SSL Configuration for TCDB using java keytool

Terracotta supports SSL/TLS-based security, which secures the entire cluster with connections encrypted using the Transport Layer Security (TLS) protocol (formerly known as the Secure Sockets Layer (SSL) protocol) and provides two-way verification of the identities of the two hosts involved in the communication. This covers communication between the servers in the cluster as well as between clients and the cluster.

This document describes only the SSL/TLS security configuration in TerracottaDB. The steps to configure it are as follows:

  1. Create a directory on the machine where the TCDB server is running.



For Example:



  1. Generate the keystore.

>keytool -genkey -alias terracotta_security_alias -keyalg RSA -keypass terracotta_security_password -storepass terracotta_security_password -keystore C:\SAG\terracotta\ssl\<keystoreName>.jks

What is your first and last name?

  [Unknown]:  < INPUT YOUR DATA >

What is the name of your organizational unit?

  [Unknown]:  < INPUT YOUR DATA >

What is the name of your organization?

  [Unknown]:  < INPUT YOUR DATA >

What is the name of your City or Locality?

  [Unknown]:  < INPUT YOUR DATA >

What is the name of your State or Province?

  [Unknown]:  < INPUT YOUR DATA >

What is the two-letter country code for this unit?

  [Unknown]:  < INPUT YOUR DATA >

Is CN=******, OU=****, O=****, L=***, ST=****, C=*** correct?

  [no]:  Yes

  1. Export the generated certificate to the <certificateName>.cer file.

>keytool -export -alias terracotta_security_alias -storepass terracotta_security_password -file C:\SAG\terracotta\ssl\<certificateName>.cer -keystore C:\SAG\terracotta\ssl\<keystoreName>.jks

  1. Add the certificate to the trust store file <truststoreName>.jks.

keytool -import -v -trustcacerts -alias terracotta_security_alias -file C:\SAG\terracotta\ssl\<certificateName>.cer -keystore C:\SAG\terracotta\ssl\<truststoreName>.jks -keypass terracotta_security_password -storepass terracotta_security_password

  1. Verify that the certificate was successfully added to the keystore.

keytool -list -v -keystore C:\SAG\terracotta\ssl\<keystoreName>.jks

  1. Validate that the certificate was successfully added to the trust store.

keytool -list -keystore C:\SAG\terracotta\ssl\<truststoreName>.jks

  1. Change the host name in tc-config.xml.

<server host="%Hostname%" name="server-1">


  1. Add the tag below to <InstallDir>\TerracottaDB\server\conf\tc-config.xml

security-root-directory: C:\SAG\terracotta\ssl

When only SSL/TLS-based security is needed:


  <security xmlns="">






  1. Copy the keystore and the certificate into the identity folder, and copy the trust store into the trusted-authority folder.
  2. Start the Terracotta server; it should come up without errors. Look for the message below as confirmation.

2018-05-09 13:01:32,097 INFO - Terracotta Server instance has started up as ACTIVE node on 0:0:0:0:0:0:0:0:9410 successfully, and is now ready for work.
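
The two `keytool -list` verification steps above only show that each store contains an entry. The following added example (not part of the original page) checks that the trust store holds the same certificate as the keystore by comparing SHA-256 fingerprints. The file names `keystore.jks` and `truststore.jks` and the variable `TC_STOREPASS` are placeholders chosen for this example, and it assumes both stores share one password, as in the commands above.

```powershell
# Added example: compare the certificate fingerprint in the keystore with the
# one imported into the trust store. File names below are placeholders.
$sslDir     = 'C:\SAG\terracotta\ssl'
$alias      = 'terracotta_security_alias'
$keystore   = Join-Path $sslDir 'keystore.jks'     # stands in for <keystoreName>.jks
$truststore = Join-Path $sslDir 'truststore.jks'   # stands in for <truststoreName>.jks

# Read the store password without echoing it and pass it to keytool through an
# environment variable (-storepass:env), so it does not appear in the process
# command line or in shell history.
$secure = Read-Host -Prompt 'Store password' -AsSecureString
$env:TC_STOREPASS = [System.Net.NetworkCredential]::new('', $secure).Password

function Get-CertFingerprint {
    param([string]$Store, [string]$Alias)
    $ktArgs = @('-list', '-v', '-alias', $Alias, '-keystore', $Store,
                '-storepass:env', 'TC_STOREPASS')
    $out = & keytool @ktArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool failed for ${Store}: $out" }
    # keytool -list -v prints a line such as "SHA256: AB:CD:..." per certificate;
    # the first match belongs to the entry's own (leaf) certificate.
    foreach ($line in $out) {
        if ("$line" -match 'SHA-?256:\s*([0-9A-Fa-f:]+)') {
            return $Matches[1].ToUpper()
        }
    }
    throw "No SHA-256 fingerprint found for alias '$Alias' in $Store"
}

try {
    $fromKeystore   = Get-CertFingerprint -Store $keystore   -Alias $alias
    $fromTruststore = Get-CertFingerprint -Store $truststore -Alias $alias
    if ($fromKeystore -eq $fromTruststore) {
        "OK: trust store holds the keystore certificate ($fromKeystore)"
    } else {
        Write-Error "Mismatch: keystore $fromKeystore, trust store $fromTruststore"
    }
} finally {
    # Drop the password from the session environment when done.
    Remove-Item Env:\TC_STOREPASS -ErrorAction SilentlyContinue
}
```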