Encrypting Connections with TLS

    Using TLS to connect to a server that verifies the client’s identity is straightforward. The client has to provide a certificate and private key. The NATS client will use these to prove it’s identity to the server. For the client to verify the server’s identity, the CA certificate is provided as well.

    Use example certificates created in self signed certificates for testing.

    1. nc, err := nats.Connect("localhost",
    2.     nats.ClientCert("client-cert.pem", "client-key.pem"),
    3.     nats.RootCAs("rootCA.pem"))
    4. if err != nil {
    5.     log.Fatal(err)
    6. }
    7. defer nc.Close()
    9. // Do something with the connection

    Java

    JavaScript

    1. let caCert = fs.readFileSync("rootCA.pem");
    2. let clientCert = fs.readFileSync("client-cert.pem");
    3. let clientKey = fs.readFileSync("client-key.pem");
    4. let nc = NATS.connect({
    5.     url: url,
    6.     tls: {
    7.         ca: [caCert],
    8.         key: [clientKey],
    9.         cert: [clientCert]
    10.     }
    11. });

    Ruby

    1. EM.run do
    3.   options = {
    4.     :servers => [
    5.       'nats://localhost:4222',
    6.     ],
    7.       :private_key_file => 'client-key.pem',
    9.       :ca_file => 'rootCA.pem'
    10.     }
    11.   }
    13.   NATS.connect(options) do |nc|
    14.     puts "#{Time.now.to_f} - Connected to NATS at #{nc.connected_server}"
    16.     nc.subscribe("hello") do |msg|
    17.       puts "#{Time.now.to_f} - Received: #{msg}"
    18.     end
    20.     nc.flush do
    21.       nc.publish("hello", "world")
    22.     end
    24.     EM.add_periodic_timer(0.1) do
    25.       next unless nc.connected?
    26.       nc.publish("hello", "hello")
    27.     end
    29.     # Set default callbacks
    30.     nc.on_error do |e|
    31.       puts "#{Time.now.to_f } - Error: #{e}"
    32.     end
    34.     nc.on_disconnect do |reason|
    35.     end
    37.     nc.on_reconnect do |nc|
    38.       puts "#{Time.now.to_f} - Reconnected to NATS server at #{nc.connected_server}"
    39.     end
    41.     nc.on_close do
    42.       puts "#{Time.now.to_f} - Connection to NATS closed"
    43.       EM.stop
    44.     end
    45.   end
    46. end

    TypeScript

    1. natsConnection      *conn      = NULL;
    2. natsOptions         *opts      = NULL;
    3. natsStatus          s          = NATS_OK;
    5. s = natsOptions_Create(&opts);
    6. if (s == NATS_OK)
    7.     s = natsOptions_LoadCertificatesChain(opts, "client-cert.pem", "client-key.pem");
    8. if (s == NATS_OK)
    9.     s = natsOptions_LoadCATrustedCertificates(opts, "rootCA.pem");
    10. if (s == NATS_OK)
    11.     s = natsConnection_Connect(&conn, opts);
    13. (...)
    15. // Destroy objects that were created
    16. natsConnection_Destroy(conn);

    Connecting with the TLS Protocol

    Clients (such as Go, Java, Javascript, Ruby and Type Script) support providing a URL containing the tls protocol to the NATS connect call. This will turn on TLS without the need for further code changes. However, in that case there is likely some form of default or environmental settings to allow the TLS libraries of your programming language to find certificate and trusted CAs. Unless these settings are taken into accounts or otherwise modified, this way of connecting is very likely to fail.