Establishing TLS/HTTPS

Develop a secure strategy for SEP deployment with TLS/HTTPS configurations

Before initiating the installation of Starburst Enterprise, it's crucial to have a clear strategy regarding the necessary networking configurations for a secure setup.

This guide will provide insights into the methods for setting up secure traffic, ensuring reliable and secure communication across your nodes and services.

Configuring TLS/HTTPS

Trino, by default, operates without security, allowing connections over HTTP. To enhance security, it's important to configure TLS/HTTPS. Here are the TLS versions that are supported:

TLS Versions | Supported
1.2, 1.3 | Yes
1.0, 1.1 | No
SSL Certificates | No

There are two primary methods to configure TLS:

  1. Using a Load Balancer or Proxy: This is the simplest and most recommended approach. Here, TLS/HTTPS is terminated at the load balancer or proxy level.

  2. Directly Securing the Trino Server: This method involves obtaining a valid certificate and configuring the Trino coordinator directly.

Using a Load Balancer

If you have a load balancer or proxy with a valid TLS certificate, use it to manage TLS connections for your Trino server. Work with your network administrators to ensure the Trino server is positioned behind this load balancer.

The load balancer or proxy terminates the TLS connections and forwards the requests to the Trino coordinator, which typically operates over HTTP on port 8080. For requests that arrived over TLS, the load balancer adds an X-Forwarded-Proto: https HTTP header, signaling the Trino coordinator to process the request as a secure connection.

Directly Securing Trino

Obtaining a TLS Certificate

Choose a certificate that aligns with your environment:

Certificate Type | Description
Globally Trusted Certificates | Broad compatibility, available from commercial vendors or free services like Let's Encrypt.
Corporate Trusted Certificates | Internally issued within your organization.
Self-Signed Certificates | Specific to Trino, less recommended due to trust limitations.

Opting for a globally trusted certificate is highly advised due to its convenience. While it might necessitate some initial effort, this choice significantly reduces the need for configuring each client individually, making it a worthwhile investment in the long run.

Preparing Keys and Certificates

Ensure your keys and certificates are in a format compatible with Trino and recognized by a certificate authority:

  • Supported Formats: PEM (PKCS #1 and #8), PKCS #12, JKS.
  • Format Conversion: Necessary for formats like DER.

Verify the integrity and correctness of your certificates and keys. Detailed instructions are available for PEM files and JKS files.
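
As an added example (not Starburst or Trino code), the following Python sketch identifies which of the formats listed above a key or certificate file uses from its leading bytes, and re-wraps a DER certificate as PEM. The function names and SAMPLE_DER are assumptions made for this illustration, and the sample bytes are constructed rather than taken from a real certificate.

```python
import re
import ssl

# PEM labels for the encodings this page lists as supported.
PEM_KINDS = {
    "CERTIFICATE": "PEM certificate",
    "RSA PRIVATE KEY": "PEM private key, PKCS #1",
    "PRIVATE KEY": "PEM private key, PKCS #8",
    "ENCRYPTED PRIVATE KEY": "PEM private key, PKCS #8 (encrypted)",
}
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# Constructed sample: a certificate-shaped DER header, not a real certificate.
SAMPLE_DER = bytes.fromhex("30083006020100020100")


def outer_sequence_body(data):
    """Return the bytes inside the outermost ASN.1 SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short-form length
        return data[2:2 + first]
    count = first & 0x7F              # long form: count length bytes follow
    if count == 0:                    # BER indefinite length, used by some .p12 files
        return data[2:]
    if len(data) < 2 + count:
        return None
    length = int.from_bytes(data[2:2 + count], "big")
    return data[2 + count:2 + count + length]


def classify(data):
    """Describe each object found in a key or certificate file (bytes)."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:
        return [PEM_KINDS.get(l, "other PEM block: " + l) for l in labels]
    if data.startswith(b"\xfe\xed\xfe\xed"):   # JKS magic number
        return ["JKS keystore"]
    body = outer_sequence_body(data)
    if body is None:
        return ["unrecognized"]
    if body.startswith(b"\x02\x01\x03"):       # PFX version field: INTEGER 3
        return ["PKCS #12 keystore"]
    return ["DER (convert to PEM)"]


def der_cert_to_pem(der):
    """Re-wrap a DER certificate as PEM; the certificate bytes are unchanged."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")
```

The check reads only the container format; it does not validate the certificate chain, expiry, or whether a private key matches its certificate.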