diff --git a/content/operate/rs/security/encryption/tls/enable-tls.md b/content/operate/rs/security/encryption/tls/enable-tls.md index 102c8e4b5e..4c9a10dffc 100644 --- a/content/operate/rs/security/encryption/tls/enable-tls.md +++ b/content/operate/rs/security/encryption/tls/enable-tls.md @@ -36,11 +36,11 @@ To enable mutual TLS for client connections: 1. Select **Mutual TLS (Client authentication)**. - {{Mutual TLS authentication configuration.}} + {{Mutual TLS authentication configuration.}} 1. For each client certificate, select **+ Add certificate**, paste or upload the client certificate, then select **Done**. - If your database uses Replica Of or Active-Active replication, you also need to add the syncer certificates for the participating clusters. See [Enable TLS for Replica Of cluster connections](#enable-tls-for-replica-of-cluster-connections) or [Enable TLS for Active-Active cluster connections](#enable-tls-for-active-active-cluster-connections) for instructions. + If your database uses Replica Of, you also need to add the syncer certificates for the participating clusters. See [Enable TLS for Replica Of cluster connections](#enable-tls-for-replica-of-cluster-connections) for instructions. 1. You can configure **Additional certificate validations** to further limit connections to clients with valid certificates. 
@@ -73,59 +73,27 @@ To enable mutual TLS for client connections: 1. Select **Save**. - {{< note >}} By default, Redis Enterprise Software validates client certificate expiration dates. You can use `rladmin` to turn off this behavior. ```sh rladmin tune db < db:id | name > mtls_allow_outdated_certs enabled ``` - - {{< /note >}} ## Enable TLS for Active-Active cluster connections -To enable TLS for Active-Active cluster connections: - -1. If you are using the new Cluster Manager UI, switch to the legacy admin console. - - {{Select switch to legacy admin console from the dropdown.}} - -1. [Retrieve syncer certificates.](#retrieve-syncer-certificates) - -1. [Configure TLS certificates for Active-Active.](#configure-tls-certificates-for-active-active) - -1. [Configure TLS on all participating clusters.](#configure-tls-on-all-participating-clusters) - -{{< note >}} You cannot enable or turn off TLS after the Active-Active database is created, but you can change the TLS configuration. -{{< /note >}} - -### Retrieve syncer certificates -For each participating cluster, copy the syncer certificate from the **general** settings tab. - -{{< image filename="/images/rs/general-settings-syncer-cert.png" alt="general-settings-syncer-cert" >}} +To enable TLS for Active-Active cluster connections: -### Configure TLS certificates for Active-Active +1. During [database creation]({{}}), expand the **TLS** configuration section. -1. During database creation (see [Create an Active-Active Geo-Replicated Database]({{< relref "/operate/rs/databases/active-active/create.md" >}}), select **Edit** from the **configuration** tab. -1. Enable **TLS**. - - **Enforce client authentication** is selected by default. If you clear this option, you will still enforce encryption, but TLS client authentication will be deactivated. -1. Select **Require TLS for CRDB communication only** from the dropdown menu. - {{< image filename="/images/rs/crdb-tls-all.png" alt="crdb-tls-all" >}} -1. 
Select **Add** {{< image filename="/images/rs/icon_add.png#no-click" alt="Add" >}} -1. Paste a syncer certificate into the text box. - {{< image filename="/images/rs/database-tls-replica-certs.png" alt="Database TLS Configuration" >}} -1. Save the syncer certificate. {{< image filename="/images/rs/icon_save.png#no-click" alt="Save" >}} -1. Repeat this process, adding the syncer certificate for each participating cluster. -1. Optional: If also you want to require TLS for client connections, select **Require TLS for All Communications** from the dropdown and add client certificates as well. -1. Select **Update** at the bottom of the screen to save your configuration. +1. Select **On** to enable TLS. -### Configure TLS on all participating clusters + {{TLS is enabled on the Cluster Manager UI screen.}} -Repeat this process on all participating clusters. +1. Click **Create**. -To enforce TLS authentication, Active-Active databases require syncer certificates for each cluster connection. If every participating cluster doesn't have a syncer certificate for every other participating cluster, synchronization will fail. +If you also want to require TLS for client connections, you must edit the Active-Active database configuration after creation. See [Enable TLS for client connections](#client) for instructions. ## Enable TLS for Replica Of cluster connections diff --git a/static/images/rs/screenshots/databases/active-active-databases/enable-tls-for-active-active-db.png b/static/images/rs/screenshots/databases/active-active-databases/enable-tls-for-active-active-db.png new file mode 100644 index 0000000000..d45e3039ab Binary files /dev/null and b/static/images/rs/screenshots/databases/active-active-databases/enable-tls-for-active-active-db.png differ 
diff --git a/static/images/rs/screenshots/databases/security-mtls-clients-7-8-2.png b/static/images/rs/screenshots/databases/security-mtls-clients-7-8-2.png new file mode 100644 index 0000000000..c39fc8f8da Binary files /dev/null and b/static/images/rs/screenshots/databases/security-mtls-clients-7-8-2.png differ
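Review bot: in the `@@ -36,11` hunk, the step-2 sub-bullet drops Active-Active from the list of database types that need syncer certificates added next to the client certificates, but nothing in the patch says Active-Active databases no longer need them once **Mutual TLS (Client authentication)** is on; if the syncer still presents its certificate to an mTLS-enabled database, leaving it out breaks replication with no hint on this page. Either keep `If your database uses Replica Of or Active-Active replication, you also need to add the syncer certificates` or add one sentence stating that the syncer certificate is handled automatically for Active-Active (and from which version). Also, the `+` line for the screenshot reads the same as the `-` line it replaces while the patch adds `security-mtls-clients-7-8-2.png`; confirm the image shortcode actually points at the new file.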
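Review bot: in the `@@ -73,59` hunk, the deleted note `You cannot enable or turn off TLS after the Active-Active database is created, but you can change the TLS configuration.` is the one fact that decides whether a deployment can be encrypted at all, and the replacement steps only say to select **On** during creation; keep that note under the new steps so nobody creates the database expecting to enable TLS later. The new step 1 reads `[database creation]({{}})` with no visible relref target where the removed line pointed at `/operate/rs/databases/active-active/create.md`; confirm the shortcode target survived. The closing sentence links to `#client`, whereas the other cross-references in this file use full heading slugs such as `#enable-tls-for-replica-of-cluster-connections`; verify that the **Enable TLS for client connections** heading defines that id. Finally, the deleted lines `Enforce client authentication is selected by default` and `Active-Active databases require syncer certificates for each cluster connection ... synchronization will fail` told the operator that cluster-to-cluster TLS was mutually authenticated and what a missing certificate does; with only **On** described, add a sentence saying whether syncer authentication is still enforced and whether certificates are exchanged automatically, so it is clear if inter-cluster traffic is encrypted only or also authenticated. The `rladmin tune db ... mtls_allow_outdated_certs enabled` paragraph losing its `{{< note >}}` wrapper is fine, but since that setting disables expiration checks it deserves the same emphasis it had before.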