+ # Config of akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
+ # This engine provider reads PEM files from a mount point shared with the secret
+ # manager. The constructed SSLContext is cached some time (configurable) so when
+ # the credentials rotate the new credentials are eventually picked up.
+ # By default mTLS is enabled.
+ # This provider also includes a verification phase that runs after the TLS handshake
+ # phase. In this verification, both peers run an authorization and verify they are
+ # part of the same akka cluster. The verification happens via comparing the subject
+ # names in the peer's certificate with the name on the own certificate so if you
+ # use this SSLEngineProvider you should make sure all nodes on the cluster include
+ # at least one common subject name (CN or SAN).
+ # The Key setup this implementation supports has some limitations:
+ # 1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
+ # 2. the private key must be be of an algorythm supported by `akka-pki` tools (e.g. "RSA", not "EC")
+ # 3. the node certificate must be issued by a root CA (not an intermediate CA)
+ # 4. both the node and the CA certificates must be provided in PEM-formatted files
+ rotating-keys-engine {
+
+ # This is a convention that people may follow if they wish to save themselves some configuration
+ secret-mount-point = /var/run/secrets/akka-tls/rotating-keys-engine
+
+ # The absolute path the PEM file with the private key.
+ key-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.key
+ # The absolute path to the PEM file of the certificate for the private key above.
+ cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.crt
+ # The absolute path to the PEM file of the certificate of the CA that emited
+ # the node certificate above.
+ ca-cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/ca.crt
+
+ # There are two options, and the default SecureRandom is recommended:
+ # "" or "SecureRandom" => (default)
+ # "SHA1PRNG" => Can be slow because of blocking issues on Linux
+ #
+ # Setting a value here may require you to supply the appropriate cipher
+ # suite (see enabled-algorithms section)
+ random-number-generator = ""
+
+ # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+ # If you use a JDK 8 prior to 8u161 you need to install
+ # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
+ # More info here:
+ # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
+ enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+
+ # Protocol to use for SSL encryption.
+ protocol = "TLSv1.2"
+
+ # How long should an SSLContext instance be cached. When rotating keys and certificates,
+ # there must a time overlap between the old certificate/key and the new ones. The
+ # value of this setting should be lower than duration of that overlap.
+ ssl-context-cache-ttl = 5m
+ }
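Review bot: The header comment on `rotating-keys-engine` requires the private key to be an unencrypted PKCS#1 or PKCS#8 PEM file, but nothing at `key-file` tells operators to protect it; I would add `# The key is stored unencrypted: restrict read access on the mount point to the user running the node.` above `key-file`. The peer check described in the header compares subject names only, so presumably any certificate issued by the CA in `ca-cert-file` that carries a matching CN or SAN is accepted. A line such as `# Use a CA that issues certificates only for this cluster.` would make that assumption explicit. The comments also contain typos worth fixing before merge: `must be be`, `algorythm`, `emited`, `path the PEM file` and `there must a time overlap`. The block that encloses `rotating-keys-engine` starts and ends outside the visible lines.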