Configure mTLS for SingleStore Kafka Sink Connector

To configure a mutual TLS (mTLS) connection for the SingleStore Kafka Sink Connector ("the connector") on SingleStore Helios:

  1. Generate client certificates.

  2. Create a Java keystore.

  3. Configure SingleStore.

  4. Create a database user that requires certificate-based mTLS authentication.

  5. Update the connector configuration.

Generate Client Certificates

Refer to Generate Client Certificates for SingleStore mTLS Connection for information on generating the required certificates for mTLS authentication.

The following files are generated:

  • ca-key.pem: The private key for the CA.

  • ca-cert.pem: The public CA certificate.

  • client-key.pem: The client private key.

  • client-cert.pem: The client certificate signed by the CA.

Additionally, download the singlestore_bundle.pem certificate file.

Create a Java Keystore

The connector uses the SingleStore JDBC driver internally, which expects the client certificate and key in a keystore format. Convert the .pem files to a .p12 keystore using OpenSSL. Update the certificate file paths, and then run the following command:

openssl pkcs12 -export \
-inkey /path/to/client-key.pem \
-in /path/to/client-cert.pem \
-out client-keystore.p12 \
-name client-cert \
-CAfile /path/to/ca-cert.pem \
-caname root \
-passout pass:<your_keystore_password>

This command creates a client-keystore.p12 file that contains the client certificate, private key, and CA certificate chain, protected by the keystore password (<your_keystore_password>).

Copy and securely store the client-keystore.p12 file.

Configure SingleStore

Configure a CA in the Cloud Portal:

  1. On the left navigation pane, select Workspaces.

  2. Select the three dots for your workspace, and select Access & Security from the list.

  3. On the Security tab, select Upload CA Bundle, and upload the CA bundle (ca-cert.pem file).

Create a Database User

Create a database user with one of the following options in the CREATE USER statement to require certificate-based mTLS authentication (replace <mtls_password> with a secure password):

  • REQUIRE X509: The user can connect only if the client presents a valid TLS client certificate that is not expired and chains to the CA bundle configured on the server. Connections that do not provide a valid certificate are rejected. For example:

    CREATE USER 's2user'@'%' IDENTIFIED BY '<mtls_password>' REQUIRE X509;
  • REQUIRE SUBJECT '<subject-dn-string>': Extends REQUIRE X509 by additionally requiring that the Subject DN in the client certificate exactly match the configured value. This option verifies both trust (the certificate chains to the CA) and identity (the Subject DN string). For example:

    CREATE USER 's2user'@'%' IDENTIFIED BY '<mtls_password>' REQUIRE SUBJECT '/CN=s2user/O=example/C=US';

    Note: While running CREATE USER or ALTER USER, the Subject must be specified in OpenSSL “oneline” format. The fields CN, O, C, ST, L, etc., must be separated by a /.

Grant the required privileges to the database user.

Update the Connector Configuration

Update the following parameters in the SingleStore Kafka Sink connector's configuration JSON to enable mTLS authentication:

  • connection.user: Specify the username of the mTLS-enabled SingleStore database user.

  • connection.password: Specify the password (<mtls_password>) for the SingleStore database user.

  • params.sslMode: Specify either of the following:

    • verify-ca: Use SSL/TLS for encryption and perform certificate verification, but do not perform hostname verification.

    • verify-full: Use SSL/TLS for encryption, certificate verification, and hostname verification.

    Refer to sslMode for more information.

  • params.serverSslCert: Specify the path to singlestore_bundle.pem (include the filename and extension).

  • params.keyStore: Specify the path to client-keystore.p12 (include the filename and extension).

  • params.keyStorePassword: Specify the keystore password (<your_keystore_password>) passed to the openssl command.

  • params.keyStoreType: Specify PKCS12 as the keystore type.

Refer to SingleStore JDBC Driver - TLS Parameters for more information on supported SSL/TLS configuration options.

The following is a sample configuration:

{
  "name": "singlestore-sink-connector-mtls",
  "config": {
    "connector.class": "com.singlestore.kafka.SingleStoreSinkConnector",
    "tasks.max": "1",
    "topics": "s2Ingest",
    "connection.clientEndpoint": "svc-XXXX-svchost:3306",
    "connection.database": "dbTest",
    "connection.user": "mtls_user",
    "connection.password": "<mtls_password>",
    "params.sslMode": "verify-full",
    "params.serverSslCert": "/opt/certs/singlestore_bundle.pem",
    "params.keyStore": "/opt/certs/client-keystore.p12",
    "params.keyStorePassword": "<your_keystore_password>",
    "params.keyStoreType": "PKCS12"
  }
}

To apply the configuration, deploy or restart the connector.
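As an added example (not SingleStore's own code), the following Python helpers cover the two steps of this page that are easiest to get wrong: converting a certificate's subject into the OpenSSL oneline format that REQUIRE SUBJECT needs, and checking that the connector JSON carries the mTLS parameters with the exact key case. It assumes the subject string comes from `openssl x509 -noout -subject`; the sample configuration is constructed.

```python
import json
import re

# Keys the connector needs for mTLS, in the exact camelCase of the JDBC driver
# parameters: a differently cased key is simply an unknown, ignored parameter.
REQUIRED_KEYS = ("connection.user", "connection.password", "params.sslMode",
                 "params.serverSslCert", "params.keyStore",
                 "params.keyStorePassword", "params.keyStoreType")

def to_oneline_subject(openssl_subject: str) -> str:
    """Convert `openssl x509 -noout -subject` output (assumed form
    'subject=CN = s2user, O = example, C = US', commas inside values escaped
    as '\\,') into the '/CN=.../O=.../C=...' form REQUIRE SUBJECT expects."""
    body = openssl_subject.split("=", 1)[1] if openssl_subject.startswith("subject") else openssl_subject
    body = body.strip()
    if body.startswith("/"):  # older OpenSSL already prints the oneline form
        return body
    rdns = []
    for part in re.split(r"(?<!\\),\s*", body):  # split on unescaped commas only
        attr, _, value = part.partition("=")
        value = value.strip().replace("\\,", ",")
        rdns.append(f"{attr.strip()}={value}")
    return "/" + "/".join(rdns)

def create_user_sql(user: str, password: str, oneline_subject: str) -> str:
    """Build the REQUIRE SUBJECT form of the CREATE USER statement."""
    return (f"CREATE USER '{user}'@'%' IDENTIFIED BY '{password}' "
            f"REQUIRE SUBJECT '{oneline_subject}';")

def check_connector_config(config_json: str) -> list:
    """Return the mTLS problems found in a connector configuration JSON."""
    cfg = json.loads(config_json)["config"]
    by_lower = {k.lower(): k for k in cfg}
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            hint = f" (found '{by_lower[key.lower()]}': check the case)" if key.lower() in by_lower else ""
            problems.append(f"missing {key}{hint}")
    if "params.sslMode" in cfg and cfg["params.sslMode"] not in ("verify-ca", "verify-full"):
        problems.append("params.sslMode must be verify-ca or verify-full")
    if "params.keyStoreType" in cfg and cfg["params.keyStoreType"] != "PKCS12":
        problems.append("params.keyStoreType must be PKCS12")
    return problems

# Constructed sample config: the page's example with the key miscased as 'params.keystore'.
SAMPLE_CONFIG = json.dumps({"name": "singlestore-sink-connector-mtls", "config": {
    "connection.user": "mtls_user", "connection.password": "<mtls_password>",
    "params.sslMode": "verify-full", "params.serverSslCert": "/opt/certs/singlestore_bundle.pem",
    "params.keystore": "/opt/certs/client-keystore.p12", "params.keyStorePassword": "<your_keystore_password>",
    "params.keyStoreType": "PKCS12"}})
```

Running `check_connector_config(SAMPLE_CONFIG)` reports the miscased `params.keystore` key, which the connector would otherwise ignore silently and fail the TLS handshake without a client certificate.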
