To prevent unauthorized access to your data, RS databases support the TLS protocol (the more secure successor to SSL), which provides:

  • Encryption - Makes sure that the traffic can only be read by the sender and recipient.
  • Authentication - The server or client makes sure that it communicates with an authorized entity.

When you enable TLS for a database or CRDB, encryption is enforced on either all communications or only communications between clusters, and RS sends its certificate to clusters and clients for authentication to the database or CRDB. You can also configure a database or CRDB to require authentication with a certificate for traffic received from clusters or clients.

Authentication for Databases

When you configure Replica Of for a database, synchronization traffic flows between the source and destination databases. You can configure authentication for Replica Of synchronization traffic only, or for all communications including Replica Of synchronization traffic and data traffic between the database and the clients.

You can also specify that authentication is not enforced for traffic received from clusters or clients.

Configuring TLS for Replica Of communication only on the source database

To enable TLS for Replica Of communication only on the source database:

  1. In databases, either:
    • Click the add icon to create a new database.
    • Click the database that you want to configure and click Edit at the bottom of the page.
  2. Enable TLS.

  3. Select the communication that you want to secure:

    • For a new database - Require TLS for Replica Of communications only is selected by default.
    • For an existing database that is configured to Require TLS for all communications - Select Require TLS for Replica Of communications only.

    By default, client authentication is enforced, so you must enter the syncer certificates of the clusters that host the destination databases.

  4. To enter the syncer certificates:

    1. Copy the syncer certificate of each cluster that hosts a destination database:
      1. Log in to the cluster.
      2. Go to Settings.
      3. In the syncer certificates box, copy the entire text of the certificate.
    2. Click the add icon to open the certificate box.

    3. Paste the text of the certificates in the box.

    4. Click the save icon to save the certificates.

    You can also clear Enforce client authentication so that all clusters or clients can connect to your database without authentication.

    To encrypt Replica Of synchronization traffic, you must also configure encryption for the destination database.

Configuring TLS for all communication on the source database

To enable TLS for Replica Of and client communication on the source database:

  1. In databases, either:
    • Click the add icon to create a new database.
    • Click the database that you want to configure and click Edit at the bottom of the database page.
  2. Enable TLS and select Require TLS for all communications.

    By default, client authentication is enforced, so you must enter the syncer certificates of the clusters that host the destination databases and the certificates of the clients that connect to the database.

  3. To enter the syncer and client certificates:

    1. Copy the entire text of the syncer and client certificates.

      For each cluster with a destination database:

      1. Log in to the cluster.
      2. Go to Settings.
      3. In the syncer certificates box, copy the entire text of the certificate.
    2. Click the add icon to open the certificate box.

    3. Paste the text of the certificates in the box.

    4. Click the save icon to save the certificates.

    You can also clear Enforce client authentication so that all clusters or clients can connect to your database without authentication.

    To encrypt Replica Of synchronization traffic, you must also configure encryption for the destination database.

Authentication for CRDBs

When you create a new CRDB, you can configure authentication for CRDB synchronization traffic only or for all communications, including CRDB synchronization traffic and data traffic between the database and the clients.

You can also specify that authentication is not enforced for traffic received from clusters and clients.

Note: You cannot enable or disable TLS after the CRDB is created, but you can change the TLS configuration.

Configuring TLS for CRDB communication only

To enable TLS for CRDB communication only for a CRDB:

  1. In databases, click the add icon to create a new CRDB.
  2. In configuration, click Edit at the bottom of the page.
  3. Enable TLS.

Client authentication is enforced and the certificates for the participating clusters are used automatically.

Configuring TLS for CRDB and client communication

To enable TLS for CRDB and client communication for a CRDB:

  1. In databases, click the add icon to create a new CRDB.
  2. In configuration, click Edit at the bottom of the page.
  3. Enable TLS.

  4. After you create the CRDB on all participating clusters, on the participating clusters for which you want to require TLS for all communications, edit the CRDB instance and select Require TLS for all communications.

    By default, client authentication is enforced, so you must enter the certificates of the clients that connect to the database. The certificates of the participating clusters are used automatically.

  5. To enter the client certificates:

    1. Copy the entire text of the client certificates.
    2. Click the add icon to open the certificate box.
    3. Paste the text of the certificates in the box.
    4. Click the save icon to save the certificates.

    You can also clear Enforce client authentication so that all clusters or clients can connect to your database without authentication.
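Added example, not code from the RS documentation: a check that the certificate text pasted in the steps above (syncer or client certificates) holds only complete certificates, plus the client-side TLS context and a PING probe that a client needs once a database has Require TLS for all communications with client authentication enforced. Host names, ports and file paths are assumptions, and SAMPLE_PEM is a constructed stand-in rather than a real certificate.

```python
import base64
import re
import socket
import ssl

# Added example, not code from the RS docs. Hosts and file paths passed to the
# functions are assumptions; SAMPLE_PEM is a constructed DER SEQUENCE, not a cert.
BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + r"\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
SAMPLE_PEM = BEGIN + "\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def count_pem_certs(text):
    """Number of complete certificates in pasted PEM text.

    Raises ValueError for a BEGIN without its END (partial paste), a body that
    is not base64, or bytes that do not start with the DER SEQUENCE tag 0x30.
    """
    blocks = PEM_BLOCK.findall(text)
    if text.count(BEGIN) != len(blocks):
        raise ValueError("truncated paste: BEGIN without matching END")
    for body in blocks:
        # binascii.Error (a ValueError) if the body is not valid base64
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("decoded body is not a DER SEQUENCE")
    return len(blocks)


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Client-side context for 'Require TLS for all communications'.

    ca_file verifies the certificate RS sends (hostname check stays on);
    client_cert/client_key are needed while 'Enforce client authentication'
    is on, otherwise the server rejects the handshake.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def tls_ping(host, port, ctx):
    """Handshake, send a RESP PING and return the raw reply (+PONG, or
    -NOAUTH when the database also has a password)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"*1\r\n$4\r\nPING\r\n")
            return tls.recv(64)
```

A handshake that fails with a certificate error when no client certificate is loaded is the expected result while Enforce client authentication is on; a handshake that succeeds without one means the database is accepting unauthenticated clients.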