Network connections into the Event Streams deployment are secured using TLS. By default, data within the Event Streams deployment is not encrypted. To secure this data, you must ensure that the storage and communication channels are encrypted as follows:
- Encrypt data at rest by using disk encryption, or by encrypting volumes with dm-crypt.
- Encrypt internal network traffic by enabling TLS for communication between pods.
- Encrypt message payloads in the producing and consuming applications.
Enabling encryption between pods
By default, TLS encryption for communication between pods is disabled. You can enable it when installing Event Streams, or you can enable it later as described in this section.
To enable TLS encryption for your existing Event Streams installation, use the UI or the command line.
- To enable TLS by using the UI, follow the instructions in modifying installation settings, and set the Pod to pod encryption field of the Global install settings section to Enabled.
- To enable TLS by using the command line, follow the instructions in modifying installation settings, and set the global.security.tlsInternal parameter to enabled as follows:
  helm upgrade --reuse-values --set global.security.tlsInternal=enabled <release_name> <charts.tgz> --tls
  For example:
  helm upgrade --reuse-values --set global.security.tlsInternal=enabled eventstreams ibm-eventstreams-prod-1.4.0.tgz --tls
Warning: If you enable TLS encryption between pods, the message browser will not display message data from before the upgrade.
Important: Enabling TLS encryption between pods might impact the connection to Event Streams.
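The following pre-flight script is an added example and is not part of the Event Streams documentation or the product's own tooling. It reads a release's current values, reports whether global.security.tlsInternal is already enabled (so the upgrade, with the message-browser caveat above, is not run twice), and otherwise prints the helm upgrade command from the procedure. It assumes Helm 2 with a TLS-secured Tiller (hence --tls) and that helm get values --all <release> --tls returns the merged values as YAML; the --all flag, the YAML shape, and the sample values are assumptions and constructed data, not output captured from a real installation.

```shell
#!/bin/sh
# Added example (not from the Event Streams documentation). Checks the
# current state of global.security.tlsInternal before enabling pod-to-pod TLS.
# Assumptions: Helm 2 with a TLS-secured Tiller, and that
#   helm get values --all <release> --tls
# prints the release's merged values as YAML (the --all flag and the YAML
# shape are assumptions; verify against your Helm version).

# Print the value of global.security.tlsInternal found in the YAML passed as
# $1, or "unset" if the key is absent. Indentation is used to track the key
# path, so a tlsInternal key elsewhere in the values is not matched.
tls_internal_state() {
  printf '%s\n' "$1" | awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # skip comments and blank lines
    {
      ind = indent($0)
      key = $1; sub(/:.*/, "", key)
      while (depth > 0 && lvl[depth] >= ind) depth--   # leave sibling/deeper scopes
      depth++; lvl[depth] = ind; path[depth] = key
      p = path[1]; for (i = 2; i <= depth; i++) p = p "." path[i]
      if (p == "global.security.tlsInternal") {
        v = $0; sub(/^[^:]*:[[:space:]]*/, "", v); gsub(/"/, "", v)
        print (v == "" ? "unset" : v); found = 1; exit
      }
    }
    END { if (!found) print "unset" }'
}

# For release $1 installed from chart $2, given the values YAML in $3, print
# "skip" if pod-to-pod TLS is already enabled, otherwise the upgrade command
# from the documentation.
tls_internal_plan() {
  release=$1; chart=$2; values=$3
  state=$(tls_internal_state "$values")
  case $state in
    enabled) printf 'skip: global.security.tlsInternal is already enabled for %s\n' "$release" ;;
    *)       printf 'helm upgrade --reuse-values --set global.security.tlsInternal=enabled %s %s --tls\n' "$release" "$chart" ;;
  esac
}

# Constructed sample values so the script runs offline. A live run would use:
#   values=$(helm get values --all "$release" --tls)
SAMPLE_DISABLED='global:
  security:
    tlsInternal: disabled
  image:
    pullSecret: ""
kafka:
  brokers: 3'

SAMPLE_ENABLED='global:
  security:
    tlsInternal: "enabled"'

SAMPLE_UNSET='global:
  image:
    pullSecret: ""'

# Demonstration against the constructed sample: prints the upgrade command.
tls_internal_plan eventstreams ibm-eventstreams-prod-1.4.0.tgz "$SAMPLE_DISABLED"
```

Run the printed command only after confirming the state is "disabled" or "unset"; when it reports "skip", the release already has pod-to-pod TLS and a second upgrade would only repeat the connection disruption described above.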