Security

    The ArangoDB starter provides several commands to create the certificates and tokens needed to secure a deployment.

    The starter can create all certificates needed for an ArangoDB deployment, including those needed for optional datacenter to datacenter replication.

    To create a certificate used for TLS servers in the keyfile format, you need the public key of the CA (--cacert), the private key of the CA (--cakey) and one or more hostnames (or IP addresses). Then run:

    Make sure to store the generated keyfile (my-tls-cert.keyfile) in a safe place.

    To create a certificate used for TLS servers in the crt & key format, you need the public key of the CA (--cacert), the private key of the CA (--cakey) and one or more hostnames (or IP addresses). Then run:

    arangodb create tls certificate \
        --cacert=my-tls-ca.crt --cakey=my-tls-ca.key \
        --host=<hostname> \
        --cert=my-tls-cert.crt \
        --key=my-tls-cert.key

    Make sure to protect and store the generated files (my-tls-cert.crt & my-tls-cert.key) in a safe place. The .key file holds the server's private key.
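    The keyfile produced by the keyfile variant and the crt & key pair produced by the command above hold the same material: a keyfile is the PEM-encoded certificate (chain) followed by the PEM-encoded private key in one file, which is why it must be protected like a .key file. The following Python is an added example, not code from the starter or the ArangoDB project; it splits a keyfile into the crt & key layout, joins the two back into a keyfile, and writes the key with owner-only permissions. The PEM blocks in SAMPLE_KEYFILE are constructed placeholders, not real certificates or keys.

```python
import os
import re

# Constructed placeholder keyfile in the starter's keyfile layout: the
# certificate chain first, then the private key, all PEM. The base64
# bodies are dummies, not real key material.
SAMPLE_KEYFILE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUc2VydmVyLWNlcnQtcGxhY2Vob2xkZXI=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUY2EtY2VydC1wbGFjZWhvbGRlcg==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcCAQEEIHByaXZhdGUta2V5LXBsYWNlaG9sZGVy\n"
    "-----END EC PRIVATE KEY-----\n"
)

# One PEM block: label, multi-line body, and the END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?",
    re.DOTALL,
)


def split_keyfile(text):
    """Split a keyfile into (certificates_pem, private_key_pem).

    Raises ValueError unless the file holds at least one certificate and
    exactly one private key, and nothing else.
    """
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        block = m.group(0).rstrip("\r\n") + "\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
        else:
            raise ValueError("unexpected PEM block: %s" % label)
    if not certs:
        raise ValueError("keyfile contains no certificate")
    if len(keys) != 1:
        raise ValueError("keyfile must contain exactly one private key, found %d" % len(keys))
    return "".join(certs), keys[0]


def join_keyfile(certs_pem, key_pem):
    """Build a keyfile from a .crt file (certificate chain) and a .key file."""
    if "PRIVATE KEY" in certs_pem:
        raise ValueError("the crt file must not contain a private key")
    keyfile = certs_pem.rstrip("\r\n") + "\n" + key_pem.rstrip("\r\n") + "\n"
    split_keyfile(keyfile)  # validate the layout before handing it out
    return keyfile


def write_crt_and_key(keyfile_path, crt_path, key_path):
    """Convert a keyfile on disk to crt & key; the key is created mode 0600."""
    with open(keyfile_path, "r", encoding="utf-8") as f:
        certs_pem, key_pem = split_keyfile(f.read())
    with open(crt_path, "w", encoding="utf-8") as f:
        f.write(certs_pem)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(key_pem)
```

    A keyfile with two private keys, or one where the key ended up in the .crt file, is rejected rather than silently passed on, since a .crt file is typically handed to clients and must never carry the key.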

    To create a certificate used for client authentication in the keyfile format, you need the public key of the CA (--cacert), the private key of the CA (--cakey) and one or more hostnames (or IP addresses) or email addresses. Then run:

    arangodb create client-auth keyfile \
        --cacert=my-client-auth-ca.crt --cakey=my-client-auth-ca.key \
        [--host=<hostname> | --email=<emailaddress>] \
        --keyfile=my-client-auth-cert.keyfile

    Make sure to protect and store the generated keyfile (my-client-auth-cert.keyfile) in a safe place.

    To create a CA certificate used to sign TLS certificates, run:

    Make sure to protect and store both generated files (my-tls-ca.crt & my-tls-ca.key) in a safe place.

    Note: CA certificates have a much longer lifetime than normal certificates. Therefore even more care is needed to store them safely: anyone holding the CA private key can issue server certificates that every client of the deployment trusts.

    To create a CA certificate used to sign client authentication certificates, run:

    arangodb create client-auth ca \
        --cert=my-client-auth-ca.crt --key=my-client-auth-ca.key

    Make sure to protect and store both generated files (my-client-auth-ca.crt & my-client-auth-ca.key) in a safe place.

    Note: CA certificates have a much longer lifetime than normal certificates. Therefore even more care is needed to store them safely: anyone holding this CA private key can issue client certificates that the deployment accepts.

    A shared JWT secret is used by the servers within a cluster to authenticate each other. To create one, run:

    arangodb create jwt-secret \
        --secret=my-secret.jwt [--length=32]

    Make sure to protect and store the generated file (my-secret.jwt) in a safe place.

    ArangoDB deployments that require authentication can be accessed through standard user+password pairs or using a JWT to get “super-user” access.

    This super-user access is needed to communicate directly with the Agency or with any server in the deployment. Note that using super-user access for normal database access is NOT advised.

    To create a JWT from the JWT secret file specified using the --auth.jwt-secret option, use the following command:

    To create a complete HTTP Authorization header that can be passed directly to tools like curl, use the following command:

      Using curl with this command looks like this:

      curl -v -H "$(arangodb auth header --auth.jwt-secret=<secret-file>)" http://<database-ip>:8529/_api/version

      Note the double quotes around $(arangodb auth header --auth.jwt-secret=<secret-file>): the header value contains a space, and without the quotes the shell would split it into separate arguments.
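      The token behind the auth header is a standard HS256 JWT signed with the contents of the secret file, so a token can also be minted, inspected or verified without the starter binary, for example to check what a token found in a log or a script actually grants. The following Python is an added example, not the starter's own code. It follows ArangoDB's documented JWT claims (iss set to "arangodb", server_id for a super-user token, preferred_username for a user token); the "Authorization: bearer" header shape, the one hour default lifetime and DEMO_SECRET are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real one is the content of the file written by
# `arangodb create jwt-secret`.
DEMO_SECRET = "constructed-demo-secret-do-not-use"


def load_jwt_secret(path):
    """Read a secret file; surrounding whitespace is not part of the secret."""
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(secret, claims):
    """Produce an HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def superuser_token(secret, server_id, lifetime=3600, now=None):
    """Super-user token (Agency, any server). Keep the lifetime short."""
    now = int(time.time()) if now is None else int(now)
    return sign_token(secret, {"iss": "arangodb", "server_id": server_id,
                               "iat": now, "exp": now + lifetime})


def user_token(secret, username, lifetime=3600, now=None):
    """Token acting as a normal database user; preferred for ordinary access."""
    now = int(time.time()) if now is None else int(now)
    return sign_token(secret, {"iss": "arangodb", "preferred_username": username,
                               "iat": now, "exp": now + lifetime})


def auth_header(token):
    """Header line in the assumed shape printed by `arangodb auth header`."""
    return "Authorization: bearer " + token


def verify_token(secret, token, now=None):
    """Check algorithm, signature, issuer and expiry; return the claims.

    Raises ValueError on any failure. The algorithm is pinned to HS256 so a
    header claiming alg "none" or another algorithm is rejected, not trusted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, TypeError) as e:
        raise ValueError("malformed token") from e
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret.encode("utf-8"), (h + "." + p).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != "arangodb":
        raise ValueError("unexpected issuer")
    now = int(time.time()) if now is None else int(now)
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def access_level(claims):
    """Describe what a verified token grants, in the page's terms."""
    if "server_id" in claims:
        return "super-user"
    if "preferred_username" in claims:
        return "user:" + claims["preferred_username"]
    return "unknown"
```

      Tokens are verified with a constant-time comparison and a pinned algorithm, and a super-user token is only minted with an expiry, since such a token grants access to the Agency and every server until it expires.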