- Introduction
- Concepts
- Architecture
- Key Features
- Horizontal Scalability
- MySQL Compatible Syntax
- Replicate from and to MySQL
- Distributed Transactions with Strong Consistency
- Cloud Native Architecture
- Minimize ETL with HTAP
- Fault Tolerance & Recovery with Raft
- Automatic Rebalancing
- Deployment and Orchestration with Ansible, Kubernetes, Docker
- JSON Support
- Spark Integration
- Read Historical Data Without Restoring from Backup
- Fast Import and Restore of Data
- Hybrid of Column and Row Storage
- SQL Plan Management
- Open Source
- Online Schema Changes
- How-to
- Get Started
- Deploy
- Hardware Recommendations
- From Binary Tarball
- Orchestrated Deployment
- Geographic Redundancy
- Data Migration with Ansible
- Configure
- Secure
- Transport Layer Security (TLS)
- Generate Self-signed Certificates
- Monitor
- Migrate
- Maintain
- Scale
- Upgrade
- Troubleshoot
- Reference
- SQL
- MySQL Compatibility
- SQL Language Structure
- Data Types
- Functions and Operators
- Function and Operator Reference
- Type Conversion in Expression Evaluation
- Operators
- Control Flow Functions
- String Functions
- Numeric Functions and Operators
- Date and Time Functions
- Bit Functions and Operators
- Cast Functions and Operators
- Encryption and Compression Functions
- Information Functions
- JSON Functions
- Aggregate (GROUP BY) Functions
- Miscellaneous Functions
- Precision Math
- SQL Statements
ADD COLUMNADD INDEXADMINADMIN CANCEL DDLADMIN CHECKSUM TABLEADMIN CHECK [TABLE|INDEX]ADMIN SHOW DDL [JOBS|QUERIES]ALTER DATABASEALTER TABLEALTER USERANALYZE TABLEBEGINCHANGE COLUMNCOMMITCREATE DATABASECREATE INDEXCREATE TABLE LIKECREATE TABLECREATE USERDEALLOCATEDELETEDESCDESCRIBEDODROP COLUMNDROP DATABASEDROP INDEXDROP TABLEDROP USEREXECUTEEXPLAIN ANALYZEEXPLAINFLUSH PRIVILEGESFLUSH STATUSFLUSH TABLESGRANT <privileges>INSERTKILL [TIDB]LOAD DATALOAD STATSMODIFY COLUMNPREPARERENAME INDEXRENAME TABLEREPLACEREVOKE <privileges>ROLLBACKSELECTSET [NAMES|CHARACTER SET]SET PASSWORDSET TRANSACTIONSET [GLOBAL|SESSION] <variable>SHOW CHARACTER SETSHOW COLLATIONSHOW [FULL] COLUMNS FROMSHOW CREATE TABLESHOW DATABASESSHOW ENGINESSHOW ERRORSSHOW [FULL] FIELDS FROMSHOW GRANTSSHOW INDEXES [FROM|IN]SHOW INDEX [FROM|IN]SHOW KEYS [FROM|IN]SHOW PRIVILEGESSHOW [FULL] PROCESSSLISTSHOW SCHEMASSHOW STATUSSHOW [FULL] TABLESSHOW TABLE STATUSSHOW [GLOBAL|SESSION] VARIABLESSHOW WARNINGSSTART TRANSACTIONTRACETRUNCATEUPDATEUSE
- Constraints
- Generated Columns
- Character Set
- Configuration
- Security
- Transactions
- System Databases
- Errors Codes
- Supported Client Drivers
- Garbage Collection (GC)
- Performance
- Key Monitoring Metrics
- Alert Rules
- Best Practices
- TiSpark
- TiDB Binlog
- Tools
- Overview
- Use Cases
- Download
- Mydumper
- Syncer
- Loader
- TiDB Data Migration
- TiDB Lightning
- sync-diff-inspector
- PD Control
- PD Recover
- TiKV Control
- TiDB Control
- FAQs
- Support
- Contribute
- Releases
- All Releases
- v2.1
- v2.0
- v1.0
- Glossary
You are viewing the documentation of an older version of the TiDB database (TiDB v2.1).
Enable TLS Authentication
Overview
This document describes how to enable TLS authentication in the TiDB cluster. The TLS authentication includes the following two conditions:
- The mutual authentication between TiDB components, including the authentication among TiDB, TiKV and PD, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, and it does not support applying to only part of the components.
- The one-way and mutual authentication between the TiDB server and the MySQL Client.
The authentication between the MySQL Client and the TiDB server uses one set of certificates, while the authentication among TiDB components uses another set of certificates.
Enable mutual TLS authentication among TiDB components
Prepare certificates
It is recommended to prepare a separate server certificate for TiDB, TiKV and PD, and make sure that they can authenticate each other. The clients of TiDB, TiKV and PD share one client certificate.
You can use multiple tools to generate self-signed certificates, such as openssl, easy-rsa and cfssl.
See an example of generating self-signed certificates using cfssl.
Configure certificates
To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV and PD as follows.
TiDB
Configure in the configuration file or command line arguments:
[security]
# Path of file that contains list of trusted SSL CAs for connection with cluster components.
cluster-ssl-ca = "/path/to/ca.pem"
# Path of file that contains X509 certificate in PEM format for connection with cluster components.
cluster-ssl-cert = "/path/to/tidb-server.pem"
# Path of file that contains X509 key in PEM format for connection with cluster components.
cluster-ssl-key = "/path/to/tidb-server-key.pem"
TiKV
Configure in the configuration file or command line arguments, and set the corresponding URL to https:
[security]
# set the path for certificates. Empty string means disabling secure connections.
ca-path = "/path/to/ca.pem"
cert-path = "/path/to/tikv-server.pem"
key-path = "/path/to/tikv-server-key.pem"
PD
Configure in the configuration file or command line arguments, and set the corresponding URL to https:
[security]
# Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
cacert-path = "/path/to/ca.pem"
# Path of file that contains X509 certificate in PEM format.
cert-path = "/path/to/pd-server.pem"
# Path of file that contains X509 key in PEM format.
key-path = "/path/to/pd-server-key.pem"
Now mutual authentication among TiDB components is enabled.
When you connect the server using the client, it is required to specify the client certificate. For example:
./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"