[doc][yba] Encryption in transit update

docs/content/preview/explore/change-data-capture/debezium-connector-yugabytedb.md

@@ -1043,9 +1043,9 @@ The APIs used to fetch the changes are set up to work with TLSv1.2 only. Make su
 
 If you have a YugabyteDB cluster with SSL enabled, you need to obtain the root certificate and provide the path of the file in the `database.sslrootcert` configuration property. You can follow these links to get the certificates for your universe:
 
-* [Local deployments](../../../secure/tls-encryption/)
-* [YugabyteDB Anywhere](../../../yugabyte-platform/security/enable-encryption-in-transit/#connect-to-a-ysql-endpoint-with-tls)
-* [YugabyteDB Aeon](../../../yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#download-your-cluster-certificate)
+- [Local deployments](../../../secure/tls-encryption/)
+- [YugabyteDB Anywhere](../../../yugabyte-platform/create-deployments/connect-to-universe/#download-the-universe-certificate)
+- [YugabyteDB Aeon](../../../yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#download-your-cluster-certificate)
 
 {{< /note >}}
 

docs/content/preview/yugabyte-cloud/cloud-connect/connect-client-shell.md

@@ -26,7 +26,7 @@ Before you can connect a desktop client to a YugabyteDB Aeon cluster, you need t
 
 Before you can connect using a shell or other client, you need to add your computer to the cluster IP allow list.
 
-By default, clusters deployed in a VPC do not expose any publicly-accessible IP addresses. To add public IP addresses, enable [Public Access](../../../yugabyte-cloud/cloud-secure-clusters/add-connections/#enabling-public-access) on the cluster **Settings > Network Access** tab. Alternatively, use the [Cloud shell](../connect-cloud-shell/) instead.
+By default, clusters deployed in a VPC do not expose any publicly-accessible IP addresses. To add public IP addresses, enable [Public Access](../../cloud-secure-clusters/add-connections/#enabling-public-access) on the cluster **Settings > Network Access** tab. Alternatively, use the [Cloud shell](../connect-cloud-shell/) instead.
 
 For more information, refer to [IP allow list](../../cloud-secure-clusters/add-connections).
 

docs/content/preview/yugabyte-cloud/cloud-connect/connect/ysql.md

@@ -14,7 +14,7 @@ To connect to a cluster using `ysqlsh`:
 1. If your cluster is deployed in a VPC, choose **Private Address** if you are connecting from a peered VPC. Otherwise, choose **Public Address** (only available if you have enabled Public Access for the cluster; not recommended for production).
 1. Copy the **YSQL** connection string.
 
-    The connection string includes flags specifying the host (`host`), username (`user`), database (`dbname`), and TLS settings (`sslmode` and `sslrootcert`). The command specifies that the connection will use the CA certificate you installed on your computer. For information on using other SSL modes, refer to [SSL modes in YSQL](../../../cloud-secure-clusters/cloud-authentication/#ssl-modes-in-ysql).
+    The connection string includes flags specifying the host (`host`), username (`user`), database (`dbname`), and TLS settings (`sslmode` and `sslrootcert`). The command specifies that the connection will use the CA certificate you installed on your computer. For information on using other SSL modes, refer to [SSL modes in YSQL](/preview/yugabyte-cloud/cloud-secure-clusters/cloud-authentication/#ssl-modes-in-ysql).
 
     Here's an example of the generated `ysqlsh` command:
 

docs/content/preview/yugabyte-cloud/cloud-secure-clusters/_index.md

@@ -19,7 +19,7 @@ YugabyteDB Aeon clusters include the following security features:
 | :--- | :--- |
 | [Network authorization](add-connections/) | Access to YugabyteDB Aeon clusters is limited to IP addresses that you explicitly allow using IP allow lists.<br>You can further enhance security and lower network latencies by deploying clusters in a [virtual private cloud (VPC) network](../cloud-basics/cloud-vpcs/). |
 | [Database&nbsp;authorization](cloud-users/) | YugabyteDB uses [role-based access control](cloud-users/) for database authorization. Using the default database admin user that is created when a cluster is deployed, you can [add additional roles and users](add-users/) to provide custom access to database resources to other team members and database clients. |
-| [Encryption in transit](cloud-authentication/) | YugabyteDB Aeon uses encryption-in-transit for client-server and intra-node connectivity. |
+| [Encryption in transit](cloud-authentication/) | YugabyteDB Aeon uses encryption in transit for client-server and intra-node connectivity. |
 | [Encryption at rest](managed-ear/) | Data at rest, including clusters and backups, is AES-256 encrypted using native cloud provider technologies: S3 and EBS volume encryption for AWS, Azure disk encryption, and server-side and persistent disk encryption for GCP. For additional security, you can encrypt your clusters using keys that you manage yourself. |
 | [Auditing](cloud-activity/) | YugabyteDB Aeon provides detailed auditing of activity on your account, including cluster creation, changes to clusters, changes to IP allow lists, backup activity, billing, access history, and more. |
 

docs/content/preview/yugabyte-platform/administer-yugabyte-platform/high-availability.md

@@ -144,7 +144,7 @@ For example, if your metrics retention is 14 days on your active instance, and y
 
 After HA is operational, it is recommended that you enable certificate validation to improve security of communication between the active and any standby instances. Enable certificate validation as follows:
 
-1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/#add-certificates-to-your-trust-store).
+1. Add certificates for the active and all standbys to the active instance [trust store](../../security/enable-encryption-in-transit/trust-store/).
 
     - If YBA was set up to use a custom server certificate, locate the corresponding Certificate Authority (CA) certificate.
     - If YBA was set up to use automatically generated self-signed certificates and you installed YBA using YBA Installer, locate the CA certificate at `/opt/yugabyte/data/yba-installer/certs/ca_cert.pem` on both the YBA active and standby instances. (If you configured a custom install root, replace `/opt/yugabyte` with the path you configured.)

docs/content/preview/yugabyte-platform/configure-yugabyte-platform/kubernetes.md

@@ -122,7 +122,7 @@ Continue configuring your Kubernetes provider by clicking **Add region** and com
 
 1. Complete the **Overrides** field using one of the provided [options](#overrides). If you do not specify anything, YBA uses defaults specified inside the Helm chart. For additional information, see [Open source Kubernetes](../../../deploy/kubernetes/single-zone/oss/helm-chart/).
 
-1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/#kubernetes-cert-manager).
+1. If you are using [Kubernetes cert-manager](https://cert-manager.io) to manage TLS certificates, specify the issuer type and enter the issuer name. For more information, refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/add-certificate-kubernetes/).
 
 If required, add a new zone by clicking **Add Zone**, as your configuration may have multiple zones.
 

docs/content/preview/yugabyte-platform/create-deployments/connect-to-universe.md

@@ -21,13 +21,36 @@ You can connect to the database on a universe in the following ways:
 
 ## Download the universe certificate
 
-If the universe uses encryption in transit, to connect you need to first download the universe TLS root certificate. Do the following:
+If the universe uses Client-to-Node encryption in transit, to connect you need to first download the universe TLS certificate. Do the following:
 
 1. Navigate to **Configs > Security > Encryption in Transit**.
 
-1. Find the certificate for your universe in the list and click **Actions** and download the certificate.
+1. Find your universe in the list.
 
-For more information on connecting to TLS-enabled universes, refer to [Connect to clusters](../../security/enable-encryption-in-transit/#connect-to-clusters).
+1. Download the certificate.
+
+    - If you are connecting using a YSQL client (such as ysqlsh), click **Actions**, and choose **Download YSQL Cert**.
+
+        This downloads the `yugabytedb.crt` and `yugabytedb.key` files.
+
+    - If you are connecting using a YCQL client (such as ycqlsh), click **Actions**, and choose **Download Root CA Cert**.
+
+        This downloads the `root.crt` file.
+
+    - If you are connecting to universes that are configured with custom CA-signed certificates, obtain the root CA and client YSQL certificate from your administrator. These certificates are not available on YugabyteDB Anywhere for downloading.
+
+1. For connecting using a `ysqlsh` client, paste the `yugabytedb.crt` and `yugabytedb.key` files into the `<home-dir>/.yugabytedb` directory and change the permissions to `0600`, as follows:
+
+    ```sh
+    mkdir ~/.yugabytedb; cd ~/.yugabytedb
+    cp <DownloadDir>/yugabytedb.crt .
+    cp <DownloadDir>/yugabytedb.key .
+    chmod 600 yugabytedb.*
+    ```
+
+To use TLS from a different client, consult the client-specific documentation. For example, if you are using a PostgreSQL JDBC driver to connect to YugabyteDB, see [Configuring the client](https://jdbc.postgresql.org/documentation/head/ssl-client.html) for more details.
+
+If you are using PostgreSQL/YugabyteDB JDBC driver with SSL, you need to convert the certificates to DER format. To do this, you need to perform only steps 6 and 7 from [Set up SSL certificates for Java applications](../../../reference/drivers/java/postgres-jdbc-reference/#set-up-ssl-certificates-for-java-applications) section after downloading the certificates.
 
 ## Connect to a universe node
 
@@ -132,7 +155,7 @@ curl --location --request PUT 'http://<ip>/api/v1/customers/<customer_uuid>/runt
     docker run -it yugabytedb/yugabyte-client ysqlsh -h <hostname> -p <port>
     ```
 
-- If your universe has TLS/SSL (encryption in-transit) enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer.
+- If your universe has Client-to-Node encryption in-transit enabled, you need to [download the certificate](#download-the-universe-certificate) to your computer.
 
 - The host address of an endpoint on your universe.
 

docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone-kubernetes.md

@@ -71,16 +71,16 @@ Complete the **Security Configurations** section as follows:
 - **Enable YSQL Auth** - specify whether or not to enable the YSQL password authentication.
 - **Enable YCQL** - specify whether or not to enable the YCQL API endpoint for running Cassandra-compatible workloads. This setting is enabled by default.
 - **Enable YCQL Auth** - specify whether or not to enable the YCQL password authentication.
-- **Enable Node-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between the database servers. This setting is enabled by default.
-- **Enable Client-to-Node TLS** - specify whether or not to enable encryption-in-transit for communication between clients and the database servers. This setting is enabled by default.
+- **Enable Node-to-Node TLS** - specify whether or not to enable encryption in transit for communication between the database servers. This setting is enabled by default.
+- **Enable Client-to-Node TLS** - specify whether or not to enable encryption in transit for communication between clients and the database servers. This setting is enabled by default.
 - **Root Certificate** - select an existing security certificate or create a new one.
 - **Enable Encryption at Rest** - specify whether or not to enable encryption for data stored on the tablet servers. This setting is disabled by default.
 
 ### Advanced Configuration
 
 Complete the **Advanced** section as follows:
 
-- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere.
+- In the **DB Version** field, specify the YugabyteDB version. The default is either the same as the YugabyteDB Anywhere version or the latest YugabyteDB version available for YugabyteDB Anywhere. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/).
 - Use the **Enable IPV6** field to specify whether or not you want to use IPV6 networking for connections between database servers. This setting is disabled by default.
 - Use the **Enable Public Network Access** field to specify whether or not to assign a load balancer or nodeport for connecting to the database endpoints over the internet. This setting is disabled by default.
 

docs/content/preview/yugabyte-platform/create-deployments/create-universe-multi-zone.md

@@ -84,27 +84,46 @@ Specify the instance to use for the universe nodes:
 
 ### Security Configurations
 
+#### IP Settings
+
 To enable public access to the universe, select the **Assign Public IP** option.
 
+#### Authentication Settings
+
 Enable the YSQL and YCQL endpoints and database authentication. You can also enable and disable authentication after deployment. Navigate to your universe, click **Actions**, and choose **Edit YSQL Configuration** or **Edit YCQL Configuration**.
 
 Enter the password to use for the default database admin superuser (yugabyte for YSQL, and cassandra for YCQL). For more information, refer to [Database authorization](../../security/authorization-platform/).
 
-Enable encryption in transit to encrypt universe traffic. Refer to [Enable encryption in transit](../../security/enable-encryption-in-transit/).
+#### Encryption Settings
+
+Enable encryption in transit to encrypt universe traffic. You can enable the following:
+
+- **Node-to-Node TLS** to encrypt traffic between universe nodes.
+- **Client-to-Node TLS** to encrypt traffic between universe nodes and external clients.
+
+    Note that if you want to enable Client-to-Node encryption, you first must enable Node-to-Node encryption.
+
+Encryption requires a certificate. YugabyteDB Anywhere can generate a self-signed certificate automatically, or you can use your own certificate.
+
+To use your own, you must first add it to YugabyteDB Anywhere; refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-self/).
+
+To have YugabyteDB Anywhere generate a certificate for the universe, use the default **Root Certificate** setting of **Create New Certificate**. To use a certificate you added or a previously generated certificate, select it from the **Root Certificate** menu.
+
+For more information on using and managing certificates, refer to [Encryption in transit](../../security/enable-encryption-in-transit/).
 
-Enable encryption at rest to encrypt the universe data. Refer to [Enable encryption at rest](../../security/enable-encryption-at-rest/).
+To encrypt the universe data, select the **Enable encryption at rest** option and select the [KMS configuration](../../security/create-kms-config/aws-kms/) to use for encryption. For more information, refer to [Encryption at rest](../../security/enable-encryption-at-rest/).
 
 ### Advanced Configuration
 
-Choose the version of YugabyteDB to install on the nodes.
+Choose the version of YugabyteDB to install on the nodes. If the version you want to add is not listed, you can add it to YugabyteDB Anywhere. Refer to [Manage YugabyteDB releases](../../manage-deployments/ybdb-releases/).
 
 The access key is the SSH key that is created in the provider. Usually, each provider has its own access key, but if you are reusing keys across providers, they are listed here.
 
 For AWS providers, you can assign an ARN to the nodes in the universe; this allow them to be seamlessly backed up without explicit credentials.
 
 To use cron instead of systemd for managing nodes, you can disable systemd services. This not recommended.
 
-To customize the ports used for the universe, select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change.
+To customize the [ports used for the universe](../../prepare/networking/), select the **Override Deployment Ports** option and enter the custom port numbers for the services you want to change. Any value from `1024` to `65535` is valid, as long as it doesn't conflict with anything else running on nodes to be provisioned.
 
 ### G-Flags
 

docs/content/preview/yugabyte-platform/manage-deployments/edit-universe.md

@@ -40,7 +40,7 @@ YugabyteDB Anywhere performs these modifications through the [YB-Masters](../../
 
 Note that you can't change the replication factor of a universe.
 
-To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, follow the instructions in [Expand the universe](../../security/enable-encryption-in-transit#expand-the-universe).
+To change the number of nodes of universes created with an on-premises cloud provider and secured with third-party certificates obtained from external certification authorities, you must first add the certificates to the nodes you will add to the universe. Refer to [Add certificates](../../security/enable-encryption-in-transit/add-certificate-ca/). Ensure that the certificates are signed by the same external CA and have the same root certificate. In addition, ensure that you copy the certificates to the same locations that you originally used when creating the universe.
 
 ### Smart resize
 

docs/content/preview/yugabyte-platform/security/_index.md

@@ -22,8 +22,8 @@ type: indexpage
     icon="/images/section_icons/secure/checklist.png">}}
 
   {{<index/item
-    title="Configure ports"
-    body="Configure YugabyteDB ports for security purposes."
+    title="Customize ports"
+    body="Customize universe ports."
     href="customize-ports/"
     icon="/images/section_icons/index/secure.png">}}
 
@@ -40,13 +40,13 @@ type: indexpage
     icon="/images/section_icons/secure/authorization.png">}}
 
   {{<index/item
-    title="Enable encryption in transit (TLS)"
-    body="Enable encryption in transit using TLS to secure data in transit."
+    title="Encryption in transit"
+    body="Use encryption in transit to secure data in transit."
     href="enable-encryption-in-transit/"
     icon="/images/section_icons/secure/tls-encryption.png">}}
 
   {{<index/item
-    title="Enable encryption at rest"
+    title="Encryption at rest"
     body="Enable encryption at rest to protect data in storage."
     href="enable-encryption-at-rest/"
     icon="/images/section_icons/secure/tls-encryption.png">}}

docs/content/preview/yugabyte-platform/security/customize-ports.md

@@ -1,8 +1,9 @@
 ---
-title: Configure ports
-headerTitle: Configure ports
-linkTitle: Configure ports
-description: Configure ports
+title: Customize ports
+headerTitle: Customize ports
+linkTitle: Customize ports
+description: Customize ports used by YugabyteDB Anywhere universes
+headcontent: Change the ports used by your universe
 menu:
   preview_yugabyte-platform:
     parent: security
@@ -13,7 +14,7 @@ type: docs
 
 YugabyteDB Anywhere and the universes it manages use a set of [default ports](../../prepare/networking/) to manage access to services.
 
-When deploying a universe, YugabyteDB Anywhere allows you to customize these ports.
+When [deploying a universe](../../create-deployments/), YugabyteDB Anywhere allows you to customize some of these ports.
 
 ## Customize ports