Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that use encryption to secure communications. You can use SSL/TLS to encrypt a connection from a client application to a database that you provision with Data Management for VMware Tanzu to ensure that any data exchanged is protected.
By default, Data Management for VMware Tanzu allows both secured and unsecured client connections to a database. If you want to mandate the use of secured connections, you must explicitly configure the database to require TLS. You can configure this during database creation, or at any time after the database is provisioned.
Requiring TLS on client connections to a Primary database does not automatically require TLS on its Read Replicas. You must ensure that you enable TLS for each Read Replica at the time of creation. Similarly, if you want to deactivate the TLS requirement, you must deactivate it on the Primary and on each Read Replica. Data Management for VMware Tanzu does, however, synchronize the certificates from the Primary to each replica.
When you require client TLS for a database, you mandate that all clients communicate with the database over a secure connection.
Data Management for VMware Tanzu performs the following tasks when you require client TLS:
For example, if the database is a PostgreSQL database, Data Management for VMware Tanzu updates the PostgreSQL pg_hba.conf file, and then invokes the pg_ctl executable to reload the new configuration.
The effect of requiring TLS on existing client connections depends on the service. With some services, like PostgreSQL, there are no disruptions to existing client connections to a database; only new connections to the database will require TLS. Other services may require a restart.
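To confirm the result on a PostgreSQL database, the following added example (not code from Data Management for VMware Tanzu or its documentation) audits pg_hba.conf text for records that still admit a client without TLS, following PostgreSQL's first-match rule. The sample file contents are constructed, the exact records that Data Management for VMware Tanzu writes are not shown on this page, and the function names are illustrative.

```python
import ipaddress

# Non-TLS connection classes each record type can match ("hostssl" matches none).
NON_TLS = {"host": {"gss", "plain"}, "hostnossl": {"gss", "plain"},
           "hostgssenc": {"gss"}, "hostnogssenc": {"plain"}}

SAMPLE_HBA = """\
# constructed sample, not taken from a real deployment
local     all         all                              peer
hostssl   all         all   0.0.0.0/0                  scram-sha-256
host      replication repl  10.0.0.0/8                 scram-sha-256
hostnossl all         all   192.168.0.0/16             reject
host      all         app   192.168.10.0/24            scram-sha-256
host      all         all   172.16.0.5 255.255.255.255 md5
"""

def _address(fields):                         # -> (network or keyword, auth method)
    try:
        ipaddress.ip_address(fields[3])       # bare IP: next field is a netmask
    except ValueError:
        try:
            return ipaddress.ip_network(fields[3], strict=False), fields[4]
        except ValueError:
            return fields[3], fields[4]       # "all", "samenet" or a host name
    prefix = bin(int(ipaddress.ip_address(fields[4]))).count("1")
    return ipaddress.ip_network(f"{fields[3]}/{prefix}", strict=False), fields[5]

def _covers(outer, inner):
    if isinstance(outer, str) or isinstance(inner, str):
        return outer == "all" or outer == inner
    return outer.version == inner.version and inner.subnet_of(outer)

def non_tls_records(hba_text):
    """Return (line number, record) for records that admit a client without TLS."""
    rejects, findings = [], []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumes no quoted fields or includes
        classes = NON_TLS.get(fields[0]) if fields else None
        if not classes:
            continue                          # blank, comment, local, hostssl
        net, method = _address(fields)
        if method == "reject":
            if fields[1] == "all" and fields[2] == "all":
                rejects.append((net, classes))  # first match wins: shadows later records
            continue
        repl = "replication" in fields[1].split(",")  # "all" never matches replication
        if any(repl or not any(c in rc and _covers(rn, net) for rn, rc in rejects)
               for c in classes):
            findings.append((lineno, " ".join(fields)))
    return findings
```

Run the check against the pg_hba.conf of the Primary and of each Read Replica, because the TLS requirement is set on each one separately.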
Before you require TLS for a database, ensure that:
Perform the following procedure to require TLS on client connections to a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to require TLS-secured connections, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Enable Client TLS from the drop-down menu.
The Enable Client TLS dialog displays.
If you are certain that you want to require TLS-secured connections to the database, click CONFIRM.
Data Management for VMware Tanzu initiates the task, generating an operation of type DB_CLIENT_SSL_ENABLE.
Monitor the progress of the task in the Operations tab or in the Operations view:
After you require TLS for a database, Data Management for VMware Tanzu mandates that all client connections to the database be TLS-secured. A client connection may originate from any host with connectivity to the service Application Network.
Using TLS with a PostgreSQL Database describes TLS considerations for PostgreSQL.
Using TLS with a MySQL Database describes TLS considerations for MySQL.
When you deactivate client TLS for a database, you remove the requirement that all client connections to the service be secure. The database will accept both TLS and non-secure connections.
When you remove the TLS requirement for a database, Data Management for VMware Tanzu:
There are no disruptions to existing client connections to a database when you remove the TLS requirement for the database. The database accepts any new connection, be it secure or unsecure.
The effect of removing the TLS requirement on existing client connections depends on the service. With some services, like PostgreSQL, there are no disruptions to existing client connections to a database; the database accepts any new connection, be it secure or unsecure. Other services may require a restart.
Before you deactivate TLS for a database, ensure that:
Perform the following procedure to remove the TLS requirement for client connections to a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to remove the TLS requirement, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Disable Client TLS from the drop-down menu.
The Disable Client TLS dialog displays.
If you are certain that you want to deactivate client TLS, click CONFIRM.
Data Management for VMware Tanzu initiates the task, generating an operation of type DB_CLIENT_SSL_DISABLE.
Monitor the progress of the task in the Operations tab or in the Operations view: