--- title: "Configure TCP" description: "Configure Aerospike Secret Agent TCP listeners and TLS settings for secure, cross-host connections." --- # Configure TCP > For the complete documentation index see: [llms.txt](https://aerospike.com/docs/llms.txt) > > All documentation pages available in markdown. Use a TCP listener when Secret Agent and Aerospike Database run on different hosts, or when you need TLS encryption for the connection. For same-host deployments where TLS is not required, consider using a [UDS connection](https://aerospike.com/docs/database/tools/secret-agent/listener/uds) instead. To configure a TCP listener, add the `tcp` section to the `service` context in your Secret Agent configuration file: ```yaml service: tcp: endpoint: 0.0.0.0:3005 ``` The `endpoint` value specifies the address and port where Secret Agent listens for connections. An address of `0.0.0.0` listens on all interfaces. To listen on a specific interface, set the address to that interface’s IP address. The IP address can be in IPv4 or IPv6 format. ## TLS configuration Secret Agent supports TLS v1.2 and v1.3 over TCP. For one-way authentication, where the client verifies Secret Agent’s identity: ```yaml service: tcp: endpoint: 0.0.0.0:3005 tls: cert-file: /etc/aerospike/secret-agent/cert.pem key-file: /etc/aerospike/secret-agent/key.pem ``` For mutual authentication, add `ca-file` to verify client certificates: ```yaml service: tcp: endpoint: 0.0.0.0:3005 tls: cert-file: /etc/aerospike/secret-agent/cert.pem key-file: /etc/aerospike/secret-agent/key.pem ca-file: /etc/aerospike/secret-agent/ca-file.pem ``` The certificate and key files must be readable by the Secret Agent process and must be in PEM format. The client (Aerospike Database or other tools) must have the corresponding CA certificate to validate these certificates. See the [Aerospike TLS configuration guide](https://aerospike.com/docs/database/manage/network/tls) for details on configuring TLS certificates with Aerospike Database.