
1. Prepare nodes

Attention

This page documents an earlier version. Go to the latest (v2.3) version.
  • Basic setup
    • Create a secure data directory
    • Prepare an IP_ADDRESSES environment variable
    • Create a directory for configuration data of each node
    • Create the OpenSSL CA configuration
    • Set up the necessary files
  • Generate root configuration
  • Generate per-node configuration
    • Generate configuration for each node
    • Generate private key for each node
    • Generate the node certificates
  • Copy configuration files to the nodes

This page describes how to prepare each node in a YugabyteDB cluster to enable TLS encryption.

Basic setup

Create a secure data directory

We will generate and store the secure material, such as the root certificate, in the secure-data directory. Once the setup is done, we will copy this data to a secure location and delete this directory.

$ mkdir secure-data

Prepare an IP_ADDRESSES environment variable

In this example, we assume a 3-node cluster, with the variables ip1, ip2 and ip3 representing the IP addresses of the three nodes. Create a variable IP_ADDRESSES that holds a space-separated list of the IP addresses of all the nodes. We will use this variable to loop over all the nodes when needed.

$ export IP_ADDRESSES="$ip1 $ip2 $ip3 ..."

Tip

Add the desired set of IP addresses or node names into the IP_ADDRESSES variable as shown above. Remember to add exactly one entry for each node in the cluster.

Create a directory for configuration data of each node

We will create one directory per node and put all the required data in that directory. This directory will eventually be copied into the respective nodes.

$ for node in $IP_ADDRESSES;
do
  mkdir $node
done

Create the OpenSSL CA configuration

Create the file ca.conf in the secure-data directory with the OpenSSL CA configuration.

$ cat > secure-data/ca.conf

Paste the following example config into the file.

################################
# Example CA configuration file
################################

[ ca ]
default_ca = my_ca

[ my_ca ]
# Validity of the signed certificate in days.
default_days = 3650


# Text file with next hex serial number to use.
serial = ./serial.txt

# Text database file to use, initially empty.
database = ./index.txt

# Message digest algorithm. Do not use MD5.
default_md = sha256

# a section with a set of variables corresponding to DN fields
policy = my_policy

[ my_policy ]

# Policy for nodes and users. If the value is "match" then the
# field value must match the same field in the CA certificate.
# If the value is "supplied" then it must be present. "optional"
# means it may be present.
organizationName = supplied
commonName = supplied

[req]
prompt=no
distinguished_name = my_distinguished_name
x509_extensions = my_extensions

[ my_distinguished_name ]
organizationName = Yugabyte
commonName = CA for YugabyteDB

[ my_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1

Set up the necessary files

Delete any existing serial and index database files. The ca.conf above refers to ./serial.txt and ./index.txt relative to the current directory, so run these commands, and the openssl ca command later on this page, from the parent directory of secure-data.

$ rm -f index.txt serial.txt

Create an empty index database file and a serial file that starts at 01.

$ touch index.txt ; echo '01' > serial.txt

Generate root configuration

In this section, we will generate the root key file ca.key and the root certificate ca.crt.

We will generate the root private key file ca.key in the secure-data directory using the openssl genrsa command as shown below.

$ openssl genrsa -out secure-data/ca.key 2048

Change the permissions of the generated private key as follows.

$ chmod 400 secure-data/ca.key

Now generate the root certificate. Pass -days explicitly: default_days in ca.conf applies only to the openssl ca command, and without -days the openssl req -x509 command issues a root certificate that is valid for only 30 days.

$ openssl req -new                         \
            -x509                        \
            -days 3650                   \
            -config secure-data/ca.conf  \
            -key secure-data/ca.key      \
            -out secure-data/ca.crt

You can verify the root certificate by doing the following:

$ openssl x509 -in secure-data/ca.crt -text -noout

You should see output that looks as follows (your serial number and validity dates will differ):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9342236890667368184 (0x81a64af46bc73ef8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Yugabyte, CN=CA for YugabyteDB
        Validity
            Not Before: Dec 20 05:16:11 2018 GMT
            Not After : Jan 19 05:16:11 2019 GMT
        Subject: O=Yugabyte, CN=CA for YugabyteDB
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:c2:99:c8:10:38:12:a3:24:1b:2e:d5:de:30:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
    Signature Algorithm: sha256WithRSAEncryption
         51:b2:9c:4f:3d:7c:42:fc:93:e6:7b:f0:16:46:d2:21:4f:33:
         ...

Copy the generated root certificate file ca.crt to all the node directories.

$ for node in $IP_ADDRESSES;
do
  cp secure-data/ca.crt $node/;
done

Generate per-node configuration

In this section, we will generate the node key node.key and node certificate node.crt for each node.

Generate configuration for each node

Repeat the steps in this section once for each node.

Tip

The IP address of each node is denoted by the variable $NODE_IP_ADDRESS below.

Generate a configuration file (node.conf) for each node in the appropriate node directory as shown below.

$ cat > $NODE_IP_ADDRESS/node.conf

A sample config that you can use is below; customize it as needed. The cat command above writes the resulting node.conf file directly into the appropriate node directory.

Note

Remember to replace the <NODE_IP_ADDRESS> entry in the example config file below with the node name or IP address of each node.

################################
# Example node configuration file
################################

[ req ]
prompt=no
distinguished_name = my_distinguished_name

[ my_distinguished_name ]
organizationName = Yugabyte
# Required value for commonName, do not change.
commonName = <NODE_IP_ADDRESS>

Generate private key for each node

You can generate the private key for each of the nodes as follows.

Note

The file names must be of the format node.<commonName>.key for YugabyteDB to recognize the file.

$ for node in $IP_ADDRESSES;
do
  openssl genrsa -out $node/node.$node.key 2048
  chmod 400 $node/node.$node.key
done

Generate the node certificates

Next, we need to generate the node certificate. This has two steps. First, create the certificate signing request (CSR) for each node.

$ for node in $IP_ADDRESSES;
do
  openssl req -new                       \
              -config $node/node.conf    \
              -key $node/node.$node.key  \
              -out $node/node.csr
done

Sign the node CSR with ca.key and ca.crt.

$ for node in $IP_ADDRESSES;
do
  openssl ca -config secure-data/ca.conf   \
             -keyfile secure-data/ca.key   \
             -cert secure-data/ca.crt      \
             -policy my_policy             \
             -out $node/node.$node.crt     \
             -outdir $node/                \
             -in $node/node.csr            \
             -days 3650                    \
             -batch
done

Note

The node key and certificate must use the node.<name>.key and node.<name>.crt naming format.

You can verify the signed certificate for each of the nodes by doing the following (substitute each node's address for $node):

$ openssl verify -CAfile secure-data/ca.crt $node/node.$node.crt

You should see the following output:

X.X.X.X/node.X.X.X.X.crt: OK

Copy configuration files to the nodes

The files needed for each node are:

  • ca.crt
  • node.<name>.crt
  • node.<name>.key

You can remove all other files in the node directories as they are unnecessary.

Upload the necessary information to the target node.

$ for node in $IP_ADDRESSES;
do
  # Create the directory that will contain the config files.
  # The command is quoted so that ~ expands on the remote host, not locally.
  ssh <username>@$node 'mkdir -p ~/yugabyte-tls-config'

  # Copy all the config files into the above directory.
  scp $node/ca.crt <username>@$node:~/yugabyte-tls-config/
  scp $node/node.$node.crt <username>@$node:~/yugabyte-tls-config/
  scp $node/node.$node.key <username>@$node:~/yugabyte-tls-config/
done

You can now delete or appropriately secure the directories we created for the various nodes on the local machine.
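The script below is an added example and is not code from the YugabyteDB docs. It runs the CA and per-node steps of this page end to end in a scratch directory for one constructed node address (127.0.0.1 stands in for $NODE_IP_ADDRESS) and then applies the checks worth running before the files are shipped to a node: the chain verification shown above, plus that the certificate's CN equals the address used in the node.<commonName>.key and .crt file names, that the private key and certificate belong together, that the key is owner-read-only, that the root certificate was issued with a long validity rather than the 30-day openssl req default, and that only ca.crt, node.<name>.crt and node.<name>.key remain in the node directory. It assumes openssl is on PATH; the function names (build_tls_tree, verify_chain, cert_cn and the rest) are the example's own.

```shell
#!/bin/sh
# Added example (not from the YugabyteDB docs): runs the page's CA and per-node
# steps end to end in a scratch directory for one constructed node address,
# then applies the checks worth running before the files are shipped.
# Assumes openssl is on PATH; 127.0.0.1 stands in for $NODE_IP_ADDRESS.
set -eu

# Write the page's CA configuration into $1/secure-data/ca.conf.
write_ca_conf() {
  cat > "$1/secure-data/ca.conf" <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
default_days = 3650
serial = ./serial.txt
database = ./index.txt
default_md = sha256
policy = my_policy
[ my_policy ]
organizationName = supplied
commonName = supplied
[ req ]
prompt = no
distinguished_name = my_distinguished_name
x509_extensions = my_extensions
[ my_distinguished_name ]
organizationName = Yugabyte
commonName = CA for YugabyteDB
[ my_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
EOF
}

# Build secure-data/ and one node directory under work dir $1 for node $2.
# Subshell chained with && so any failing step fails the whole call.
build_tls_tree() (
  cd "$1" && mkdir -p secure-data "$2" && write_ca_conf . &&
  touch index.txt && echo '01' > serial.txt &&
  openssl genrsa -out secure-data/ca.key 2048 2>/dev/null &&
  chmod 400 secure-data/ca.key &&
  # -days is needed here: default_days in ca.conf only governs 'openssl ca',
  # so without it 'req -x509' issues a root certificate valid for 30 days.
  openssl req -new -x509 -days 3650 -config secure-data/ca.conf \
    -key secure-data/ca.key -out secure-data/ca.crt &&
  cp secure-data/ca.crt "$2/" &&
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\norganizationName = Yugabyte\ncommonName = %s\n' \
    "$2" > "$2/node.conf" &&
  openssl genrsa -out "$2/node.$2.key" 2048 2>/dev/null &&
  chmod 400 "$2/node.$2.key" &&
  openssl req -new -config "$2/node.conf" -key "$2/node.$2.key" -out "$2/node.csr" &&
  openssl ca -config secure-data/ca.conf -keyfile secure-data/ca.key \
    -cert secure-data/ca.crt -policy my_policy -outdir "$2/" -in "$2/node.csr" \
    -out "$2/node.$2.crt" -days 3650 -batch 2>/dev/null
)

# The page's own check: the node certificate chains to ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/secure-data/ca.crt" "$1/$2/node.$2.crt" >/dev/null 2>&1
}
# CN inside the certificate; must equal the <commonName> used in the file names.
cert_cn() {
  openssl x509 -in "$1/$2/node.$2.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# The private key really belongs to the certificate (same public key).
key_matches_cert() {
  [ "$(openssl pkey -in "$1/$2/node.$2.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1/$2/node.$2.crt" -noout -pubkey)" ]
}
# The key is owner-read-only, as the chmod 400 on the page intends.
key_is_private() {
  [ "$(ls -ld "$1/$2/node.$2.key" | cut -c1-10)" = "-r--------" ]
}
# The root certificate does not expire within 30 days (catches a missing -days).
ca_outlives_30_days() {
  openssl x509 -in "$1/secure-data/ca.crt" -noout -checkend 2592000 >/dev/null
}
# Keep only the three files that ship; everything else in the node dir is scratch.
prune_node_dir() {
  for f in "$1/$2"/*; do
    case "${f##*/}" in ca.crt|"node.$2.crt"|"node.$2.key") ;; *) rm -f "$f" ;; esac
  done
}
shipped_files() { (cd "$1/$2" && ls | tr '\n' ' ' | sed 's/ $//'); }

# Build, check and prune for one node; non-zero status on any failed check.
run_demo() {
  node=${1:-127.0.0.1}; work=$(mktemp -d)
  build_tls_tree "$work" "$node" || { echo "FAIL: build"; return 1; }
  for check in verify_chain key_matches_cert key_is_private ca_outlives_30_days; do
    "$check" "$work" "$node" || { echo "FAIL: $check"; return 1; }
  done
  [ "$(cert_cn "$work" "$node")" = "$node" ] || { echo "FAIL: CN mismatch"; return 1; }
  prune_node_dir "$work" "$node"
  echo "OK: $node ships $(shipped_files "$work" "$node")"
  rm -rf "$work"
}

# Usage: sh prepare-tls-check.sh run [NODE_ADDRESS]
case "${1:-}" in run) run_demo "${2:-}" ;; esac
```

Run it as `sh prepare-tls-check.sh run 10.0.0.5` to rehearse the procedure for one address before doing it for the real cluster. The checks are deliberately split into small functions so that each one can be pointed at a real node directory built by the commands on this page; `cert_cn` in particular catches the common mistake of leaving the <NODE_IP_ADDRESS> placeholder in node.conf, which would produce a certificate whose CN does not match the file name YugabyteDB expects.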

Copyright © 2017-2020 Yugabyte, Inc. All rights reserved.