Enable server-to-server encryption

Enable server-to-server encryption (using TLS) for intranode communication.

Prerequisites

Before you can enable and use server-to-server encryption, you need to create and configure server certificates for each node of your YugabyteDB cluster. For information, see Create server certificates.

Configure YB-Master and YB-TServer nodes

To enable server-to-server encryption using TLS, start your YB-Master and YB-TServer nodes using the following flags.

use_node_to_node_encryption
    Nodes: YB-Master, YB-TServer
    Set to true to enable encryption between YugabyteDB nodes. Default value is false.

allow_insecure_connections
    Nodes: YB-Master, YB-TServer
    Set to false to refuse any service that tries to join this cluster over an unencrypted connection. Default value is true, so unless you set it to false a peer started without TLS can still join even when --use_node_to_node_encryption is on. This flag requires --use_node_to_node_encryption=true.

certs_dir
    Nodes: YB-Master, YB-TServer
    Optional. Directory containing the certificates created for this node to perform encrypted communication with the other nodes (see Create server certificates). Default for YB-Masters is <data drive>/yb-data/master/data/certs and for YB-TServers is <data drive>/yb-data/tserver/data/certs.

Start the YB-Masters

You enable server-to-server encryption by starting the yb-master services with the --use_node_to_node_encryption=true flag described above; add --allow_insecure_connections=false so that a master started without TLS cannot join. Your command should look similar to this:

bin/yb-master                               \
    --fs_data_dirs=<data directories>       \
    --master_addresses=<master addresses>   \
    --certs_dir=/home/centos/tls/$NODE_IP   \
    --allow_insecure_connections=false      \
    --use_node_to_node_encryption=true

For information on starting YB-Master nodes for a deployment, see Start YB-Masters.

Start the YB-TServers

You enable server-to-server encryption on the tablet servers the same way, starting the yb-tserver services with the --use_node_to_node_encryption=true flag described above and --allow_insecure_connections=false. Your command should look similar to this:

bin/yb-tserver                                  \
    --fs_data_dirs=<data directories>           \
    --tserver_master_addrs=<master addresses>   \
    --certs_dir=/home/centos/tls/$NODE_IP       \
    --allow_insecure_connections=false          \
    --use_node_to_node_encryption=true

For information on starting YB-TServers for a deployment, see Start YB-TServers.
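As an added example (not part of the YugabyteDB documentation or code), the following POSIX shell preflight ties the steps above together: it checks that a node's certs_dir holds the files an encrypted start-up needs, that the private key is not readable by group or other users, that the key matches the certificate and that the certificate chains to the CA, and then composes the yb-master or yb-tserver command line with all three flags from the table, --allow_insecure_connections=false included, so the flag whose default lets unencrypted peers join is never forgotten. The file names ca.crt, node.<ip>.crt and node.<ip>.key are an assumption about what Create server certificates produces and are not stated on this page; the function names are invented for this example.

```shell
#!/bin/sh
# Preflight for YugabyteDB node-to-node TLS. Added example, not project code.
# Assumed certs_dir layout (not stated on this page): ca.crt, node.<ip>.crt
# and node.<ip>.key as produced by "Create server certificates".

# yb_check_certs_dir NODE_IP CERTS_DIR
# Returns 0 when CERTS_DIR holds a usable certificate set for NODE_IP:
# all files present, private key readable by owner only, key matches the
# certificate, certificate signed by ca.crt (last two checks need openssl).
yb_check_certs_dir() {
    ip=$1; dir=$2
    ca="$dir/ca.crt"; crt="$dir/node.$ip.crt"; key="$dir/node.$ip.key"
    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Columns 5-10 of 'ls -l' are the group/other permission bits; all must be '-'.
    case "$(ls -ld "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "private key $key is readable by group/other" >&2; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # The public key inside the cert must equal the one derived from the key.
        cert_pub=$(openssl x509 -noout -pubkey -in "$crt") || return 1
        key_pub=$(openssl pkey -pubout -in "$key") || return 1
        [ "$cert_pub" = "$key_pub" ] \
            || { echo "$crt does not match $key" >&2; return 1; }
        # The node cert must be issued by the CA that every other node trusts.
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
            || { echo "$crt is not signed by $ca" >&2; return 1; }
    else
        echo "openssl not found; skipping key/chain checks" >&2
    fi
    return 0
}

# yb_tls_flags NODE_IP CERTS_DIR
# Prints the three flags from the table above. allow_insecure_connections=false
# is what stops an unencrypted peer from joining, so it is always emitted.
yb_tls_flags() {
    yb_check_certs_dir "$1" "$2" || return 1
    printf '%s %s %s\n' "--certs_dir=$2" \
        "--use_node_to_node_encryption=true" \
        "--allow_insecure_connections=false"
}

# yb_start_cmd ROLE NODE_IP CERTS_DIR DATA_DIRS MASTER_ADDRS
# Composes (does not execute) the yb-master or yb-tserver command line,
# mirroring the two commands shown above. ROLE is "master" or "tserver".
yb_start_cmd() {
    role=$1; ip=$2; certs=$3; data=$4; masters=$5
    flags=$(yb_tls_flags "$ip" "$certs") || return 1
    case "$role" in
        master)
            echo "bin/yb-master --fs_data_dirs=$data --master_addresses=$masters $flags" ;;
        tserver)
            echo "bin/yb-tserver --fs_data_dirs=$data --tserver_master_addrs=$masters $flags" ;;
        *)
            echo "role must be master or tserver" >&2; return 1 ;;
    esac
}

# Usage (dry run): print the command for one node, refusing if its certs are bad.
# yb_start_cmd tserver 10.0.0.5 /home/centos/tls/10.0.0.5 /mnt/d0 10.0.0.1:7100,10.0.0.2:7100
```

Run the preflight on every node before the first start so that a node with a missing or mismatched certificate fails loudly here rather than being the one node that joins the cluster in plaintext.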

Connect to the cluster

Because only server-to-server encryption is enabled, not client-to-server encryption, you can connect to this cluster using the YSQL shell (ysqlsh) or the YCQL shell (ycqlsh) without configuring TLS on the client, as shown here. Traffic between nodes is now encrypted, but client connections still travel in plaintext until you also enable client-to-server encryption.

YSQL

$ ./bin/ysqlsh
ysqlsh (11.2-YB-2.0.11.0-b0)
Type "help" for help

yugabyte=#

YCQL

$ ./bin/ycqlsh
Connected to local cluster at 127.0.0.1:9042.
[ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.

ycqlsh>