Securing Exhibitor with mutual TLS


Securing DC/OS with a TLS enabled Exhibitor ensemble

By default, the Exhibitor HTTP service is open to any client that can reach port 8181 on a master node. This page describes a method for protecting the Exhibitor service from unauthorized access. Once enabled, HTTP clients must access Exhibitor through Admin Router, which applies the Admin Router access control policy to the Exhibitor service.

NOTE: When accessing Exhibitor through Admin Router (https://master_host/exhibitor), authenticated users must have the dcos:adminrouter:ops:exhibitor privilege with the full action identifier.

Securing Exhibitor

The strategy for securing Exhibitor is mutual TLS authentication. To secure Exhibitor you must first create a unique root CA certificate. This CA certificate is used to sign the end-entity certificates for the Admin Router and Exhibitor services. Creating a public key infrastructure that outputs PEM and Java KeyStore formatted artifacts is not a trivial task. To make this process easier, a simple tool has been created for producing the necessary files.

NOTE: This guide is only compatible with clusters that use static master discovery; master_http_loadbalancer is not currently supported. (/mesosphere/dcos/1.13/installing/production/advanced-configuration/configuration-reference/#master-discovery-required)

Using the tool

NOTE: A working Docker installation is required. If Docker is not available, see for information on running the command natively.

Download the script from the GitHub release page and run it:

curl -LsO
chmod +x exhibitor-tls-artifacts
./exhibitor-tls-artifacts --help

The expected output is shown below:

Usage: exhibitor-tls-artifacts [OPTIONS] [NODES]...

Generates Admin Router and Exhibitor TLS artifacts. NODES should consist
of a space separated list of master IP addresses. See

-d, --output-directory TEXT  Directory to put artifacts in. This
                             output_directory must not exist.
--help                       Show this message and exit.

Generating the artifacts

To generate the TLS artifacts, run the tool with the master node IP addresses as positional arguments. Use the IP addresses found in the master_list field of the DC/OS configuration file, config.yml. If this file is not available, running /opt/mesosphere/bin/detect_ip on each master node will produce the correct address.

As an example, if your master nodes are,,, invoke the script using:


The above command creates a directory called artifacts (which must not exist before the command is run) in the current directory. Under artifacts you will find root-cert.pem and truststore.jks, which contain the root CA certificate in PEM and Java KeyStore format respectively. The artifacts directory will also contain 3 sub-directories,,, and, each containing the following files:


These directories contain all necessary files for securing each Exhibitor node.

Installing the artifacts

Copy the contents of each node's artifact directory to /var/lib/dcos/exhibitor-tls-artifacts on the appropriate master.

For example:

scp -r artifacts/ root@
scp -r artifacts/ root@
scp -r artifacts/ root@

Restarting the services

Exhibitor and Master Admin Router must be restarted on all master nodes. After all files have been copied, run the following commands on each master node.

WARNING: This will result in a small amount of downtime for ZooKeeper and Master Admin Router.

systemctl restart dcos-exhibitor.service
systemctl restart dcos-adminrouter.service

The systemd unit scripts will detect the presence of the artifacts and set file ownership and permissions accordingly.
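The PKI shape that the tool produces (one root CA, one end-entity certificate per master, PEM and Java KeyStore trust anchors, as described in "Securing Exhibitor" above) together with the private-key permission expectation just mentioned, as an added bash example. This is not the exhibitor-tls-artifacts tool's own code; it assumes openssl is on PATH and treats keytool as optional. The file names root-key.pem, node-key.pem, node-cert.pem and node.cnf, the master addresses 10.0.0.1 to 10.0.0.3 and the key store password changeit are constructed for this example and are not the tool's own layout.

```shell
#!/usr/bin/env bash
# Added example, not the exhibitor-tls-artifacts tool: builds the same kind of
# PKI (root CA, one end-entity certificate per master, PEM and JKS trust
# anchors) and checks it. Needs openssl; keytool is optional. The file names,
# master addresses and the key store password are constructed assumptions.
set -euo pipefail
# make_ca OUTDIR: write OUTDIR/root-key.pem and OUTDIR/root-cert.pem.
make_ca() {
  local out=$1
  mkdir -p "$out" || return 1
  cat >"$out/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Exhibitor mutual TLS root CA (example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$out/ca.cnf" \
    -keyout "$out/root-key.pem" -out "$out/root-cert.pem" >/dev/null 2>&1 || return 1
  chmod 600 "$out/root-key.pem"
}
# make_node_cert OUTDIR IP: issue OUTDIR/IP/node-{key,cert}.pem under OUTDIR's CA.
# The cert names IP in subjectAltName and allows serverAuth and clientAuth, since
# each master is both a TLS server (Exhibitor) and a TLS client (Admin Router).
make_node_cert() {
  local out=$1 ip=$2 dir="$1/$2"
  mkdir -p "$dir" || return 1
  cat >"$dir/node.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $ip
[v3_node]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = IP:$ip
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/node.cnf" \
    -keyout "$dir/node-key.pem" -out "$dir/node.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/node.csr" -CA "$out/root-cert.pem" -CAkey "$out/root-key.pem" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/node.cnf" -extensions v3_node \
    -out "$dir/node-cert.pem" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/node-key.pem"
  cp "$out/root-cert.pem" "$dir/root-cert.pem"   # trust anchor ships with each node
}
# build_artifacts OUTDIR IP...: like the tool, refuse an OUTDIR that already exists;
# add truststore.jks (Java KeyStore holding the root cert) when keytool is on PATH.
build_artifacts() {
  local out=$1 ip
  shift
  [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
  make_ca "$out" || return 1
  for ip in "$@"; do make_node_cert "$out" "$ip" || return 1; done
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -alias exhibitor-root -file "$out/root-cert.pem" \
    -keystore "$out/truststore.jks" -storepass changeit >/dev/null 2>&1
}
# chains_to_ca OUTDIR CERT: 0 if CERT was issued under OUTDIR/root-cert.pem.
chains_to_ca() { openssl verify -CAfile "$1/root-cert.pem" "$2" >/dev/null 2>&1; }
# has_ip_san CERT IP: 0 if CERT lists IP as a subjectAltName.
has_ip_san() {
  local text
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$text" in *"IP Address:$2"*) return 0 ;; *) return 1 ;; esac
}
# private_keys_locked DIR: 0 if at least one *-key.pem exists and every one is 0600.
private_keys_locked() {
  local key mode n=0
  for key in $(find "$1" -name '*-key.pem'); do
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 600 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]
}
# verify_artifacts OUTDIR IP...: checks worth running before copying a node's
# directory to /var/lib/dcos/exhibitor-tls-artifacts on that master.
verify_artifacts() {
  local out=$1 ip
  shift
  for ip in "$@"; do
    chains_to_ca "$out" "$out/$ip/node-cert.pem" || return 1
    has_ip_san "$out/$ip/node-cert.pem" "$ip" || return 1
  done
  private_keys_locked "$out"
}
# Stand-alone run with constructed master addresses.
demo=$(mktemp -d)/artifacts
build_artifacts "$demo" 10.0.0.1 10.0.0.2 10.0.0.3
verify_artifacts "$demo" 10.0.0.1 10.0.0.2 10.0.0.3 && echo "verified: $demo"
```

build_artifacts refuses to write into an existing directory, mirroring the tool's --output-directory behaviour, and verify_artifacts fails if a node certificate does not chain to root-cert.pem, does not carry its master IP as a subjectAltName, or if any private key is readable by group or others. The same chains_to_ca check run against a certificate from an unrelated CA fails, which is what a mutual TLS peer does with a client presenting a certificate the root CA never signed.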

Deploying a new cluster

Generate the artifacts and copy the files to the master servers before installing DC/OS.