Secure Socket Layer (SSL) and Transport Layer Security (TLS) are protocols that use encryption to secure communications. You can use SSL/TLS to encrypt a connection from a client application to a database that you provision with VMware Data Services Manager to ensure that any data exchanged is protected.
By default, VMware Data Services Manager allows both secured and unsecured client connections to a database. If you want to mandate the use of secured connections, you must explicitly configure the database to require TLS. You can configure this during database creation, or at any time after the database is provisioned.
Requiring TLS on client connections to a Primary database does not automatically require TLS on its Read Replicas. You must ensure that you enable TLS for each Read Replica at the time of creation. Similarly, if you want to deactivate the TLS requirement, you must deactivate it on the Primary and on each Read Replica. VMware Data Services Manager does, however, synchronize the certificates from the Primary to each replica.
When you require client TLS for a database, you mandate that all clients communicate with the database over a secure connection.
VMware Data Services Manager performs the following tasks when you require client TLS:
For example, if the database is a PostgreSQL database, VMware Data Services Manager updates the PostgreSQL pg_hba.conf
file, and then invokes the pg_ctl
executable to reload the new configuration.
The effect of requiring TLS on existing client connections depends on the service. With some services, like PostgreSQL, there are no disruptions to existing client connections to a database; only new connections to the database will require TLS. Other services may require a restart.
Before you require TLS for a database, ensure that:
Perform the following procedure to require TLS on client connections to a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to require TLS-secured connections, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Enable Client TLS from the drop down menu.
The Enable Client TLS dialog displays.
If you are certain that you want to require TLS-secured connections to the database, click CONFIRM.
VMware Data Services Manager initiates the task, generating an operation of type DB_CLIENT_SSL_ENABLE.
Monitor the progress of the task in the Operations tab or in the Operations view:
After you require TLS for a database, VMware Data Services Manager mandates that all client connections to the database be TLS-secured. A client connection may originate from any host with connectivity to the service Application Network.
Using TLS with a PostgreSQL Database Database describes TLS considerations for PostgreSQL.
Using TLS with a MySQL Database describes TLS considerations for MySQL.
When you deactivate client TLS for a database, you remove the requirement that all client connections to the service be secure. The database will accept both TLS and non-secure connections.
When you remove the TLS requirement for a database, VMware Data Services Manager:
There are no disruptions to existing client connections to a database when you remove the TLS requirement for the database. The database accepts any new connection, be it secure or unsecure.
The affect of removing the TLS requirement on existing client connections depends on the service. With some services, like PostgreSQL, there are no disruptions to existing client connections to a database; the database accepts any new connection, be it secure or unsecure. Other services may require a restart.
Before you deactivate TLS for a database, ensure that:
Perform the following procedure to remove the TLS requirement for client connections to a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to remove the TLS requirement, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Disable Client TLS from the drop down menu.
The Disable Client TLS dialog displays.
If you are certain that you want to deactivate client TLS, click CONFIRM.
VMware Data Services Manager initiates the task, generating an operation of type DB_CLIENT_SSL_DISABLE.
Monitor the progress of the task in the Operations tab or in the Operations view: