Enable server-to-server encryption

Prerequisites

Before you can enable and use server-to-server encryption, you need to create and configure server certificates for each node of your YugabyteDB cluster. For information, see Create server certificates.

Configure YB-Master and YB-TServer nodes

To enable server-to-server encryption using TLS, start your YB-Master and YB-TServer nodes using the following configuration options.

Configuration option (flag), the nodes it applies to, and its description:

--use_node_to_node_encryption
  Node: YB-Master, YB-TServer
  Description: Set to true to enable encryption between YugabyteDB nodes. Default value is false.

--allow_insecure_connections
  Node: YB-Master only
  Description: Set to false to disallow any service with unencrypted communication from joining this cluster. Default value is true, so a cluster with only --use_node_to_node_encryption=true still accepts unencrypted peers until this is set to false. Note that this option requires --use_node_to_node_encryption to be enabled.

--certs_dir
  Node: YB-Master, YB-TServer
  Description: Optional. This directory should contain the certificates prepared in the Create server certificates step for this node to perform encrypted communication with the other nodes. Default value for YB-Masters is <data drive>/yb-data/master/data/certs and for YB-TServers it is <data drive>/yb-data/tserver/data/certs.

Start the YB-Masters

You can enable server-to-server encryption by starting the yb-master services with the --use_node_to_node_encryption=true option as described above. Your command should look similar to this:

  bin/yb-master \
    --fs_data_dirs=<data directories> \
    --master_addresses=<master addresses> \
    --certs_dir=/home/centos/tls/$NODE_IP \
    --allow_insecure_connections=false \
    --use_node_to_node_encryption=true

For information on starting YB-Master nodes for a deployment, see Start YB-Masters.

Start the YB-TServers

You can enable server-to-server encryption by starting the yb-tserver services with the --use_node_to_node_encryption=true option described above. Your command should look similar to this:

  bin/yb-tserver \
    --fs_data_dirs=<data directories> \
    --tserver_master_addrs=<master addresses> \
    --certs_dir=/home/centos/tls/$NODE_IP \
    --use_node_to_node_encryption=true &

For information on starting YB-TServers for a deployment, see Start YB-TServers.
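The two start procedures above share one failure mode worth catching before a process is launched: a certs_dir that is missing a file, or a private key that is readable by other users on the host. The following POSIX shell script is an added example (not YugabyteDB's own tooling) that checks a node's certs_dir and then assembles the yb-master and yb-tserver command lines with the flags shown above. It assumes the file layout ca.crt, node.<node-ip>.crt and node.<node-ip>.key from the Create server certificates step; the node IP, data directories and master addresses are parameters.

```shell
#!/bin/sh
# Added example, not part of the YugabyteDB documentation or binaries.
# Assumed certs_dir layout (from the "Create server certificates" step):
#   ca.crt, node.<ip>.crt, node.<ip>.key

# Return 0 if certs_dir holds the three files a node needs and the private
# key is not group/world readable; return 1 and print the reason otherwise.
check_certs_dir() {
  dir="$1"; ip="$2"
  for f in "ca.crt" "node.$ip.crt" "node.$ip.key"; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f" >&2
      return 1
    fi
  done
  # GNU stat on Linux, BSD stat on macOS.
  perms=$(stat -c '%a' "$dir/node.$ip.key" 2>/dev/null || stat -f '%Lp' "$dir/node.$ip.key")
  case "$perms" in
    600|400) ;;
    *) echo "private key $dir/node.$ip.key has mode $perms; expected 600 or 400" >&2
       return 1 ;;
  esac
  return 0
}

# Print the yb-master command line for one node. The certs_dir check runs
# first so a master is never started with a broken or exposed key.
master_cmd() {
  ip="$1"; certs="$2"; data_dirs="$3"; masters="$4"
  check_certs_dir "$certs" "$ip" || return 1
  printf '%s' "bin/yb-master --fs_data_dirs=$data_dirs --master_addresses=$masters --certs_dir=$certs --allow_insecure_connections=false --use_node_to_node_encryption=true"
}

# Same for yb-tserver; allow_insecure_connections is a YB-Master-only flag,
# so it is deliberately absent here.
tserver_cmd() {
  ip="$1"; certs="$2"; data_dirs="$3"; masters="$4"
  check_certs_dir "$certs" "$ip" || return 1
  printf '%s' "bin/yb-tserver --fs_data_dirs=$data_dirs --tserver_master_addrs=$masters --certs_dir=$certs --use_node_to_node_encryption=true"
}
```

Run `master_cmd 10.0.0.1 /home/centos/tls/10.0.0.1 /mnt/d0 10.0.0.1:7100,10.0.0.2:7100` to see the exact command that would be launched; a non-zero exit with a message on stderr means the node's certificate directory is not ready and the process should not be started.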

Connect to the cluster

Because you have enabled only server-to-server encryption and not client-to-server encryption, you can connect to this cluster using the YSQL shell (ysqlsh) or the YCQL shell (cqlsh) without enabling encryption, as shown here.

YSQL

  $ ./bin/ysqlsh
  ysqlsh (11.2-YB-2.0.11.0-b0)
  Type "help" for help
  yugabyte=#

YCQL

  $ ./bin/cqlsh
  Connected to local cluster at 127.0.0.1:9042.
  [cqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
  Use HELP for help.
  cqlsh>