Connect to clusters
Before you can enable and use server-to-server encryption, you need to create and configure server certificates for each node of your YugabyteDB cluster. For information, see Create client certificates.
For each client that will connect to a YugabyteDB cluster, you need the following three files to be accessible on the client computer.
- — root certificate file. To generate, see
- yugabytedb.crt — private node certificate. To generate, see Generate private key for each node
All three files should be available in the ~/.yugabytedb directory, the default location for TLS certificates when running the YSQL shell (ysqlsh) locally.
For each of the clients below, the steps assume that you have:
- Added the required client certificates to the ~/.yugabytedb directory (or a directory specified using the --certs_for_clients_dir option). For details, see .
- Enabled client-to-server encryption on the YB-TServer nodes of your YugabyteDB cluster.
- on the YugabyteDB cluster.
To open the YSQL shell (ysqlsh) using a YugabyteDB cluster with encryption enabled, you need to add configuration options (flags) to the
To connect to a remote YugabyteDB cluster, you need to have a local copy of ysqlsh available. You can use the ysqlsh CLI available on a locally installed YugabyteDB.
To open the local ysqlsh CLI and access your YugabyteDB cluster, run ysqlsh with the following configuration options set:
- host: -h <node-ip-address> (required for remote node; default is 127.0.0.1)
- port: -p <port> (optional; default is 5433)
- user: -U <username> (optional; default is )
- TLS/SSL: "sslmode=require" (this flag is required)
$ ./bin/ysqlsh
ysqlsh (11.2-YB-2.0.11.0-b0)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
yugabyte=#
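The flags above are easy to get wrong by hand, so here is an added example (not from the YugabyteDB docs) of a small pre-flight wrapper that checks the three client files are present, refuses to proceed if the private key is readable by other users, and then starts ysqlsh with the host, port, user and TLS options. The file names ca.crt (taken from the cqlsh section below), yugabytedb.crt (from the list above) and yugabytedb.key are assumptions, as is the YSQLSH variable used to point at the binary. Note that sslmode=require, which the page shows, guarantees encryption but does not by itself guarantee that the server certificate is checked against a trusted root or that the host name matches; libpq's standard verify-full mode does both, so the wrapper defaults to it and passes the root certificate explicitly with sslrootcert, while still accepting require if you need to match the page exactly.

```shell
#!/bin/sh
# Added example, not part of the YugabyteDB docs. Pre-flight check and launcher
# for connecting ysqlsh to a TLS-enabled cluster.
# Assumed file names in the certs directory: ca.crt (root certificate),
# yugabytedb.crt (client certificate), yugabytedb.key (client private key).
# sslmode, sslrootcert, sslcert and sslkey are standard libpq parameters.
# YSQLSH (default ./bin/ysqlsh) is an assumed variable so the wrapper can be
# dry-run with YSQLSH=echo.

# key_is_private FILE: succeed only if the group/other permission bits are all off.
key_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of ls -l are the group+other bits
    [ "$bits" = "------" ]
}

# ysqlsh_tls_connect CERTS_DIR [HOST] [PORT] [USER] [SSLMODE]
# Returns 1 (without starting ysqlsh) when a file is missing or unreadable,
# the key is readable by group/others, or SSLMODE would allow cleartext.
ysqlsh_tls_connect() {
    dir=$1 host=${2:-127.0.0.1} port=${3:-5433} user=${4:-} mode=${5:-verify-full}
    root="$dir/ca.crt" cert="$dir/yugabytedb.crt" key="$dir/yugabytedb.key"
    for f in "$root" "$cert" "$key"; do
        [ -r "$f" ] || { echo "ysqlsh_tls_connect: missing or unreadable $f" >&2; return 1; }
    done
    key_is_private "$key" || { echo "ysqlsh_tls_connect: $key must not be group/world readable" >&2; return 1; }
    case $mode in
        require|verify-ca|verify-full) ;;
        *) echo "ysqlsh_tls_connect: refusing sslmode=$mode (allows cleartext)" >&2; return 1 ;;
    esac
    set -- -h "$host" -p "$port"
    if [ -n "$user" ]; then
        set -- "$@" -U "$user"
    fi
    "${YSQLSH:-./bin/ysqlsh}" "$@" "sslmode=$mode sslrootcert=$root sslcert=$cert sslkey=$key"
}

# Usage (assumes ysqlsh is at ./bin/ysqlsh):
#   ysqlsh_tls_connect "$HOME/.yugabytedb" 10.0.0.5 5433 yugabyte
```

Run it with YSQLSH=echo first to see the exact argument list it would pass; the function only touches the process environment it was given, so it can be sourced into an existing script.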
To enable yb-admin to connect with a cluster having TLS enabled, pass in the extra argument of certs_dir_name with the directory location where the root certificate is present. The yb-admin tool is present on the cluster node in the ~/master/bin/ directory. The ~/yugabyte-tls-config directory on the cluster node contains all the certificates.
For example, the command below will list the master information for the TLS enabled cluster:
export MASTERS=node1:7100,node2:7100,node3:7100
./bin/yb-admin --master_addresses $MASTERS -certs_dir_name ~/yugabyte-tls-config list_all_masters
You should see the following output format:
To set the environment variables, use the following export commands:
$ export SSL_CERTFILE=<path to file>/ca.crt
$ export SSL_USERCERT=<path to file>/node.<name>.crt
$ export SSL_USERKEY=<path to file>/node.<name>.key
Next, connect using the --ssl flag.
$ ./bin/cqlsh --ssl
You should see the following output:
Remote cluster
To connect to a remote YugabyteDB cluster, you need to have a local copy of cqlsh available. You can use the cqlsh CLI available on a locally installed YugabyteDB.
To open the local cqlsh CLI and access the remote cluster, run cqlsh with configuration options set for the host and port of the remote cluster. You must also add the --ssl flag to enable the use of the client-to-server encryption using TLS (successor to SSL).
$ ./bin/cqlsh -h <node-ip-address> -p <port> --ssl
- node-ip-address: the IP address of the remote node.
- port: the port of the remote node.
You should see the following output:
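The export commands and the --ssl invocation above (local and remote) are combined here into one added example, not from the YugabyteDB docs: a function that derives SSL_CERTFILE, SSL_USERCERT and SSL_USERKEY from a certificates directory and node name using the page's layout (ca.crt, node.<name>.crt, node.<name>.key), verifies each file exists and that the key is not readable by other users before exporting anything, and then starts cqlsh with --ssl, adding -h and -p when a remote host and port are given. The CQLSH variable (default ./bin/cqlsh) is an assumption that lets you dry-run the function with CQLSH=echo.

```shell
#!/bin/sh
# Added example, not part of the YugabyteDB docs. Sets the cqlsh TLS
# environment variables for one node and starts cqlsh --ssl.
# File layout follows the page's export commands:
#   <dir>/ca.crt, <dir>/node.<name>.crt, <dir>/node.<name>.key
# CQLSH (default ./bin/cqlsh) is an assumed variable for dry runs.

# cqlsh_tls_connect CERTS_DIR NODE_NAME [HOST] [PORT]
# Returns 1 without touching the environment when a file is missing or
# unreadable, or when the private key is readable by group/others.
cqlsh_tls_connect() {
    dir=$1 name=$2 host=${3:-} port=${4:-}
    if [ -z "$dir" ] || [ -z "$name" ]; then
        echo "usage: cqlsh_tls_connect CERTS_DIR NODE_NAME [HOST] [PORT]" >&2; return 1
    fi
    ca="$dir/ca.crt" cert="$dir/node.$name.crt" key="$dir/node.$name.key"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cqlsh_tls_connect: missing or unreadable $f" >&2; return 1; }
    done
    bits=$(ls -ld "$key" | cut -c5-10)   # group+other permission bits of the key
    [ "$bits" = "------" ] || { echo "cqlsh_tls_connect: $key is readable by group/others" >&2; return 1; }
    # All checks passed: export exactly the three variables the page describes.
    SSL_CERTFILE=$ca SSL_USERCERT=$cert SSL_USERKEY=$key
    export SSL_CERTFILE SSL_USERCERT SSL_USERKEY
    set --
    if [ -n "$host" ]; then set -- "$@" -h "$host"; fi
    if [ -n "$port" ]; then set -- "$@" -p "$port"; fi
    "${CQLSH:-./bin/cqlsh}" "$@" --ssl
}

# Usage (assumes cqlsh is at ./bin/cqlsh):
#   cqlsh_tls_connect "$HOME/yugabyte-tls-config" node1            # local cluster
#   cqlsh_tls_connect "$HOME/yugabyte-tls-config" node1 10.0.0.7 9042   # remote cluster
```

Because the function exports into the calling shell, source it rather than running it as a separate script if later commands in the same session also need the three variables.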