Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt and authenticate network communications. You can use SSL/TLS to encrypt the connection from a client application to a Service Instance that you provision with Data Management for VMware Tanzu, so that data exchanged over the connection cannot be read or altered in transit.

By default, Data Management for VMware Tanzu allows both secured and unsecured client connections to a Service Instance. If you want to mandate the use of secured connections, you must explicitly configure the Service Instance to require TLS. You can configure this during instance creation, or at any time after the instance is provisioned.

Requiring TLS on client connections to a Primary Service Instance does not automatically require TLS on its Read Replicas. You must ensure that you enable TLS for each Read Replica at the time of creation. Similarly, if you want to disable the TLS requirement, you must disable it on the Primary and on each Read Replica. Data Management for VMware Tanzu does, however, synchronize the certificates from the Primary to each replica.

Requiring Client TLS

When you require client TLS for a Service Instance, you mandate that all clients communicate with the instance over a secure connection.

Data Management for VMware Tanzu performs the following tasks when you require client TLS:

  • Copies the certificates to the file system on the Service Instance VM.
  • Modifies the service configuration to reject unsecured connections from any source.
  • Reloads the service configuration.

For example, if the Service Instance is a PostgreSQL database, Data Management for VMware Tanzu updates the PostgreSQL pg_hba.conf file, and then invokes the pg_ctl executable to reload the new configuration.

The effect of requiring TLS on existing client connections depends on the service. With some services, like PostgreSQL, the configuration reload does not disrupt existing client connections; only new connections to the Service Instance require TLS, and any session that was established without TLS before the change stays unencrypted until that client disconnects. Other services may require a restart.

Note: If you want to enforce TLS on all connections immediately, you must restart the service, which terminates the existing sessions. Consider initiating this operation and performing the subsequent service restart during the maintenance window of the Service Instance.
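The following Python is an added example, not code from Data Management for VMware Tanzu: it models the pg_hba.conf rewrite described above and simulates PostgreSQL's first-match record evaluation, so you can see why a plaintext connection is refused after the change while a TLS connection still authenticates as before. The sample pg_hba.conf is constructed, the exact rewrite strategy (turning every host record into hostssl and prepending hostnossl reject records) is an assumption about what the product writes, and the function names require_tls, decide and parse_pg_hba are this example's own; the record semantics are PostgreSQL's documented ones.

```python
"""Model of the pg_hba.conf change that enforces client TLS on PostgreSQL.

Added example, not Data Management for VMware Tanzu code. The sample
configuration below is constructed, and the rewrite strategy (turn every
'host' record into 'hostssl' and prepend 'hostnossl ... reject' records)
is an assumption about what the product writes; the record semantics are
PostgreSQL's documented ones:

  host       matches TCP connections made with or without TLS
  hostssl    matches only TLS connections
  hostnossl  matches only plaintext connections
  The first record that matches a connection decides it; 'reject' refuses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the default, permissive configuration: 'host'
# records accept both TLS and plaintext clients (the product default).
DEFAULT_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  scram-sha-256
host    all       all   10.0.0.0/8    scram-sha-256
"""


@dataclass
class Record:
    conn_type: str          # local | host | hostssl | hostnossl
    database: str
    user: str
    address: Optional[str]  # CIDR for TCP records, None for 'local'
    method: str             # e.g. scram-sha-256, peer, reject


def parse_pg_hba(text: str) -> List[Record]:
    """Parse the record types used here (CIDR addresses only; hostnames,
    'samehost'/'samenet' and the options column are out of scope)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                  # TYPE DATABASE USER METHOD
            records.append(Record(f[0], f[1], f[2], None, f[3]))
        else:                                # TYPE DATABASE USER ADDRESS METHOD
            records.append(Record(f[0], f[1], f[2], f[3], f[4]))
    return records


def require_tls(text: str) -> str:
    """Return a pg_hba.conf that rejects every plaintext TCP connection.

    Each 'host' record becomes 'hostssl', so it no longer matches plaintext
    clients, and catch-all 'hostnossl ... reject' records go first so that a
    plaintext attempt is refused explicitly before any other record is
    consulted. (Server-side TLS, ssl=on in postgresql.conf with a certificate
    and key, is assumed to be in place already.)
    """
    out = ["hostnossl all all 0.0.0.0/0 reject",
           "hostnossl all all ::/0      reject"]
    for raw in text.splitlines():
        stripped = raw.lstrip()
        if stripped.startswith(("host ", "host\t")):
            out.append("hostssl" + stripped[len("host"):])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def decide(text: str, client_ip: str, tls: bool,
           database: str = "app", user: str = "app") -> str:
    """Simulate PostgreSQL's first-match evaluation for one TCP client.

    Returns the authentication method of the matching record, or 'reject'
    when the record is a reject rule or when nothing matches (PostgreSQL
    also refuses a connection that matches no record).
    """
    ip = ipaddress.ip_address(client_ip)
    for r in parse_pg_hba(text):
        if r.conn_type == "local":
            continue                         # Unix-socket records never match TCP
        if r.conn_type == "hostssl" and not tls:
            continue
        if r.conn_type == "hostnossl" and tls:
            continue
        if r.database not in ("all", database) or r.user not in ("all", user):
            continue
        net = ipaddress.ip_network(r.address, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        return r.method
    return "reject"


if __name__ == "__main__":
    hardened = require_tls(DEFAULT_PG_HBA)
    print(hardened)
    for cfg_name, cfg in (("default", DEFAULT_PG_HBA), ("hardened", hardened)):
        for tls in (False, True):
            print(f"{cfg_name:8} tls={tls!s:5} 10.1.2.3 -> {decide(cfg, '10.1.2.3', tls)}")
```

On a real server the rewritten file takes effect after `pg_ctl reload -D <datadir>` (or `SELECT pg_reload_conf();`), which is the reload step the page describes and which leaves established sessions alone. To find sessions that predate the change and are still unencrypted, query `SELECT pid, usename, client_addr FROM pg_stat_activity JOIN pg_stat_ssl USING (pid) WHERE NOT ssl;` before deciding whether the restart is needed. The MySQL counterpart of this change is the `require_secure_transport` system variable.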

Prerequisites

Before you require TLS for a Service Instance, ensure that:

  • The Service Instance is powered on and online.
  • TLS is not currently required for the instance.

Procedure

Perform the following procedure to require TLS on client connections to a Service Instance:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned database instances.

  2. Examine the databases listed in the table, identify the instance for which you want to require TLS-secured connections, and navigate to that table row.

  3. Click the database Instance Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Enable Client TLS from the drop-down menu.

    The Enable Client TLS dialog displays.

  5. If you are certain that you want to require TLS-secured connections to the Service Instance, click CONFIRM.

    Data Management for VMware Tanzu initiates the task, generating an operation of type DB_CLIENT_SSL_ENABLE.

  6. Monitor the progress of the task in the Operations tab or in the Database Operations view:

    1. Locate the DB_CLIENT_SSL_ENABLE operation type and click it.
    2. Select the State History tab to view the subtasks and their status.
    3. If the operation fails, select the Error Info tab to examine the returned error information.

Connecting to a Service Instance with TLS

After you require TLS for a Service Instance, Data Management for VMware Tanzu mandates that all client connections to the instance be TLS-secured. A client connection may originate from any host with connectivity to the service Application Network. The requirement is enforced by the server; it does not by itself make a client verify the server's certificate. Configure clients to verify the certificate against the issuing CA so that an encrypted connection is also an authenticated one; see the service-specific pages below.

PostgreSQL

Using TLS with a PostgreSQL Database Service Instance describes TLS considerations for PostgreSQL.

MySQL

Using TLS with a MySQL Database Service Instance describes TLS considerations for MySQL.

Disabling Client TLS

When you disable client TLS for a Service Instance, you remove the requirement that all client connections to the service be secure. The instance will accept both TLS and non-secure connections.

When you remove the TLS requirement for a Service Instance, Data Management for VMware Tanzu:

  • Modifies the service configuration to accept both secured and unsecured connections from any source.
  • Reloads the service configuration.

The effect of removing the TLS requirement on existing client connections depends on the service. With some services, like PostgreSQL, the configuration reload does not disrupt existing client connections; the instance simply accepts any new connection, be it secure or unsecure. Other services may require a restart.

Prerequisites

Before you disable TLS for a Service Instance, ensure that:

  • The Service Instance is powered on and online.
  • TLS is currently required for the instance.

Procedure

Perform the following procedure to remove the TLS requirement for client connections to a Service Instance:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned database instances.

  2. Examine the databases listed in the table, identify the instance for which you want to remove the TLS requirement, and navigate to that table row.

  3. Click the database Instance Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Disable Client TLS from the drop-down menu.

    The Disable Client TLS dialog displays.

  5. If you are certain that you want to disable client TLS, click CONFIRM.

    Data Management for VMware Tanzu initiates the task, generating an operation of type DB_CLIENT_SSL_DISABLE.

  6. Monitor the progress of the task in the Operations tab or in the Database Operations view:

    1. Locate the DB_CLIENT_SSL_DISABLE operation type and click it.
    2. Select the State History tab to view the subtasks and their status.
    3. If the operation fails, select the Error Info tab to examine the returned error information.