This documentation is for an out-of-date version of Apache Flink. We recommend you use the latest stable version.

SSL Setup

This page provides instructions on how to enable SSL for the network communication between different Flink components.

SSL Configuration

SSL can be enabled for all network communication between Flink components. A keystore and a truststore have to be deployed on each Flink node and configured in conf/flink-conf.yaml using keys in the security.ssl.* namespace (see the configuration page for details). SSL can be selectively enabled or disabled per transport using the following flags. These flags only take effect when security.ssl.enabled is set to true; with it set to false every transport runs in plaintext regardless of the per-transport flags.

  • SSL flag for data communication between task managers
  • blob.service.ssl.enabled: SSL flag for blob service client/server communication
  • akka.ssl.enabled: SSL flag for the Akka-based control connections between the Flink client, jobmanager and taskmanager
  • jobmanager.web.ssl.enabled: Flag to enable https access to the jobmanager’s web frontend

Complete List of SSL Options

Each entry lists the key, its default and its description. Where the key name did not survive on this page it is shown as "(key not shown)"; the keys that are used in the configuration examples further down are given in full.

Key: (key not shown)
Default: "TLS_RSA_WITH_AES_128_CBC_SHA"
Description: The comma-separated list of standard SSL algorithms (cipher suites) to be supported. Note that the default suite uses plain RSA key exchange and therefore provides no forward secrecy; prefer ECDHE suites where the JVM supports them.

Key: (key not shown)
Default: -1
Description: The timeout (in ms) for flushing the `close_notify` that was triggered by closing a channel. If the `close_notify` was not flushed within the given timeout, the channel is closed forcibly. (-1 = use system default)

Key: security.ssl.enabled
Default: false
Description: Turns on SSL for internal network communication. This can be optionally overridden by the flags defined in the individual transport modules.

Key: (key not shown)
Default: -1
Description: The timeout (in ms) for the SSL handshake. (-1 = use system default)

Key: security.ssl.key-password
Default: (none)
Description: The secret to decrypt the server key in the keystore.

Key: security.ssl.keystore
Default: (none)
Description: The Java keystore file to be used by the Flink endpoint for its SSL key and certificate.

Key: security.ssl.keystore-password
Default: (none)
Description: The secret to decrypt the keystore file.

Key: (key not shown)
Default: "TLSv1.2"
Description: The SSL protocol version to be supported for the SSL transport. Note that it does not accept a comma-separated list; only a single version can be given.

Key: (key not shown)
Default: -1
Description: The size of the cache used for storing SSL session objects. Set this to an appropriate number to avoid a known bug with stalling IO threads during garbage collection. (-1 = use system default)

Key: (key not shown)
Default: -1
Description: The timeout (in ms) for the cached SSL session objects. (-1 = use system default)

Key: security.ssl.truststore
Default: (none)
Description: The truststore file containing the public CA certificates to be used by Flink endpoints to verify the peer’s certificate.

Key: security.ssl.truststore-password
Default: (none)
Description: The secret to decrypt the truststore.

Key: (key not shown)
Default: true
Description: Flag to enable verification of the peer’s hostname during the SSL handshake. Leave this enabled: with it disabled, any certificate signed by a trusted CA is accepted no matter which host presents it.

Deploying Keystores and Truststores

You need to have a Java keystore generated and copied to each node in the Flink cluster. The common name or subject alternative names in the certificate must match the node’s hostname and IP address, otherwise hostname verification (enabled by default) rejects the connection. Keystores and truststores can be generated using the keytool utility. All Flink components should have read access to the keystore and truststore files; since the keystore contains the node’s private key, restrict it to the user that runs Flink and grant no other account read access.

Example: Creating a self-signed CA and keystores for a two-node cluster

Execute the following keytool commands to create a truststore with a self-signed CA. The password `password` used throughout the example is a placeholder; use real secrets in a deployment.

keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass password -keypass password -keyalg RSA -ext bc=ca:true
keytool -keystore ca.keystore -storepass password -alias ca -exportcert > ca.cer
keytool -importcert -keystore ca.truststore -alias ca -storepass password -noprompt -file ca.cer

Now create keystores for each node with certificates signed by the above CA. In the commands below, <node1-host> and <node2-host> are placeholders for the two nodes’ hostnames and <node1-ip> and <node2-ip> for their IP addresses; substitute your own values. The subject alternative name (SAN) extension carries both so that peers can connect by either name or address.

Node 1

keytool -genkeypair -alias node1 -keystore node1.keystore -dname "CN=<node1-host>" -ext SAN=dns:<node1-host>,ip:<node1-ip> -storepass password -keypass password -keyalg RSA
keytool -certreq -keystore node1.keystore -storepass password -alias node1 -file node1.csr
keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext SAN=dns:<node1-host>,ip:<node1-ip> -infile node1.csr -outfile node1.cer
keytool -importcert -keystore node1.keystore -storepass password -file ca.cer -alias ca -noprompt
keytool -importcert -keystore node1.keystore -storepass password -file node1.cer -alias node1 -noprompt

Node 2

keytool -genkeypair -alias node2 -keystore node2.keystore -dname "CN=<node2-host>" -ext SAN=dns:<node2-host>,ip:<node2-ip> -storepass password -keypass password -keyalg RSA
keytool -certreq -keystore node2.keystore -storepass password -alias node2 -file node2.csr
keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext SAN=dns:<node2-host>,ip:<node2-ip> -infile node2.csr -outfile node2.cer
keytool -importcert -keystore node2.keystore -storepass password -file ca.cer -alias ca -noprompt
keytool -importcert -keystore node2.keystore -storepass password -file node2.cer -alias node2 -noprompt

Standalone Deployment

Configure each node in the standalone cluster to pick up the keystore and truststore files present in the local file system.

Example: Two-node cluster

  • Generate two keystores, one for each node, and copy each to the filesystem of its node. Also copy the certificate of the CA (which signed the certificates in the keystores) as a Java truststore to both nodes.
  • Configure conf/flink-conf.yaml to pick up these files.

Node 1

security.ssl.enabled: true
security.ssl.keystore: /usr/local/node1.keystore
security.ssl.keystore-password: password
security.ssl.key-password: password
security.ssl.truststore: /usr/local/ca.truststore
security.ssl.truststore-password: password

Node 2

security.ssl.enabled: true
security.ssl.keystore: /usr/local/node2.keystore
security.ssl.keystore-password: password
security.ssl.key-password: password
security.ssl.truststore: /usr/local/ca.truststore
security.ssl.truststore-password: password
  • Restart the Flink components to enable SSL for all of Flink’s internal communication
  • Verify by accessing the jobmanager’s UI through its HTTPS URL. The taskmanager’s path in the UI should show akka.ssl.tcp:// as the protocol
  • The blob server and the taskmanagers’ data communication can be verified from the log files
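The configuration above is the minimum needed to turn SSL on, but several things in it deserve a check before it goes to production: the placeholder password, the permissions on a keystore that holds a private key, the default cipher suite and whether hostname verification is still on. The script below is an added example, not part of Flink: it lints the security.ssl.* keys of a flink-conf.yaml and runs without a Flink installation. The key names for the cipher suites, protocol and hostname-verification options are assumed (the option table on this page does not show them); the sample configs and the keystore files are constructed for the demonstration and are not real keystores, and the cipher-suite rules are the author’s own, not Flink policy.

```python
import os
import stat
import tempfile

# Keys taken from this page's own config examples.
KEY_ENABLED = "security.ssl.enabled"
KEY_KEYSTORE = "security.ssl.keystore"
KEY_KEYSTORE_PW = "security.ssl.keystore-password"
KEY_KEY_PW = "security.ssl.key-password"
KEY_TRUSTSTORE = "security.ssl.truststore"
KEY_TRUSTSTORE_PW = "security.ssl.truststore-password"
# Assumed key names for the cipher-suite, protocol and hostname-verification
# options of the option table (their names are not shown on this page).
KEY_ALGORITHMS = "security.ssl.algorithms"
KEY_PROTOCOL = "security.ssl.protocol"
KEY_VERIFY_HOSTNAME = "security.ssl.verify-hostname"

WEAK_PASSWORDS = {"", "password", "changeit"}
OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_conf(text):
    """Parse the flat 'key: value' lines of a flink-conf.yaml into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def _store_findings(label, path):
    """A keystore holds the node's private key: it must exist and be private."""
    if not path:
        return [f"{label}: not configured"]
    if not os.path.isfile(path):
        return [f"{label}: file not found: {path}"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{label}: {path} is readable by group/others (mode {mode:o})"]
    return []


def lint_ssl(conf):
    """Return a list of findings for the security.ssl.* keys; empty means clean."""
    if conf.get(KEY_ENABLED, "false").lower() != "true":
        return ["security.ssl.enabled is not true: all transports run in plaintext"]
    findings = _store_findings("keystore", conf.get(KEY_KEYSTORE))
    findings += _store_findings("truststore", conf.get(KEY_TRUSTSTORE))
    for key in (KEY_KEYSTORE_PW, KEY_KEY_PW, KEY_TRUSTSTORE_PW):
        if conf.get(key, "") in WEAK_PASSWORDS:
            findings.append(f"{key}: empty or well-known default password")
    # Author's heuristic: the page's default suite uses plain RSA key exchange
    # (no forward secrecy) and CBC mode; require ECDHE and flag CBC suites.
    suites = conf.get(KEY_ALGORITHMS, "TLS_RSA_WITH_AES_128_CBC_SHA")
    for suite in (s.strip() for s in suites.split(",") if s.strip()):
        if not suite.startswith("TLS_ECDHE_"):
            findings.append(f"{suite}: no forward secrecy (not an ECDHE suite)")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC suite, prefer an AEAD (GCM) suite")
    protocol = conf.get(KEY_PROTOCOL, "TLSv1.2")
    if "," in protocol:
        findings.append(f"{KEY_PROTOCOL}: a comma-separated list is not supported")
    elif protocol in OBSOLETE_PROTOCOLS:
        findings.append(f"{KEY_PROTOCOL}: {protocol} is obsolete, use TLSv1.2")
    if conf.get(KEY_VERIFY_HOSTNAME, "true").lower() != "true":
        findings.append(f"{KEY_VERIFY_HOSTNAME}: disabled, any CA-signed certificate is accepted")
    return findings


def demo():
    """Lint a constructed weak config and a hardened one; returns both finding lists."""
    tmp = tempfile.mkdtemp()
    ks, ts = os.path.join(tmp, "node1.keystore"), os.path.join(tmp, "ca.truststore")
    for path in (ks, ts):
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real keystore")
        os.chmod(path, 0o644)  # weak: readable by every account on the node
    weak = lint_ssl(parse_conf(f"""
security.ssl.enabled: true
security.ssl.keystore: {ks}
security.ssl.keystore-password: password
security.ssl.key-password: password
security.ssl.truststore: {ts}
security.ssl.truststore-password: password
security.ssl.verify-hostname: false
"""))
    for path in (ks, ts):
        os.chmod(path, 0o600)  # hardened: owner only
    hardened = lint_ssl(parse_conf(f"""
security.ssl.enabled: true
security.ssl.keystore: {ks}
security.ssl.keystore-password: 9xR2-constructed-demo-secret
security.ssl.key-password: 9xR2-constructed-demo-secret
security.ssl.truststore: {ts}
security.ssl.truststore-password: t5Lm-constructed-demo-secret
security.ssl.protocol: TLSv1.2
security.ssl.algorithms: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
security.ssl.verify-hostname: true
"""))
    return weak, hardened
```

Running `demo()` reports eight findings for the weak config (two world-readable stores, three default passwords, two for the default cipher suite and one for disabled hostname verification) and none for the hardened one. Point `lint_ssl(parse_conf(open("conf/flink-conf.yaml").read()))` at a real node to check it the same way.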

YARN Deployment

The keystores and truststore can be deployed in a YARN setup in multiple ways depending on the cluster setup. The following are two ways to achieve this.

1. Deploy keystores before starting the YARN session

The keystores and truststore should be generated and deployed on all nodes in the YARN setup where Flink components can potentially be executed. The same Flink config file from the Flink YARN client is used for all the Flink components running in the YARN cluster. Therefore you need to ensure the keystore is deployed and accessible under the same file path on all the YARN nodes.

Example config

security.ssl.enabled: true
security.ssl.keystore: /usr/local/node.keystore
security.ssl.keystore-password: password
security.ssl.key-password: password
security.ssl.truststore: /usr/local/ca.truststore
security.ssl.truststore-password: password

Now you can start the YARN session from the CLI like you would normally do.

2. Use YARN CLI to deploy the keystores and truststore

You can use the YARN client’s ship-files option (-yt) to distribute the keystores and truststore. Since the same keystore is deployed to all nodes, a single certificate in that keystore must be valid for every node. This can be done either by using the Subject Alternative Name (SAN) extension in the certificate and setting it to cover all nodes (hostnames and IP addresses) in the cluster, or by using wildcard subdomain names (if the cluster is set up accordingly). Note that a shipped keystore, private key included, is uploaded to the application’s staging directory in the distributed file system and localized into every container, so anyone who can read that staging area can read the key.


  • Supply the following parameters to the keytool command when generating the keystore (with <node1-host>, <node1-ip>, <node2-host> and <node2-ip> replaced by the cluster’s hostnames and IP addresses): -ext SAN=dns:<node1-host>,ip:<node1-ip>,dns:<node2-host>,ip:<node2-ip>
  • Copy the keystore and the CA’s truststore into a local directory (at the CLI’s working directory), say deploy-keys/
  • Update the configuration to pick up the files from a relative path
security.ssl.enabled: true
security.ssl.keystore: deploy-keys/node.keystore
security.ssl.keystore-password: password
security.ssl.key-password: password
security.ssl.truststore: deploy-keys/ca.truststore
security.ssl.truststore-password: password
  • Start the YARN session using the -yt parameter
flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar
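Both the per-node keystores generated above and the single shared keystore shipped with -yt depend on hostname verification (on by default) accepting the certificate for whatever address a peer dials, hostname or IP. The script below is an added example, not Flink or JVM code: it reimplements the SAN matching rules the JVM applies (exact DNS match, a wildcard only as the whole left-most label covering one label, an IP literal matched against ip: entries only) and builds the -ext SAN=... value for a whole cluster, so a SAN list can be checked against every way a node might be addressed before the keystores are generated. The cluster hostnames and addresses are constructed for the demonstration.

```python
import ipaddress


def parse_san(ext):
    """Split a keytool-style SAN value ('SAN=dns:host,ip:addr,...') into a list
    of lower-cased DNS patterns and a list of IP address objects."""
    if ext.upper().startswith("SAN="):
        ext = ext[4:]
    dns, ips = [], []
    for entry in ext.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.lower() == "dns":
            dns.append(value.lower().rstrip("."))
        elif kind.lower() == "ip":
            ips.append(ipaddress.ip_address(value))
        else:
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return dns, ips


def dns_matches(pattern, host):
    """RFC 6125-style match: exact, or a '*' that is the whole left-most label
    and covers exactly one label ('*.a.org' matches 'x.a.org', but neither
    'y.x.a.org' nor 'a.org'; 'node*.a.org' is not a valid wildcard)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False
    hfirst, _, hrest = host.partition(".")
    return bool(hfirst) and hrest == rest


def peer_is_verified(san_ext, target):
    """True if a peer that dialed `target` (a hostname or an IP literal) would
    accept a certificate carrying these SANs. An IP literal is only matched
    against ip: entries, never against dns: entries, which is why the page
    asks for both in every node certificate."""
    dns, ips = parse_san(san_ext)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:
        return any(dns_matches(p, target) for p in dns)


def san_extension_for_cluster(nodes):
    """Build the value for keytool's -ext option that covers every
    (hostname, ip) pair, as the single keystore shipped with -yt needs."""
    parts = []
    for host, ip in nodes:
        parts.append(f"dns:{host}")
        parts.append(f"ip:{ipaddress.ip_address(ip)}")
    return "SAN=" + ",".join(parts)


def uncovered(san_ext, nodes):
    """Return the hostnames and addresses from `nodes` that the SAN list does
    not cover; an empty list means every node can be dialed either way."""
    targets = [t for host, ip in nodes for t in (host, ip)]
    return [t for t in targets if not peer_is_verified(san_ext, t)]


# Constructed cluster for the demonstration (documentation addresses, not real hosts).
CLUSTER = [("node1.flink.example.org", "192.0.2.11"),
           ("node2.flink.example.org", "192.0.2.12")]
```

`san_extension_for_cluster(CLUSTER)` yields the string to pass to keytool’s -ext option, and `uncovered(ext, CLUSTER)` returns an empty list for it. Feeding it a DNS-only SAN list instead returns both IP addresses as uncovered, which is the failure the page’s "hostname and IP" requirement exists to prevent: a taskmanager that registers by IP would fail hostname verification against such a certificate.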

When deployed using YARN, Flink’s web dashboard is accessible through the YARN proxy’s Tracking URL. To ensure that the YARN proxy is able to reach Flink’s HTTPS URL, you need to configure the YARN proxy to accept Flink’s SSL certificates: add the custom CA certificate to Java’s default truststore on the YARN proxy node.
