3. Client-server encryption
To enable client-to-server encryption, bring up the YB-TServer processes with the flags shown below. The yb-tserver process requires the following additional flags to enable client-to-server encryption.
Option | Process | Description
--use_client_to_server_encryption | YB-TServer | Optional, default value is
--allow_insecure_connections | YB-TServer | Optional, defaults to
--certs_for_client_dir | YB-TServer | Optional, defaults to the same directory as the server-to-server encryption. This directory should contain the configuration for the client to perform TLS communication with the cluster. Default value for the YB-TServers is
You can enable encryption by starting the yb-tserver processes minimally with the --use_client_to_server_encryption=true flag as described above. This will allow both encrypted clients and clients without encryption to connect to the cluster. To ensure that only clients with the appropriate encryption configured are able to connect, set the --allow_insecure_connections=false flag as well.
Note: Remember to set --allow_insecure_connections=false to enforce TLS communication between the YugaByte DB cluster and all the clients. Omitting this flag will allow clients to connect without encryption as well.
Your command should look similar to that shown below:

bin/yb-tserver \
  --fs_data_dirs=<data directories> \
  --tserver_master_addrs=<master addresses> \
  --certs_for_client_dir /home/centos/tls/$NODE_IP \
  --allow_insecure_connections=false \
  --use_client_to_server_encryption=true &
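The mixed mode the note warns about (encryption enabled but --allow_insecure_connections left at its default) is easy to miss in a long command line. The following is an added example, not YugaByte code: it parses a yb-tserver command line in gflags style (--flag=value, --flag value, bare --flag for true, --noflag for false, which is an assumption about the flag syntax) and reports whether the three client-to-server TLS flags from this section are set so that TLS is both enabled and enforced. The two sample command lines are constructed for the example; absent flags are interpreted as the text above describes them (no --use_client_to_server_encryption means encryption is off, no --allow_insecure_connections means unencrypted clients are still accepted).

```python
import shlex

BOOL_TRUE = {"true", "1", "yes", "t", "y"}
BOOL_FALSE = {"false", "0", "no", "f", "n"}

# Constructed sample: mirrors the command above with placeholder paths/addresses.
SAMPLE_ENFORCED = r"""bin/yb-tserver \
  --fs_data_dirs=/mnt/d0 \
  --tserver_master_addrs=10.0.0.1:7100,10.0.0.2:7100,10.0.0.3:7100 \
  --certs_for_client_dir /home/centos/tls/$NODE_IP \
  --allow_insecure_connections=false \
  --use_client_to_server_encryption=true &"""

# Constructed sample: encryption enabled, but the enforcement flag was dropped.
SAMPLE_MIXED = r"""bin/yb-tserver \
  --fs_data_dirs=/mnt/d0 \
  --tserver_master_addrs=10.0.0.1:7100,10.0.0.2:7100,10.0.0.3:7100 \
  --certs_for_client_dir /home/centos/tls/$NODE_IP \
  --use_client_to_server_encryption=true &"""


def parse_gflags(cmdline: str) -> dict:
    """Turn a shell command line into {flag_name: value} (values kept as strings).

    Handles --flag=value, --flag value, bare --flag (-> "true") and --noflag
    (-> "false"). Backslash line continuations and a trailing '&' are tolerated.
    Non-flag tokens (the binary path, '&') are ignored.
    """
    tokens = shlex.split(cmdline.replace("\\\n", " "))
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            body = tok[2:]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if "=" in body:
                name, value = body.split("=", 1)
            elif nxt is not None and not nxt.startswith("--") and nxt != "&":
                name, value = body, nxt          # "--flag value" form
                i += 1
            elif body.startswith("no") and len(body) > 2:
                name, value = body[2:], "false"  # gflags "--noflag" form (assumed)
            else:
                name, value = body, "true"       # bare boolean flag
            flags[name] = value
        i += 1
    return flags


def audit_client_tls(flags: dict) -> list:
    """Check the three client-to-server TLS flags; returns (severity, message) pairs."""
    findings = []
    # Absent flag means encryption is not enabled (the flag is required to enable it).
    enc = flags.get("use_client_to_server_encryption", "false").lower()
    if enc not in BOOL_TRUE:
        findings.append(("error",
                         "use_client_to_server_encryption is not true: "
                         "client-to-server TLS is off"))
    # Absent flag means unencrypted clients are still allowed (see the note above).
    insecure = flags.get("allow_insecure_connections", "true").lower()
    if insecure not in BOOL_FALSE:
        findings.append(("error",
                         "allow_insecure_connections is not false: "
                         "clients without encryption can still connect"))
    # Optional: without it the server-to-server certs directory is used.
    if "certs_for_client_dir" not in flags:
        findings.append(("info",
                         "certs_for_client_dir not set: the server-to-server "
                         "certificate directory will be used for clients"))
    return findings


def is_tls_enforced(cmdline: str) -> bool:
    """True only when TLS is enabled and unencrypted clients are rejected."""
    return not any(sev == "error" for sev, _ in audit_client_tls(parse_gflags(cmdline)))


if __name__ == "__main__":
    for label, cmd in (("enforced", SAMPLE_ENFORCED), ("mixed", SAMPLE_MIXED)):
        print(label, "->", "OK" if is_tls_enforced(cmd) else "NOT ENFORCED")
        for sev, msg in audit_client_tls(parse_gflags(cmd)):
            print("  [%s] %s" % (sev, msg))
```

Running the script with the two constructed samples reports the first command as enforced and the second as not enforced, with the single error naming allow_insecure_connections. The same parser can be pointed at a process's actual command line (for example from `ps` output) to check a running node.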
You can read more about bringing up the YB-TServers for a deployment in the section on manual deployment of a YugaByte DB cluster.