You can use TLS authentication for one or more of the following types of communication:

  • Communication from clients (applications) to your database
  • Communication from your database to other clusters for replication using Replica Of
  • Communication between your database and other clusters for synchronization using Active-Active

Enable TLS for client connections

You can enable TLS by editing the configuration of an existing database (as shown below) or by selecting Advanced Options when you are creating a new database.

  1. Select your database from your database list and navigate to the configuration tab.
  2. Select Edit at the bottom of your screen.
  3. Enable TLS.
    • Enforce client authentication is selected by default. If you clear this option, you will still enforce encryption, but TLS client authentication will be deactivated.
  4. Select Advanced Options, then select Require TLS for All Communications from the dropdown menu.
  5. Select Add.
  6. Paste a client certificate, or the certificate of the certificate authority (CA) that issued your client certificates, into the text box.
  7. Save the certificate.
  8. Repeat for each client certificate you need to add.
    • If your database uses Replica Of or Active-Active replication, you will need to add the syncer certificates for the participating clusters. The steps for each are below.
  9. Optional: To further limit connections to a subset of the clients that present valid certificates, select Enforce Subject Alternative Name and enter the authorized subject alternative names, separated by commas.
  10. Select Update at the bottom of the screen to save your configuration.
  11. Optional: By default, Redis Enterprise Software rejects expired client certificates. You can use rladmin to turn off this check. Doing so lets clients authenticate with expired certificates, so treat it as a temporary measure while you rotate certificates rather than a permanent setting.
    rladmin tune db <db:id | name> mtls_allow_outdated_certs enabled
    

Enable TLS for Active-Active cluster connections

Note:
You cannot enable or turn off TLS after the Active-Active database is created, but you can change the TLS configuration.

Retrieve syncer certificates

  1. For each participating cluster, copy the syncer certificate from the general settings tab.

Configure TLS certificates for Active-Active

  1. During database creation (see Create an Active-Active Geo-Replicated Database), select Edit from the configuration tab.
  2. Enable TLS.
    • Enforce client authentication is selected by default. If you clear this option, you will still enforce encryption, but TLS client authentication will be deactivated.
  3. Select Require TLS for CRDB communication only from the dropdown menu.
  4. Select Add.
  5. Paste a syncer certificate into the text box.
  6. Save the syncer certificate.
  7. Repeat this process, adding the syncer certificate for each participating cluster.
  8. Optional: If you also want to require TLS for client connections, select Require TLS for All Communications from the dropdown and add client certificates as well.
  9. Select Update at the bottom of the screen to save your configuration.

Configure TLS on all participating clusters

Repeat this process on all participating clusters.

To enforce TLS authentication, Active-Active databases require a syncer certificate for each cluster connection. If any participating cluster lacks the syncer certificate of another participating cluster, synchronization between them fails.

Enable TLS for Replica Of cluster connections

You can enable TLS by editing the configuration of an existing database (as shown below) or by selecting Advanced Options when you are creating a new database.

  1. For each cluster hosting a replica, copy the syncer certificate from the general settings tab.
  2. Select your database from your database list and navigate to the configuration tab.
  3. Select Edit at the bottom of your screen.
  4. Enable TLS.
    • Enforce client authentication is selected by default. If you clear this option, you will still enforce encryption, but TLS client authentication will be deactivated.
  5. Under Advanced Options, select Require TLS for Replica Of Only from the dropdown menu.
  6. Select Add.
  7. Paste a syncer certificate into the text box.
  8. Save the syncer certificate.
  9. Repeat this process, adding the syncer certificate for each cluster hosting a replica of this database.
  10. Optional: If you also want to require TLS for client connections, select Require TLS for All Communications from the dropdown and add client certificates as well.
  11. Select Update at the bottom of the screen to save your configuration.