Securing

When using a configuration file with multi-user authorization, you must use the --user and --pass parameters with the NATS Streaming Server, matching a user in the configuration file, in order to specify which user the NATS Streaming Server should authenticate with to its embedded NATS Server.

For example, if you pass the NATS Streaming Server a file with several users, you must run the streaming server as a user such as "Joe" who is defined in the configuration file.

    Using TLS

While there are several TLS related parameters for the NATS Streaming Server, securing the server's connection is straightforward. However, bear in mind that the NATS Streaming Server embeds the NATS Server, resulting in a client-server relationship where the NATS Streaming Server is a client of its embedded NATS Server.

    That means two sets of TLS configuration parameters must be used: TLS server parameters for the embedded NATS server, and TLS client parameters for the NATS Streaming server itself.

    These could be the same certificates used with your NATS streaming clients.

    The embedded NATS server specifies TLS server certificates with these:

```
--tlskey <file>      Private key for server certificate
--tlscacert <file>   Client certificate CA for verification
```

    The server parameters are used the same way you’d .

    Proper usage of the NATS Streaming Server requires the use of both client and server parameters.

    Further TLS related functionality can be found in Securing NATS > TLS. Note that if specifying cipher suites is required, a configuration file for the embedded NATS server can be passed through the -config command line parameter.

    If that is the case, it is not necessary to configure the server-side TLS parameters. You only need to specify the client-side parameters (-tls_client_cert, etc…).
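The following shell functions are an added example and are not part of the NATS documentation or the NATS project's own code. They put the two paragraphs above together: a multi-user authorization file for the embedded NATS Server, the two TLS parameter sets (client-side for the streaming server, server-side for the embedded server), and a preflight check that rejects a command line carrying only the client-side set unless a -config file is supplied. All certificate paths, the user "joe" and the passwords are constructed placeholders; the flag names are the real nats-streaming-server and nats-server flags (-user, -pass, -tls_client_cert, -tls_client_key, -tls_client_cacert, -tlscert, -tlskey, -tlscacert, -config).

```shell
#!/bin/sh
# Added example (not NATS project code). Paths, user names and passwords below
# are constructed placeholders.

# Write an embedded NATS Server configuration with a multi-user authorization
# block and the tls block with client_ca. $1 = output path, $2 = CA file.
# Plaintext passwords are shown only as placeholders; nats-server also accepts
# bcrypt hashes in the password field, which is what a deployment should use.
write_embedded_nats_conf() {
  cat > "$1" <<EOF
authorization {
  users = [
    { user: "joe",   password: "joe-placeholder-secret" }
    { user: "alice", password: "alice-placeholder-secret" }
  ]
}
tls {
  client_ca: "$2"
}
EOF
}

# Assemble both TLS parameter sets. The streaming server is a client of its
# embedded NATS Server, so the client-side set (-tls_client_*) and the
# server-side set (-tlscert/-tlskey/-tlscacert) are both needed.
# $1 client cert, $2 client key, $3 CA, $4 server cert, $5 server key
stan_tls_args() {
  printf '%s' "-tls_client_cert $1 -tls_client_key $2 -tls_client_cacert $3 -tlscert $4 -tlskey $5 -tlscacert $3"
}

# True when the flag $2 appears as a whole word in the argument string $1.
_has_flag() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Preflight check: succeed only when the client-side set is complete and
# either the server-side set is complete or a -config file carries the
# embedded server's TLS settings. Client-side parameters alone are rejected.
check_stan_tls_args() {
  args="$1"
  if ! _has_flag "$args" -tls_client_cert || ! _has_flag "$args" -tls_client_key || ! _has_flag "$args" -tls_client_cacert; then
    return 1
  fi
  if _has_flag "$args" -config; then
    return 0
  fi
  if _has_flag "$args" -tlscert && _has_flag "$args" -tlskey && _has_flag "$args" -tlscacert; then
    return 0
  fi
  return 1
}

# Full launch line under multi-user authorization: the streaming server must
# authenticate to its embedded NATS Server as a user from the config file.
# $1 = config path, $2 = TLS argument string.
stan_launch_cmd() {
  printf '%s' "nats-streaming-server -config $1 -user joe -pass joe-placeholder-secret $2"
}

# Demo with placeholder paths: writes the config and prints the command line;
# it does not start a server.
conf="${TMPDIR:-/tmp}/embedded-nats-example.conf"
write_embedded_nats_conf "$conf" certs/ca.pem
tls="$(stan_tls_args certs/client-cert.pem certs/client-key.pem certs/ca.pem certs/server-cert.pem certs/server-key.pem)"
if check_stan_tls_args "$tls"; then
  stan_launch_cmd "$conf" "$tls"
  echo
fi
```

The password passed with -pass is visible to anyone who can list processes on the host, so in practice keep the streaming server's user in a configuration file with restricted permissions rather than on the command line; the check function is only a guard against the start-up failure described below, not a substitute for validating the certificate files themselves.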

    However, NATS Streaming Server uses the NATS Server command line parsing code and currently would not allow specifying the client-side parameters alone. The server would fail to start with a message similar to this:

```
nats-streaming-server -tls_ca_cert test/certs/ca.pem
```

    Output

```
tls {
    client_ca: "test/certs/ca.pem"
}
```

    And then start the server with this configuration file: