ArangoDB v3.13 is under development and not released yet. This documentation is not final and potentially incomplete.
HTTP interfaces for security features
The security-related endpoints let you can configure audit logging, encryption at rest, and encryption in transit
Audit logging
You can get and set the log level for the audit-*
log topics using the regular
endpoints for the log levels. See Logs.
The audit logging feature can otherwise only be configured using startup options. See Audit logging.
Encryption in transit
Get the TLS data
Return a summary of the TLS data. The JSON response will contain a field
result
with the following components:
keyfile
: Information about the key file.clientCA
: Information about the Certificate Authority (CA) for client certificate verification.
If server name indication (SNI) is used and multiple key files are
configured for different server names, then there is an additional
attribute SNI
, which contains for each configured server name
the corresponding information about the key file for that server name.
In all cases the value of the attribute will be a JSON object, which has a subset of the following attributes (whatever is appropriate):
sha256
: The value is a string with the SHA256 of the whole input file.certificates
: The value is a JSON array with the public certificates in the chain in the file.privateKeySha256
: In cases where there is a private key (keyfile
but notclientCA
), this field is present and contains a JSON string with the SHA256 of the private key.
This API requires authentication.
Reload the TLS data
This API call triggers a reload of all the TLS data (server key, client-auth CA) and then returns a summary. The JSON response is exactly as in the corresponding GET request.
This is a protected API and can only be executed with superuser rights.
Encryption at rest
Rotate the encryption at rest key
Change the user-supplied encryption at rest key by sending a request without
payload to this endpoint. The file supplied via --rocksdb.encryption-keyfolder
will be reloaded and the internal encryption key will be re-encrypted with the
new user key.
This is a protected API and can only be executed with superuser rights. This API is not available on Coordinator nodes.