Product DocumentationSecure Connections for Java-based ybtools
The following Java-based client tools support Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption:
ybloadybunloadybbackup,ybrestoreybrelay: for details, see Setting Up the ybrelay Service
Note: ybsql also supports SSL/TLS but with different options. See ybsql Connections.
These tools provide the following security options:
--secured: require SSL, which has the default SSLMODE of require root ca verification- When
--securedis set, SSL/TLS encryption is used to secure all communication. The default setting is not secured; no encryption is used. --cacert: supply a custom root ca bundle for trusting the cert installed under Yellowbrick- Note that this is not a server cert to be used in two-way trust.
--disable-trust: do not require root cert verification--disable-trustis significant because it turns off the SSL/TLS root CA certification, not SSL/TLS. The bulk data tools require root CA certification by default. However,ybsqland many client tools do not require root CA certification.
Note: When SSL-only mode is enabled, you do not need to use the --secured option in ybtools commands. However, the behavior described here for the --cacert and --disable-trust options still applies.
See Opening Network Ports for Clients for a list of the port numbers that the client tools use for data control and data transfer. The ybtools data transfer ports will remain unencrypted if the --secured option is not set or SSL-only mode is not enabled.
When you are making a secure connection with Java-based ybtools:
- The default connection mode is determined by whether Enable SSL-only communications is set for the Yellowbrick data warehouse. If SSL-only is enabled, connections must be secure. To check this setting, log into the SMC and go to Configure > Settings > SSL > Configuration.
- To require connections to be secure if they are not by default, use the
--securedoption within each Java-based tool. - By default, secure connections require trust verification. To disable trust verification, use the
--disable-trustoption within each Java-based tool. - Because the Java-based tools use the Java certificate keystore, you will typically need to have a root cert bundle file only for intermediary certificates issued by your organization.
- If you do need certificates included in a custom root cert file, the order of precedence for the file to use is the option
--cacert, the environment variableYBCACERT(recognized only by the Java tools), then the environment variablesYBSSLROOTCERTandPGSSLROOTCERT. - The
--cacertoption has an alternative syntax for the Java keystore format file that is not found in the drivers or ybqsl. For Java keystore files for certificates, use--cacert yellowbrick.jks:mypassword, where the:character separates the file name from the password of the keystore. - If you are using a Java application/JDBC driver, you can update the Java SSL trust keystore to avoid providing a root cert bundle, but this approach is not generally recommended.
Summary of Options for Java-based ybtools
| Property | Value / From | Notes |
|---|---|---|
| TLS/SSL port | 11112 | Regular bulk traffic port is 11111Regular TLS database traffic port is 443 |
| Default TLS mode | Yellowbrick SSL/TLS mode | If Yellowbrick TLS/SSL only is not enabled, TLS is off by default. |
| Alternative TLS mode | --secured | Enable TLS/SSL even if not required. |
| Default trust mode | Verify CA mode | If TLS is enabled, CA verification is required by default. |
--disable-trust | ||
| Default root cert file | root.cert or root.crt | See Creating a Client-Side root CA File. |
| Alternative root cert file | --cacertYBCACERTYBSSLROOTCERTPGSSLROOTCERT | Alternative root cert will be looked for in this order of preference. |
Parent topic:Configuring SSL/TLS for Tools and Drivers