TLS configuration

YDB supports data-in-transit encryption, and each network protocol can have different TLS settings. This documentation section provides a reference for configuring TLS in YDB.

Interconnect

The YDB actor system interconnect is a specialized protocol for communication between YDB nodes.

Example of enabling TLS for the interconnect:

interconnect_config:
   start_tcp: true
   encryption_mode: REQUIRED # or OPTIONAL
   path_to_certificate_file: "/opt/ydb/certs/node.crt"
   path_to_private_key_file: "/opt/ydb/certs/node.key"
   path_to_ca_file: "/opt/ydb/certs/ca.crt"

YDB as a server

gRPC

The main YDB API is based on gRPC. It is used for external communication with client applications that work natively with YDB via the SDK or CLI.

Example of enabling TLS for the gRPC API:

grpc_config:
   cert: "/opt/ydb/certs/node.crt"
   key: "/opt/ydb/certs/node.key"
   ca: "/opt/ydb/certs/ca.crt"

PostgreSQL wire protocol

YDB exposes a separate network port for the PostgreSQL wire protocol. This protocol is used for external communication with client applications initially designed to work with PostgreSQL.

Example of enabling TLS for the PostgreSQL wire protocol:

local_pg_wire_config:
    ssl_certificate: "/opt/ydb/certs/node.crt"

Kafka wire protocol

YDB exposes a separate network port for the Kafka wire protocol. This protocol is used for external communication with client applications initially designed to work with Apache Kafka.

Example of enabling TLS for the Kafka wire protocol with a file containing both the certificate and the private key:

kafka_proxy_config:
    ssl_certificate: "/opt/ydb/certs/node.crt"

Example of enabling TLS for the Kafka wire protocol with the certificate and private key in separate files:

kafka_proxy_config:
    cert: "/opt/ydb/certs/node.crt"
    key: "/opt/ydb/certs/node.key"

HTTP

YDB exposes a separate HTTP network port for running the Embedded UI, exposing metrics, and other miscellaneous endpoints.

Example of enabling TLS on the HTTP port, making it HTTPS:

monitoring_config:
    monitoring_certificate_file: "/opt/ydb/certs/node.crt"

YDB as a client

LDAP

YDB supports LDAP for user authentication. TLS can be enabled for LDAP in two ways: via the StartTls extension on a plain ldap connection, or via the ldaps scheme.

Example of enabling TLS for LDAP via the StartTls protocol extension:

auth_config:
  ldap_authentication:
    use_tls:
      enable: true
      ca_cert_file: "/path/to/ca.pem"
      cert_require: DEMAND
    scheme: "ldap"

Example of enabling TLS for LDAP via ldaps:

auth_config:
  ldap_authentication:
    use_tls:
      enable: false
      ca_cert_file: "/path/to/ca.pem"
      cert_require: DEMAND
    scheme: "ldaps"

Federated queries

Federated queries allow YDB to query various external data sources. Whether these queries occur over TLS-encrypted connections is controlled by the USE_TLS setting of CREATE EXTERNAL DATA SOURCE queries. No changes to the server-side configuration are required.

Tracing

YDB can send tracing data to an external collector via gRPC.

Example of enabling TLS for tracing data by specifying the grpcs:// protocol:

tracing_config:
  backend:
    opentelemetry:
      collector_url: grpcs://example.com:4317
      service_name: ydb

Asynchronous replication

Asynchronous replication synchronizes data between two YDB databases, where one serves as a client to the other. Whether this communication uses TLS-encrypted connections is controlled by the CONNECTION_STRING setting of CREATE ASYNC REPLICATION queries. Use the grpcs:// protocol for TLS connections. No changes to the server-side configuration are required.
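On the client side, the LDAP settings are the easiest to get subtly wrong: use_tls.enable and scheme only produce an encrypted connection in the two combinations shown above, and enable: false together with scheme "ldap" sends bind credentials in the clear. The following is an added example, not code from the YDB project or this page: it classifies the LDAP transport from an auth_config dict, flags a missing ca_cert_file or a cert_require other than DEMAND whenever TLS is in play, and checks that a tracing collector_url (and, through the same helper, an asynchronous replication CONNECTION_STRING) selects TLS with grpcs://. It assumes scheme is a field of ldap_authentication next to use_tls and that it defaults to "ldap" when absent; treating any cert_require other than DEMAND as a relaxation of server certificate verification is likewise the example's own assumption.

```python
from urllib.parse import urlparse

# Constructed auth_config fragments mirroring the two LDAP layouts on the page.
# Assumption: scheme is a field of ldap_authentication, next to use_tls.
STARTTLS_CONFIG = {"auth_config": {"ldap_authentication": {
    "use_tls": {"enable": True, "ca_cert_file": "/path/to/ca.pem", "cert_require": "DEMAND"},
    "scheme": "ldap"}}}
LDAPS_CONFIG = {"auth_config": {"ldap_authentication": {
    "use_tls": {"enable": False, "ca_cert_file": "/path/to/ca.pem", "cert_require": "DEMAND"},
    "scheme": "ldaps"}}}
PLAINTEXT_CONFIG = {"auth_config": {"ldap_authentication": {
    "use_tls": {"enable": False}, "scheme": "ldap"}}}

def classify_ldap(auth_config):
    """Return (mode, findings) for auth_config.ldap_authentication.

    mode is 'starttls', 'ldaps', 'plaintext' or 'inconsistent'."""
    ldap = auth_config.get("ldap_authentication", {})
    use_tls = ldap.get("use_tls", {})
    enable = bool(use_tls.get("enable", False))
    scheme = ldap.get("scheme", "ldap")  # assumed default when the key is absent
    findings = []
    if enable and scheme == "ldap":
        mode = "starttls"
    elif not enable and scheme == "ldaps":
        mode = "ldaps"
    elif not enable and scheme == "ldap":
        mode = "plaintext"
        findings.append("ldap_authentication: bind credentials travel over plain LDAP")
    else:
        mode = "inconsistent"
        findings.append(f"ldap_authentication: use_tls.enable={enable} with scheme "
                        f"{scheme!r} is not one of the two documented combinations")
    if mode != "plaintext":
        # TLS is intended, so the trust anchor and verification policy must be explicit.
        if not use_tls.get("ca_cert_file"):
            findings.append("ldap_authentication: use_tls.ca_cert_file is not set")
        if use_tls.get("cert_require") != "DEMAND":
            findings.append("ldap_authentication: cert_require is not DEMAND (assumed to "
                            "relax server certificate verification)")
    return mode, findings

def uses_grpcs(url):
    """True when a collector_url or CONNECTION_STRING selects TLS via grpcs://."""
    return urlparse(url).scheme == "grpcs"

def audit_client_tls(config):
    """Collect findings for the client-side TLS settings of a config dict."""
    mode, findings = classify_ldap(config.get("auth_config", {}))
    url = (config.get("tracing_config", {}).get("backend", {})
           .get("opentelemetry", {}).get("collector_url"))
    if url and not uses_grpcs(url):
        findings.append(f"tracing_config: collector_url {url} does not use grpcs://")
    return findings
```

`audit_client_tls` returns an empty list for either documented LDAP layout with a grpcs:// collector, and one finding per problem otherwise; `uses_grpcs` can be applied to the CONNECTION_STRING of a CREATE ASYNC REPLICATION statement before it is submitted, since that value is not visible in the server configuration.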