Issues in TiDB Security Hardening

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb安全加固问题

| username: usretyn


【TiDB Usage Environment】Production Environment
【TiDB Version】v5.3.1
【Encountered Issue】
The parameter enable_tls:true was not set during the default installation.
Later, according to the official documentation "Enable TLS Between TiDB Components | PingCAP Documentation Center", the relevant certificates were configured.
Using tiup cluster reload tidb, the service could not start.
Checking the deployment directory scripts of each node, the URL of pd did not automatically change to the https protocol.
What other configurations are needed after configuring according to the official guide for enabling encrypted transmission between TiDB components?

| username: yilong | Original post link

  1. If you want to enable it, you can configure the parameters when creating a new cluster.
  2. If it is already in use and you want to enable it, it is relatively troublesome.
    (1) Scale down PD nodes to 1
    (2) tiup cluster tls enable
    (3) Check the output of the member command executed by pd-ctl to ensure that the corresponding peer_urls and client_urls have changed to the https protocol. If they are not in the https protocol, you need to check the environment and execute tiup cluster tls ${cluster_name} disable to roll back; if they are all in the https protocol, you can proceed to the next step.
    (4) Scale up PD
    (5) After enabling, if there are binlog or ticdc, dashboard, etc., you need to verify. It is best to try it in a test environment first.
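Step (3) above is the check that decides whether to continue or roll back, and it is easy to miss a single `http://` URL when reading `pd-ctl member` output by eye. The following script is an added example, not code from the original thread or from the TiDB project: it parses the JSON that `pd-ctl -u <pd-address> member` prints (assumed to follow pd-ctl's `members` / `peer_urls` / `client_urls` layout) and reports every PD member whose URLs are still not `https`. The embedded sample output is constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample of `pd-ctl member` JSON output (shape follows pd-ctl's
# member listing; names, IDs and addresses are made up). pd-2 has not been
# switched to https, which is the condition the thread says must be fixed
# (or rolled back with `tiup cluster tls <cluster> disable`) before scaling
# PD back up.
SAMPLE_MEMBER_OUTPUT = """
{
  "header": {"cluster_id": 1},
  "members": [
    {"name": "pd-1", "member_id": 1,
     "peer_urls": ["https://10.0.0.1:2380"],
     "client_urls": ["https://10.0.0.1:2379"]},
    {"name": "pd-2", "member_id": 2,
     "peer_urls": ["http://10.0.0.2:2380"],
     "client_urls": ["http://10.0.0.2:2379"]}
  ],
  "leader": {"name": "pd-1", "member_id": 1}
}
"""


def non_tls_urls(member_json: str) -> dict:
    """Return {member_name: [url, ...]} for every peer_url or client_url
    whose scheme is not https. An empty dict means every member is on TLS."""
    data = json.loads(member_json)
    offending = {}
    for member in data.get("members", []):
        plain = [
            url
            for key in ("peer_urls", "client_urls")
            for url in member.get(key, [])
            if urlsplit(url).scheme.lower() != "https"
        ]
        if plain:
            offending[member.get("name", "<unnamed>")] = plain
    return offending


def tls_ready(member_json: str) -> bool:
    """True only when all PD peer and client URLs use https."""
    return not non_tls_urls(member_json)


if __name__ == "__main__":
    # Usage: pd-ctl -u https://<pd-host>:2379 member | python check_pd_tls.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MEMBER_OUTPUT
    bad = non_tls_urls(raw)
    for name, urls in bad.items():
        print(f"{name}: still non-https -> {', '.join(urls)}")
    print("all PD URLs use https" if not bad else "TLS not complete, do not scale up yet")
    sys.exit(0 if not bad else 1)
```

Pipe real `pd-ctl member` output into the script after `tiup cluster tls enable`; a non-zero exit means step (3) failed and the cluster should be checked or rolled back before scaling PD up again.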