SSL/TLS Settings For ybtools

The following client tools support Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption:
  • ybload
  • ybunload
  • ybbackup, ybrestore
Note: ybsql also supports SSL/TLS but with different options. See ybsql Connections.
These tools provide the following security options:
  • --secured: require SSL/TLS; the default SSL mode requires root CA verification
    • When --secured is set, SSL/TLS encryption is used to secure all communication. By default, --secured is not set and no encryption is used.
  • --cacert: supply a custom root CA bundle for trusting the certificate installed under Yellowbrick
    • Note that this is not a server certificate to be used in two-way trust.
  • --disable-trust: do not require root CA certificate verification
    • --disable-trust is significant because it turns off SSL/TLS root CA certificate verification, not SSL/TLS itself. The bulk data tools require root CA verification by default. However, ybsql and many client tools do not require it.
Note: When SSL-only mode is enabled, you do not need to use the --secured option in ybtools commands. However, the behavior described here for the --cacert and --disable-trust options still applies.

See Opening Network Ports for Clients for a list of the port numbers that the client tools use for data control and data transfer. The ybtools data transfer ports remain unencrypted unless the --secured option is set or SSL-only mode is enabled.
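
The following added example (not part of the Yellowbrick documentation or tools) audits a job script for ybtools commands that run without encryption or without root CA verification, following the option behavior described above. The finding codes, file paths, the sample script, and the tolerance for a --flag=value spelling are assumptions made for illustration.

```python
import shlex

# Tools the page lists as sharing these options (ybsql uses different ones).
YBTOOLS = {"ybload", "ybunload", "ybbackup", "ybrestore"}

def audit_command(line, ssl_only_mode=False):
    """Return finding codes for one command line; [] if it is not a ybtools call."""
    argv = shlex.split(line, comments=True)
    if not argv or argv[0].rsplit("/", 1)[-1] not in YBTOOLS:
        return []
    # Assumption: tolerate a --flag=value spelling as well as --flag value.
    flags = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")}
    findings = []
    # Traffic is encrypted only with --secured or when SSL-only mode is enabled.
    if "--secured" not in flags and not ssl_only_mode:
        findings.append("UNENCRYPTED")
    # --disable-trust keeps encryption but skips root CA verification.
    if "--disable-trust" in flags:
        findings.append("NO_CA_VERIFICATION")
        if "--cacert" in flags:
            # A CA bundle was supplied, yet verification is switched off.
            findings.append("CACERT_WITH_DISABLE_TRUST")
    return findings

def audit_script(text, ssl_only_mode=False):
    """Return (line_number, findings) for every flagged ybtools command in text."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_command(line, ssl_only_mode)
        if findings:
            report.append((number, findings))
    return report

# Constructed sample job script; paths and the "..." placeholders are illustrative.
SAMPLE = """\
#!/bin/sh
ybload --secured --cacert /etc/yb/root-ca.pem ...
ybunload ...
/opt/ybtools/bin/ybbackup --secured --disable-trust ...
ybrestore --secured --cacert /etc/yb/root-ca.pem --disable-trust ...
ybsql ...
"""

if __name__ == "__main__":
    for number, findings in audit_script(SAMPLE):
        print(f"line {number}: {', '.join(findings)}")
```

Pass ssl_only_mode=True when the cluster runs in SSL-only mode, so that commands without --secured are not reported as unencrypted.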