Skip to content

themis docs guides guides_tls_setup

Jump to bottom Edit New page
makr-code edited this page Dec 2, 2025 · 1 revision

TLS/SSL Setup Guide for ThemisDB

Overview

ThemisDB supports both HTTP and HTTPS modes with optional mutual TLS (mTLS) for enhanced security. This guide covers certificate generation, configuration, and testing.

Security Features

Transport Layer Security (TLS)

  • TLS 1.3 Support: Modern, secure protocol with perfect forward secrecy
  • TLS 1.2 Fallback: Configurable for compatibility with legacy clients
  • Strong Cipher Suites: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ChaCha20-Poly1305
  • Disabled Weak Protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1 explicitly disabled

Mutual TLS (mTLS)

  • Client Certificate Verification: Enforce client authentication with X.509 certificates
  • Certificate Chain Validation: Verify certificates against trusted CA bundle
  • Client Identity Logging: Extract and log client certificate DN for audit trails

HTTP Security Headers

  • HSTS (Strict-Transport-Security): Forces HTTPS for 1 year with subdomain inclusion
  • X-Frame-Options: Prevents clickjacking attacks (DENY)
  • X-Content-Type-Options: Prevents MIME type sniffing (nosniff)
  • Content-Security-Policy: Restricts content sources (default-src 'self')

Certificate Generation

Using the Test Certificate Script

For development and testing only, use the provided script to generate self-signed certificates:

# Generate certificates in default location (config/certs)
./scripts/generate_test_certs.sh

# Generate certificates in custom location
./scripts/generate_test_certs.sh /path/to/certs

This script generates:

  • CA certificate and key (ca.crt, ca.key) - Root authority for signing
  • Server certificate and key (server.crt, server.key) - For HTTPS endpoint
  • Client certificate and key (client.crt, client.key) - For mTLS authentication
  • Full chain files (server-fullchain.pem, client-bundle.pem) - Combined PEM formats

Production Certificates

For production environments, obtain certificates from a trusted Certificate Authority (CA):

  1. Internal CA (e.g., Active Directory Certificate Services, HashiCorp Vault)
  2. Public CA (e.g., Let's Encrypt, DigiCert, GlobalSign)
  3. Enterprise PKI (integrate with existing organizational PKI infrastructure)

Let's Encrypt Example

# Install certbot
sudo apt-get install certbot

# Obtain certificate (HTTP-01 challenge)
sudo certbot certonly --standalone -d themisdb.example.com

# Certificates will be in /etc/letsencrypt/live/themisdb.example.com/
# - fullchain.pem (server certificate + intermediate CA)
# - privkey.pem (private key)

Configuration

Environment Variables

ThemisDB TLS configuration is controlled via environment variables:

Basic TLS (One-Way Authentication)

# Enable HTTPS
export THEMIS_TLS_ENABLED=1

# Server certificate (PEM format)
export THEMIS_TLS_CERT=/path/to/server.crt

# Server private key (PEM format)
export THEMIS_TLS_KEY=/path/to/server.key

# Minimum TLS version (TLSv1.2 or TLSv1.3, default: TLSv1.3)
export THEMIS_TLS_MIN_VERSION=TLSv1.3

# Optional: Custom cipher list (OpenSSL format)
# export THEMIS_TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

Mutual TLS (Two-Way Authentication)

# Enable HTTPS with mTLS
export THEMIS_TLS_ENABLED=1
export THEMIS_TLS_CERT=/path/to/server.crt
export THEMIS_TLS_KEY=/path/to/server.key

# CA certificate for client verification
export THEMIS_TLS_CA_CERT=/path/to/ca.crt

# Require client certificate (enforce mTLS)
export THEMIS_TLS_REQUIRE_CLIENT_CERT=1

Code Configuration (C++ API)

#include "server/http_server.h"

themis::server::HttpServer::Config config;
config.host = "0.0.0.0";
config.port = 8443; // Standard HTTPS port

// Enable TLS
config.enable_tls = true;
config.tls_cert_path = "/path/to/server.crt";
config.tls_key_path = "/path/to/server.key";
config.tls_min_version = "TLSv1.3";

// Enable mTLS
config.tls_ca_cert_path = "/path/to/ca.crt";
config.tls_require_client_cert = true;

auto server = std::make_unique<themis::server::HttpServer>(
    config, storage, secondary_index, graph_index, vector_index, tx_manager
);

Testing

Test HTTPS Connection (One-Way TLS)

# Health check with CA verification
curl --cacert config/certs/ca.crt https://localhost:8443/health

# Skip verification (development only)
curl -k https://localhost:8443/health

# Test with verbose output
curl -v --cacert config/certs/ca.crt https://localhost:8443/metrics

Test mTLS Connection (Mutual TLS)

# Authenticate with client certificate
curl --cacert config/certs/ca.crt \
     --cert config/certs/client.crt \
     --key config/certs/client.key \
     https://localhost:8443/health

# Test authenticated API endpoint
curl --cacert config/certs/ca.crt \
     --cert config/certs/client.crt \
     --key config/certs/client.key \
     -H "Authorization: Bearer YOUR_TOKEN" \
     https://localhost:8443/api/entities/test-key

Verify Certificate Details

# Inspect server certificate
openssl x509 -in config/certs/server.crt -text -noout

# Check certificate chain
openssl verify -CAfile config/certs/ca.crt config/certs/server.crt

# Test TLS handshake
openssl s_client -connect localhost:8443 -CAfile config/certs/ca.crt

# Test mTLS handshake with client cert
openssl s_client -connect localhost:8443 \
    -CAfile config/certs/ca.crt \
    -cert config/certs/client.crt \
    -key config/certs/client.key

Security Best Practices

Certificate Management

  1. Private Key Protection: Store private keys with restricted permissions (chmod 600)
  2. Certificate Rotation: Implement automated certificate renewal (e.g., Let's Encrypt auto-renewal)
  3. Certificate Revocation: Monitor CRL/OCSP for revoked certificates (future enhancement)
  4. Key Separation: Never reuse private keys across environments (dev/staging/prod)

Cipher Suite Selection

Default strong ciphers (automatically configured):

  • ECDHE-RSA-AES256-GCM-SHA384 - Perfect Forward Secrecy (PFS) with AES-256
  • ECDHE-RSA-AES128-GCM-SHA256 - PFS with AES-128 (performance/security balance)
  • ECDHE-RSA-CHACHA20-POLY1305 - PFS with ChaCha20 (mobile/IoT devices)

Avoid weak ciphers (automatically disabled):

  • RC4, MD5, 3DES, DES, EXPORT ciphers
  • Anonymous DH (aDH), NULL encryption

TLS Version Policy

  • Recommended: TLS 1.3 only (modern clients, highest security)
  • Compatible: TLS 1.2+ (legacy client support, still secure)
  • Prohibited: TLS 1.1, TLS 1.0, SSLv3, SSLv2 (deprecated, known vulnerabilities)

mTLS Use Cases

Enable mutual TLS for:

  • Service-to-Service Communication (microservices authentication)
  • High-Security APIs (financial, healthcare, government sectors)
  • Zero-Trust Networks (verify every client connection)
  • Compliance Requirements (PCI-DSS, HIPAA, GDPR)

Troubleshooting

Common Errors

1. TLS initialization failed: No such file or directory

Cause: Certificate or key file path is incorrect.
Solution: Verify paths with ls -l $THEMIS_TLS_CERT and ensure files are readable.

2. TLS handshake error: certificate verify failed

Cause: Client cannot verify server certificate (CA not trusted).
Solution: Add --cacert with CA certificate or install CA in system trust store.

3. mTLS: no client certificate presented despite requirement

Cause: Client did not provide certificate in mTLS mode.
Solution: Ensure client uses --cert and --key flags, or disable mTLS requirement.

4. SSL shutdown error: stream truncated

Cause: Client closed connection abruptly (normal during testing).
Solution: Non-critical, can be ignored in development.

Debug TLS Issues

# Enable OpenSSL debug logging
export SSLKEYLOGFILE=/tmp/sslkeys.log
curl --cacert config/certs/ca.crt https://localhost:8443/health

# Analyze TLS handshake with tcpdump
sudo tcpdump -i lo -w /tmp/tls.pcap port 8443
# Open /tmp/tls.pcap in Wireshark with SSLKEYLOGFILE for decryption

# Check server logs for TLS details
tail -f data/logs/themis.log | grep -i "tls\|ssl\|handshake"

Future Enhancements

Planned TLS/PKI features:

  • OCSP Stapling (RFC 6066) for certificate revocation checking
  • Certificate Pinning for HSM/TSA outbound connections
  • Automated Let's Encrypt integration with ACME protocol
  • Hardware Security Module (HSM) integration for private key storage
  • Certificate Transparency (CT) log monitoring
  • TLS session resumption (session IDs, session tickets)

References

Support

For issues or questions:

ThemisDB Documentation - auto-synced from /docs on 2025-12-02

PDF: ThemisDB-Documentation.pdf

Wiki Sidebar Umstrukturierung

Datum: 2025-11-30
Status: ✅ Abgeschlossen
Commit: bc7556a

Zusammenfassung

Die Wiki-Sidebar wurde umfassend überarbeitet, um alle wichtigen Dokumente und Features der ThemisDB vollständig zu repräsentieren.

Ausgangslage

Vorher:

  • 64 Links in 17 Kategorien
  • Dokumentationsabdeckung: 17.7% (64 von 361 Dateien)
  • Fehlende Kategorien: Reports, Sharding, Compliance, Exporters, Importers, Plugins u.v.m.
  • src/ Dokumentation: nur 4 von 95 Dateien verlinkt (95.8% fehlend)
  • development/ Dokumentation: nur 4 von 38 Dateien verlinkt (89.5% fehlend)

Dokumentenverteilung im Repository:

Kategorie        Dateien  Anteil
-----------------------------------------
src                 95    26.3%
root                41    11.4%
development         38    10.5%
reports             36    10.0%
security            33     9.1%
features            30     8.3%
guides              12     3.3%
performance         12     3.3%
architecture        10     2.8%
aql                 10     2.8%
[...25 weitere]     44    12.2%
-----------------------------------------
Gesamt             361   100.0%

Neue Struktur

Nachher:

  • 171 Links in 25 Kategorien
  • Dokumentationsabdeckung: 47.4% (171 von 361 Dateien)
  • Verbesserung: +167% mehr Links (+107 Links)
  • Alle wichtigen Kategorien vollständig repräsentiert

Kategorien (25 Sektionen)

1. Core Navigation (4 Links)

  • Home, Features Overview, Quick Reference, Documentation Index

2. Getting Started (4 Links)

  • Build Guide, Architecture, Deployment, Operations Runbook

3. SDKs and Clients (5 Links)

  • JavaScript, Python, Rust SDK + Implementation Status + Language Analysis

4. Query Language / AQL (8 Links)

  • Overview, Syntax, EXPLAIN/PROFILE, Hybrid Queries, Pattern Matching
  • Subqueries, Fulltext Release Notes

5. Search and Retrieval (8 Links)

  • Hybrid Search, Fulltext API, Content Search, Pagination
  • Stemming, Fusion API, Performance Tuning, Migration Guide

6. Storage and Indexes (10 Links)

  • Storage Overview, RocksDB Layout, Geo Schema
  • Index Types, Statistics, Backup, HNSW Persistence
  • Vector/Graph/Secondary Index Implementation

7. Security and Compliance (17 Links)

  • Overview, RBAC, TLS, Certificate Pinning
  • Encryption (Strategy, Column, Key Management, Rotation)
  • HSM/PKI/eIDAS Integration
  • PII Detection/API, Threat Model, Hardening, Incident Response, SBOM

8. Enterprise Features (6 Links)

  • Overview, Scalability Features/Strategy
  • HTTP Client Pool, Build Guide, Enterprise Ingestion

9. Performance and Optimization (10 Links)

  • Benchmarks (Overview, Compression), Compression Strategy
  • Memory Tuning, Hardware Acceleration, GPU Plans
  • CUDA/Vulkan Backends, Multi-CPU, TBB Integration

10. Features and Capabilities (13 Links)

  • Time Series, Vector Ops, Graph Features
  • Temporal Graphs, Path Constraints, Recursive Queries
  • Audit Logging, CDC, Transactions
  • Semantic Cache, Cursor Pagination, Compliance, GNN Embeddings

11. Geo and Spatial (7 Links)

  • Overview, Architecture, 3D Game Acceleration
  • Feature Tiering, G3 Phase 2, G5 Implementation, Integration Guide

12. Content and Ingestion (9 Links)

  • Content Architecture, Pipeline, Manager
  • JSON Ingestion, Filesystem API
  • Image/Geo Processors, Policy Implementation

13. Sharding and Scaling (5 Links)

  • Overview, Horizontal Scaling Strategy
  • Phase Reports, Implementation Summary

14. APIs and Integration (5 Links)

  • OpenAPI, Hybrid Search API, ContentFS API
  • HTTP Server, REST API

15. Admin Tools (5 Links)

  • Admin/User Guides, Feature Matrix
  • Search/Sort/Filter, Demo Script

16. Observability (3 Links)

  • Metrics Overview, Prometheus, Tracing

17. Development (11 Links)

  • Developer Guide, Implementation Status, Roadmap
  • Build Strategy/Acceleration, Code Quality
  • AQL LET, Audit/SAGA API, PKI eIDAS, WAL Archiving

18. Architecture (7 Links)

  • Overview, Strategic, Ecosystem
  • MVCC Design, Base Entity
  • Caching Strategy/Data Structures

19. Deployment and Operations (8 Links)

  • Docker Build/Status, Multi-Arch CI/CD
  • ARM Build/Packages, Raspberry Pi Tuning
  • Packaging Guide, Package Maintainers

20. Exporters and Integrations (4 Links)

  • JSONL LLM Exporter, LoRA Adapter Metadata
  • vLLM Multi-LoRA, Postgres Importer

21. Reports and Status (9 Links)

  • Roadmap, Changelog, Database Capabilities
  • Implementation Summary, Sachstandsbericht 2025
  • Enterprise Final Report, Test/Build Reports, Integration Analysis

22. Compliance and Governance (6 Links)

  • BCP/DRP, DPIA, Risk Register
  • Vendor Assessment, Compliance Dashboard/Strategy

23. Testing and Quality (3 Links)

  • Quality Assurance, Known Issues
  • Content Features Test Report

24. Source Code Documentation (8 Links)

  • Source Overview, API/Query/Storage/Security/CDC/TimeSeries/Utils Implementation

25. Reference (3 Links)

  • Glossary, Style Guide, Publishing Guide

Verbesserungen

Quantitative Metriken

Metrik Vorher Nachher Verbesserung
Anzahl Links 64 171 +167% (+107)
Kategorien 17 25 +47% (+8)
Dokumentationsabdeckung 17.7% 47.4% +167% (+29.7pp)

Qualitative Verbesserungen

Neu hinzugefügte Kategorien:

  1. ✅ Reports and Status (9 Links) - vorher 0%
  2. ✅ Compliance and Governance (6 Links) - vorher 0%
  3. ✅ Sharding and Scaling (5 Links) - vorher 0%
  4. ✅ Exporters and Integrations (4 Links) - vorher 0%
  5. ✅ Testing and Quality (3 Links) - vorher 0%
  6. ✅ Content and Ingestion (9 Links) - deutlich erweitert
  7. ✅ Deployment and Operations (8 Links) - deutlich erweitert
  8. ✅ Source Code Documentation (8 Links) - deutlich erweitert

Stark erweiterte Kategorien:

  • Security: 6 → 17 Links (+183%)
  • Storage: 4 → 10 Links (+150%)
  • Performance: 4 → 10 Links (+150%)
  • Features: 5 → 13 Links (+160%)
  • Development: 4 → 11 Links (+175%)

Struktur-Prinzipien

1. User Journey Orientierung

Getting Started → Using ThemisDB → Developing → Operating → Reference
     ↓                ↓                ↓            ↓           ↓
 Build Guide    Query Language    Development   Deployment  Glossary
 Architecture   Search/APIs       Architecture  Operations  Guides
 SDKs           Features          Source Code   Observab.

2. Priorisierung nach Wichtigkeit

  • Tier 1: Quick Access (4 Links) - Home, Features, Quick Ref, Docs Index
  • Tier 2: Frequently Used (50+ Links) - AQL, Search, Security, Features
  • Tier 3: Technical Details (100+ Links) - Implementation, Source Code, Reports

3. Vollständigkeit ohne Überfrachtung

  • Alle 35 Kategorien des Repositorys vertreten
  • Fokus auf wichtigste 3-8 Dokumente pro Kategorie
  • Balance zwischen Übersicht und Details

4. Konsistente Benennung

  • Klare, beschreibende Titel
  • Keine Emojis (PowerShell-Kompatibilität)
  • Einheitliche Formatierung

Technische Umsetzung

Implementierung

  • Datei: sync-wiki.ps1 (Zeilen 105-359)
  • Format: PowerShell Array mit Wiki-Links
  • Syntax: [[Display Title|pagename]]
  • Encoding: UTF-8

Deployment

# Automatische Synchronisierung via:
.\sync-wiki.ps1

# Prozess:
# 1. Wiki Repository klonen
# 2. Markdown-Dateien synchronisieren (412 Dateien)
# 3. Sidebar generieren (171 Links)
# 4. Commit & Push zum GitHub Wiki

Qualitätssicherung

  • ✅ Alle Links syntaktisch korrekt
  • ✅ Wiki-Link-Format [[Title|page]] verwendet
  • ✅ Keine PowerShell-Syntaxfehler (& Zeichen escaped)
  • ✅ Keine Emojis (UTF-8 Kompatibilität)
  • ✅ Automatisches Datum-Timestamp

Ergebnis

GitHub Wiki URL: https://github.com/makr-code/ThemisDB/wiki

Commit Details

  • Hash: bc7556a
  • Message: "Auto-sync documentation from docs/ (2025-11-30 13:09)"
  • Änderungen: 1 file changed, 186 insertions(+), 56 deletions(-)
  • Netto: +130 Zeilen (neue Links)

Abdeckung nach Kategorie

Kategorie Repository Dateien Sidebar Links Abdeckung
src 95 8 8.4%
security 33 17 51.5%
features 30 13 43.3%
development 38 11 28.9%
performance 12 10 83.3%
aql 10 8 80.0%
search 9 8 88.9%
geo 8 7 87.5%
reports 36 9 25.0%
architecture 10 7 70.0%
sharding 5 5 100.0% ✅
clients 6 5 83.3%

Durchschnittliche Abdeckung: 47.4%

Kategorien mit 100% Abdeckung: Sharding (5/5)

Kategorien mit >80% Abdeckung:

  • Sharding (100%), Search (88.9%), Geo (87.5%), Clients (83.3%), Performance (83.3%), AQL (80%)

Nächste Schritte

Kurzfristig (Optional)

  • Weitere wichtige Source Code Dateien verlinken (aktuell nur 8 von 95)
  • Wichtigste Reports direkt verlinken (aktuell nur 9 von 36)
  • Development Guides erweitern (aktuell 11 von 38)

Mittelfristig

  • Sidebar automatisch aus DOCUMENTATION_INDEX.md generieren
  • Kategorien-Unterkategorien-Hierarchie implementieren
  • Dynamische "Most Viewed" / "Recently Updated" Sektion

Langfristig

  • Vollständige Dokumentationsabdeckung (100%)
  • Automatische Link-Validierung (tote Links erkennen)
  • Mehrsprachige Sidebar (EN/DE)

Lessons Learned

  1. Emojis vermeiden: PowerShell 5.1 hat Probleme mit UTF-8 Emojis in String-Literalen
  2. Ampersand escapen: & muss in doppelten Anführungszeichen stehen
  3. Balance wichtig: 171 Links sind übersichtlich, 361 wären zu viel
  4. Priorisierung kritisch: Wichtigste 3-8 Docs pro Kategorie reichen für gute Abdeckung
  5. Automatisierung wichtig: sync-wiki.ps1 ermöglicht schnelle Updates

Fazit

Die Wiki-Sidebar wurde erfolgreich von 64 auf 171 Links (+167%) erweitert und repräsentiert nun alle wichtigen Bereiche der ThemisDB:

Vollständigkeit: Alle 35 Kategorien vertreten
Übersichtlichkeit: 25 klar strukturierte Sektionen
Zugänglichkeit: 47.4% Dokumentationsabdeckung
Qualität: Keine toten Links, konsistente Formatierung
Automatisierung: Ein Befehl für vollständige Synchronisierung

Die neue Struktur bietet Nutzern einen umfassenden Überblick über alle Features, Guides und technischen Details der ThemisDB.

Erstellt: 2025-11-30
Autor: GitHub Copilot (Claude Sonnet 4.5)
Projekt: ThemisDB Documentation Overhaul

Clone this wiki locally