TLS configuration
YDB supports data-in-transit encryption, and each network protocol can have different TLS settings. This documentation section provides a reference for configuring TLS in YDB.
Interconnect
The YDB actor system interconnect is a specialized protocol for communication between YDB nodes.
Example of enabling TLS for the interconnect:
```yaml
interconnect_config:
  start_tcp: true
  encryption_mode: REQUIRED # or OPTIONAL
  path_to_certificate_file: "/opt/ydb/certs/node.crt"
  path_to_private_key_file: "/opt/ydb/certs/node.key"
  path_to_ca_file: "/opt/ydb/certs/ca.crt"
```
YDB as a server
gRPC
The main YDB API is based on gRPC. It is used for external communication with client applications that work natively with YDB via the SDK or CLI.
Example of enabling TLS for gRPC API:
```yaml
grpc_config:
  cert: "/opt/ydb/certs/node.crt"
  key: "/opt/ydb/certs/node.key"
  ca: "/opt/ydb/certs/ca.crt"
```
PostgreSQL wire protocol
YDB exposes a separate network port for the PostgreSQL wire protocol. This protocol is used for external communication with client applications initially designed to work with PostgreSQL.
Example of enabling TLS for the PostgreSQL wire protocol:
```yaml
local_pg_wire_config:
  ssl_certificate: "/opt/ydb/certs/node.crt"
```
Kafka wire protocol
YDB exposes a separate network port for the Kafka wire protocol. This protocol is used for external communication with client applications initially designed to work with Apache Kafka.
Example of enabling TLS for the Kafka wire protocol with a file containing both the certificate and the private key:
```yaml
kafka_proxy_config:
  ssl_certificate: "/opt/ydb/certs/node.crt"
```
Example of enabling TLS for the Kafka wire protocol with the certificate and private key in separate files:
```yaml
kafka_proxy_config:
  cert: "/opt/ydb/certs/node.crt"
  key: "/opt/ydb/certs/node.key"
```
HTTP
YDB exposes a separate HTTP network port for running the Embedded UI, exposing metrics, and other miscellaneous endpoints.
Example of enabling TLS on the HTTP port, making it HTTPS:
```yaml
monitoring_config:
  monitoring_certificate_file: "/opt/ydb/certs/node.crt"
```
YDB as a client
LDAP
YDB supports LDAP for user authentication. The LDAP protocol has two options for enabling TLS.
Example of enabling TLS for LDAP via the StartTls protocol extension:
```yaml
auth_config:
  ldap_authentication:
    use_tls:
      enable: true
      ca_cert_file: "/path/to/ca.pem"
      cert_require: DEMAND
    scheme: "ldap"
```
Example of enabling TLS for LDAP via ldaps:
```yaml
auth_config:
  ldap_authentication:
    use_tls:
      enable: false
      ca_cert_file: "/path/to/ca.pem"
      cert_require: DEMAND
    scheme: "ldaps"
```
Federated queries
Federated queries allow YDB to query various external data sources. Whether these queries occur over TLS-encrypted connections is controlled by the USE_TLS setting of CREATE EXTERNAL DATA SOURCE queries. No changes to the server-side configuration are required.
Tracing
YDB can send tracing data to an external collector via gRPC.
Example of enabling TLS for tracing data by specifying the grpcs:// protocol:
```yaml
tracing_config:
  backend:
    opentelemetry:
      collector_url: grpcs://example.com:4317
      service_name: ydb
```
Asynchronous replication
Asynchronous replication synchronizes data between two YDB databases, where one serves as a client to the other. Whether this communication uses TLS-encrypted connections is controlled by the CONNECTION_STRING setting of CREATE ASYNC REPLICATION queries. Use the grpcs:// protocol for TLS connections. No changes to the server-side configuration are required.
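A small configuration audit that ties the sections above together: it reads a node config and reports every protocol whose TLS setting is missing or weak (interconnect not REQUIRED, a server listener section without a certificate key, LDAP with neither ldaps nor StartTls). This is an added example, not code from the YDB project; the section and key names are the ones documented above, the YAML parser is a constructed subset sufficient for these mappings, and the sample config (including its `listening_port` line) is constructed for illustration.

```python
# Added example, not from the YDB docs or code base. Key names follow the TLS
# reference above; the parser is a constructed minimal YAML subset (mappings only).
CERT_KEYS = {"grpc_config": ("cert",), "local_pg_wire_config": ("ssl_certificate",),
             "kafka_proxy_config": ("ssl_certificate", "cert"),  # either layout
             "monitoring_config": ("monitoring_certificate_file",)}

def parse_simple_yaml(text: str) -> dict:
    """Turn indentation-nested 'key: value' lines into nested dicts."""
    root: dict = {}
    stack = [(-1, root)]                        # (indent, mapping) ancestry
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:           # climb back to the parent
            stack.pop()
        if value:
            stack[-1][1][key] = {"true": True, "false": False}.get(value, value)
        else:                                   # a nested mapping follows
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root

def audit_tls(cfg: dict) -> list:
    """Return one finding per configured protocol whose TLS setting is absent or weak."""
    findings = []
    if cfg.get("interconnect_config", {}).get("encryption_mode") != "REQUIRED":
        findings.append("interconnect_config: encryption_mode is not REQUIRED")
    for section, keys in CERT_KEYS.items():     # only sections that are present
        if section in cfg and not any(cfg[section].get(k) for k in keys):
            findings.append(f"{section}: no certificate key set, listener is plaintext")
    ldap = cfg.get("auth_config", {}).get("ldap_authentication")
    if ldap and ldap.get("scheme") != "ldaps" and ldap.get("use_tls", {}).get("enable") is not True:
        findings.append("ldap_authentication: neither ldaps nor StartTls is enabled")
    return findings

# Constructed sample config with deliberate gaps for the audit to report.
SAMPLE_CONFIG = """\
interconnect_config:
  encryption_mode: OPTIONAL # opportunistic only, not enforced
grpc_config:
  cert: "/opt/ydb/certs/node.crt"
kafka_proxy_config:
  listening_port: 9092 # constructed: listener without certificate keys
auth_config:
  ldap_authentication:
    use_tls:
      enable: false
    scheme: "ldap"
"""
```

Running `audit_tls(parse_simple_yaml(SAMPLE_CONFIG))` on the sample yields three findings: the interconnect, the Kafka listener, and the LDAP client.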