) communication than for external connections.

The second is for a (PEM) keystore that certifies the other certificates, which may be needed when they are signed using an authority that is not available from the Java JDK’s CA keystore.

Downtime Considerations

A thing to remember is that enabling SSL on an Axon Server cluster will require downtime, as the “...ssl.enabled” setting controls both server and client side code. This is intentional, as it is unreasonable to expect all nodes to have individual settings per node showing which ones communicate using SSL and which do not, so it is recommended to get this done in the beginning during the installation phase of Axon Server.