Enabling SSL/TLS Encryption
The Yellowbrick server supports SSL/TLS encryption, using TLS protocol v1.2, for client communications and passwords, including remote connections to the SMC and connections via client tools such as ybload.
SSL-Only Mode
If you want to enforce SSL mode for all client connections automatically, set the appliance to SSL-only mode. When the appliance is running in this mode, all client connections from all tools, including connections to the SMC, the front-end PostgreSQL database, and ybtools, must be encrypted: HTTPS for the SMC, and TLS for the database listener used by ybtools and other database clients. All non-SSL connections are rejected.
Trust and Trust Customization
SSL/TLS is available by default, but clients are not required to use it unless the appliance is in SSL-only mode. By default, Yellowbrick ships with self-signed certificates. With a self-signed certificate there is no root CA for the client to verify against, so verification of the root CA is not supported: clients must be configured to skip root CA verification, which means they cannot detect a substituted certificate. For ybtools, see SSL/TLS Settings for ybtools. For ybsql, see ybsql Connections.
The security policies of many companies do not allow the use of self-signed certificates, or of client settings that skip certificate root verification, with appliances that store confidential or personally identifiable information (PII). In these environments, the self-signed certificate must be replaced with a certificate issued by a trusted signing authority. The import accepts a PEM-encoded file or a Java KeyStore (JKS).
SSL/TLS Ports
Database client connections, bulk load and unload operations, SMC access, and other SSL/TLS communication with the Yellowbrick appliance use different ports than non-SSL/TLS traffic. For this reason, additional network ports typically need to be opened in the corporate firewall; otherwise users receive errors and communication fails. For the port numbers the client tools use for data control and transfer, see Opening Network Ports for Clients.
Import Certificates
[Screenshot: browser warning "There is a problem with this website's security certificate."]
The Import Certificate button in the SMC allows customers to import a new SSL certificate for the database. The same certificate is used by both the HTTPS listener and the PostgreSQL TLS listener, so importing it once establishes trust for both. The import must be a PEM-encoded certificate issued by a third-party CA, or by a custom CA that the organization's standard browser trusts.
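Before handing a certificate and key to the SMC (the replacement of the self-signed certificate described above, and the PEM import described here), it is worth running the checks that a browser or a verify-full client will later perform. The script below is an added example and is not Yellowbrick's tooling: it checks that both files are PEM, that the private key belongs to the certificate, that the chain verifies against your CA file, that the certificate is current, and that the hostname users will type (or the Automatic Redirect name) matches the CN or SAN. It assumes POSIX sh and OpenSSL 1.1.1 or later on PATH; the CA, the names yb100 and yb100.example.com, and the passphrase changeit are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Yellowbrick's own tooling: pre-flight checks on the
# PEM certificate and private key before importing them through the SMC.
# Assumes POSIX sh and OpenSSL 1.1.1 or later on PATH. The CA, hostname
# (yb100.example.com) and passphrase (changeit) are constructed for the demo.
set -eu

# check_bundle CERT KEY CAFILE HOSTNAME [KEY_PASSPHRASE]
# Succeeds only if: both files carry PEM markers, the private key matches
# the certificate's public key, the chain verifies against CAFILE, the
# certificate has not expired, and HOSTNAME (what users type into the
# browser, or the Automatic Redirect name) matches the CN or SAN.
check_bundle() {
  cert=$1; key=$2; cafile=$3; host=$4; pass=${5:-}
  passopt=""
  [ -n "$pass" ] && passopt="-passin pass:$pass"   # demo only: no spaces in passphrase

  # 1. PEM markers: the import expects text PEM, not DER. A password-
  #    protected PKCS#8 key reads BEGIN ENCRYPTED PRIVATE KEY.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "$cert: no PEM certificate"; return 1; }
  grep -Eq -- '-----BEGIN (ENCRYPTED |RSA |EC )?PRIVATE KEY-----' "$key" \
    || { echo "$key: no PEM private key"; return 1; }

  # 2. Key/certificate match: derive the public key from each side and compare.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout $passopt </dev/null 2>/dev/null) \
    || { echo "$key: cannot read private key (wrong passphrase?)"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$key: private key does not belong to $cert"; return 1; }

  # 3. Chain and hostname: the same checks a browser or a verify-full client does.
  openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: chain or hostname verification failed for $host"; return 1; }

  # 4. Still valid right now.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "$cert: certificate has expired"; return 1; }
  echo "$cert: OK for $host"
}

# make_demo_bundle DIR: constructed test data. Builds a throwaway CA, then a
# CA-signed server certificate with the SMC names in the SAN and a
# passphrase-protected private key, mirroring what a corporate CA would issue.
make_demo_bundle() {
  dir=$1
  mkdir -p "$dir"
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -subj '/CN=Example Corp Internal CA' -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/yb100.key" >/dev/null 2>&1
  openssl req -new -key "$dir/yb100.key" -config "$dir/ca.cnf" \
    -subj '/CN=yb100.example.com' -out "$dir/yb100.csr"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:yb100.example.com,DNS:yb100\n' > "$dir/leaf.cnf"
  openssl x509 -req -in "$dir/yb100.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/leaf.cnf" -out "$dir/yb100.pem" >/dev/null 2>&1
  # Keep only the passphrase-protected key: this is the file handed to the SMC.
  openssl pkey -in "$dir/yb100.key" -aes-256-cbc -passout pass:changeit -out "$dir/yb100.enc.key"
  rm -f "$dir/yb100.key"
}

# Demo run on the constructed bundle.
demo=$(mktemp -d)
make_demo_bundle "$demo"
check_bundle "$demo/yb100.pem" "$demo/yb100.enc.key" "$demo/ca.pem" yb100.example.com changeit
# A name missing from the SAN fails here, before users see a browser warning.
check_bundle "$demo/yb100.pem" "$demo/yb100.enc.key" "$demo/ca.pem" smc.example.com changeit || true
```

Run check_bundle once for every name users will reach the SMC by (the short hostname and the fully-qualified Automatic Redirect name); a name that is not in the SAN fails here instead of as a certificate warning in the browser. The same pubkey comparison in step 2 is what to reach for when the SMC rejects an import: a key that was re-generated after the CSR was submitted is the usual cause.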
Enable SSL Settings
- Log into the SMC as the yellowbrick user.
- Go to the Configuration Settings screen.
- To import a new certificate, click Import Certificate and import the certificate (public key) and the private key. You must also specify the password for the private key, so be prepared to provide all three values: the certificate, the private key, and the private key password. Both files are PEM-encoded text with the following markers:
-----BEGIN PRIVATE KEY-----
<data>
-----END PRIVATE KEY-----
...
-----BEGIN CERTIFICATE-----
<data>
-----END CERTIFICATE-----
A password-protected key in PKCS#8 form is labelled BEGIN ENCRYPTED PRIVATE KEY rather than BEGIN PRIVATE KEY.
- Select the Enable SSL-only communications checkbox. (Skip this step if you only want to import a new certificate.)
- If required by your certificate, enter a fully-qualified hostname for the SMC in the Automatic Redirect field. Redirection is commonly used to make the URL a user visits match the Common Name (CN) or Subject Alternative Name (SAN) in the SSL certificate, so that the browser can establish trust. If a browser opens the SMC via an HTTP URL, the connection is redirected to the hostname you entered, using HTTPS. For example, if you entered yb100.redirectme.com in the Automatic Redirect field, http://yb100 is redirected to https://yb100.redirectme.com. The hostname you enter must itself appear in the certificate's CN or SAN; otherwise the redirected page raises the same certificate warning.
- Click Save Settings in the top-right corner of the Configuration Settings screen.
- Restart the database as prompted, using ybcli:
$ ybcli -y database stop
...
$ ybcli database start
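After the restart, confirm from a client host that the appliance presents what the procedure configured: a TLS 1.2 handshake, a chain that verifies against your CA (rather than a client setting that ignores verification), a certificate matching the hostname, and the HTTP to HTTPS redirect. The script below is an added example, not Yellowbrick's tooling. It assumes POSIX sh with OpenSSL 1.1.1 or later and curl on PATH; the hostnames (yb100, yb100.example.com), the CA file name corp-ca.pem and the port numbers in the usage lines are placeholders, and the real ports come from Opening Network Ports for Clients.

```shell
#!/bin/sh
# Added example, not Yellowbrick's tooling: verify from a client host what the
# appliance presents after the restart. Assumes POSIX sh with OpenSSL 1.1.1+
# and curl on PATH. Hostnames and port numbers in the usage lines are
# placeholders; take the real ports from "Opening Network Ports for Clients".
set -eu

# probe_tls HOST PORT CAFILE [STARTTLS]
# Succeeds only if a TLS 1.2 handshake completes, the chain verifies against
# CAFILE (your corporate CA, not a blanket "trust anything" setting) and the
# certificate matches HOST, i.e. what a browser or an sslmode=verify-full
# client checks. The SMC listener is plain TLS; the front-end PostgreSQL
# listener starts in cleartext and upgrades, which s_client speaks with
# "-starttls postgres". -tls1_2 pins the probe to the version the appliance
# supports. PROBE_ADDR, if set, is the address to connect to while HOST
# remains the name checked against the certificate (useful before the DNS
# name used for the redirect exists).
probe_tls() {
  host=$1; port=$2; cafile=$3; starttls=${4:-}
  addr=${PROBE_ADDR:-$host}
  extra=""
  [ -n "$starttls" ] && extra="-starttls $starttls"
  if out=$(openssl s_client -connect "$addr:$port" -servername "$host" -tls1_2 \
             -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
             $extra </dev/null 2>&1); then
    case $out in
      *"Verify return code: 0 (ok)"*)
        echo "$host:$port: TLS 1.2 handshake, chain and hostname OK"; return 0 ;;
    esac
  fi
  echo "$host:$port: handshake or certificate verification failed"
  return 1
}

# redirect_target URL
# Prints the Location an http:// URL answers with (empty if it is not a
# redirect). In SSL-only mode with Automatic Redirect set to
# yb100.example.com, http://yb100/ should answer with https://yb100.example.com/.
redirect_target() {
  curl -s -o /dev/null -w '%{redirect_url}' "$1"
}

# Usage against an appliance (placeholder names and ports):
#   probe_tls yb100.example.com 443  corp-ca.pem            # SMC HTTPS listener
#   probe_tls yb100.example.com 5432 corp-ca.pem postgres   # front-end PostgreSQL
#   redirect_target http://yb100/                          # Automatic Redirect check
if [ $# -ge 3 ]; then
  probe_tls "$@"
fi
```

A probe that only passes with PROBE_ADDR set, or only for one of the names users type, means the certificate's SAN and the Automatic Redirect hostname do not agree; fix the certificate rather than relaxing client verification.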