SingleStore DB

Configuring SingleStore DB for Secure Connections

It’s important to note that enabling secure connections between the client and the SingleStore DB cluster is separate from enabling secure connections between nodes inside the SingleStore DB cluster itself. To configure the SingleStore DB cluster to use secure connections, see either:

To configure your client to use secure connections, see Server Configuration for Secure Client Connections.

Notice

When configuring SSL in SingleStore DB, you should specify an absolute path (/path/to/files) to your files. If you specify a relative path (./path/to/files), SingleStore first looks for the path relative to the location of the memsql.cnf file. If the path is not found there, SingleStore looks for the path relative to the current working directory. If neither of those paths work, the operation fails.

Warning

Do not place your SSL certificates in the SingleStore installation directory as that directory is subject to change during upgrades.

Specifying the TLS Version

Use the tls_version global variable to specify the TLS versions allowed by the server. By default, TLS versions TLSv1, TLSv1.1, and TLSv1.2 are supported by SingleStore DB and can be set only at startup.

SELECT @@tls_version;
****
+-----------------------+
| @@tls_version         |
+-----------------------+
| TLSv1,TLSv1.1,TLSv1.2 |
+-----------------------+

The following examples demonstrate how you can update the tls_version variable on your cluster nodes by running SingleStore Tools or MemSQL Ops commands at the Linux command line.

SingleStore Tools

The following command updates the TLS version to TLSv1.2 on all nodes in the cluster.

sdb-admin update-config --key tls_version --value TLSv1.2 --all
****
Toolbox is about to run 'memsqlctl update-config --key tls_version --value TLSv1.2' on the following nodes:
    - On host 127.0.0.1:
      + 27235D3E385B1056478CE11258959592CE49EE82
      + F9F6A7E64946D5D3D1E6F00C175EF00FC240AB97

Would you like to continue? [y/N]: y
✓ Updated configuration on 127.0.0.1
Operation completed successfully

The following commands restart all nodes in the cluster for the new tls_version value to take effect.

sdb-admin stop-node --all
****
✓ Successfully connected to host 127.0.0.1
Toolbox is about to perform the following actions:
  · Stop all nodes in the cluster

Would you like to continue? [y/N]: y
✓ Stopped Master node on 127.0.0.1 (1/1)
✓ Successfully stopped Master node on 1 host
✓ Stopped Master node
✓ Stopped Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully stopped Leaf nodes on 1 host
✓ Stopped Leaf node
Operation completed successfully
sdb-admin start-node --all
****
Toolbox is about to perform the following actions:
  · Start all nodes in the cluster

Would you like to continue? [y/N]: y
✓ Successfully connected to host 127.0.0.1
✓ Started Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully started Leaf nodes on 1 host
✓ Successfully connected to Leaf node
✓ Started Master node on 127.0.0.1 (1/1)
✓ Successfully started Master node on 1 host
✓ Successfully connected to Master node
Operation completed successfully
singlestore -p
****
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.58 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

No entry for terminal type "xterm-256color";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
SELECT @@tls_version;
****
+---------------+
| @@tls_version |
+---------------+
| TLSv1.2       |
+---------------+
1 row in set (0.01 sec)
MemSQL Ops

The following command updates the TLS version to TLSv1.2 on all nodes in the cluster.

memsql-ops memsql-update-config --key tls_version --value TLSv1.2 --all
****
Updating MemSQL configs
2020-08-13 00:17:17: J8cda22 [INFO] Changing config for MemSQL node 4FEF6F6AC8A971149F5E13587DA9EBD4B43F20F3 on Agent A3069bb123cd34e0994b183328f4f0c10 with values {"tls_version":"TLSv1.2"}
2020-08-13 00:17:18: J87d96d [INFO] Changing config for MemSQL node F2D99919B50D01E288B140E43A012C3E8B8D3BFF on Agent A3069bb123cd34e0994b183328f4f0c10 with values {"tls_version":"TLSv1.2"}
2020-08-13 00:17:18: J8cda22 [INFO] Successfully updated config for MemSQL node 4FEF6F6AC8A971149F5E13587DA9EBD4B43F20F3
2020-08-13 00:17:18: J87d96d [INFO] Successfully updated config for MemSQL node F2D99919B50D01E288B140E43A012C3E8B8D3BFF

The following command restarts all nodes in the cluster for the new tls_version value to take effect.

memsql-ops memsql-restart --all
****
Stopping cluster
Successfully stopped cluster
Starting cluster
Successfully started cluster
memsql 
****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.5.58 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
SELECT @@tls_version;
+---------------+
| @@tls_version |
+---------------+
| TLSv1.2       |
+---------------+
1 row in set (0.01 sec)
Server Configuration for Secure Client Connections

This section describes how to enable secure connections between clients and the SingleStore DB cluster, but not between nodes within the SingleStore DB cluster. This requires configuring the ssl_cert and ssl_key settings on all aggregators.

Note that, depending on the client configuration, a client connecting to SingleStore DB may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client-Cluster Connections section.

SingleStore Tools
  1. Place server-cert.pem and server-key.pem files on each aggregator in the cluster. You can copy the files from the Generating SSL Certificates section to all aggregators.

  2. Update the SingleStore DB configuration for all aggregators (it is also fine to configure all nodes) to set the ssl_cert and ssl_key settings to the paths to the server-cert.pem and server-key.pem files, respectively. These can be absolute paths, or relative to the SingleStore DB installation directory. You can do this by using sdb-admin update-config. For example:

    sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
    
    sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
    
    sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
    
    sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
    
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    
  4. Restart all SingleStore DB aggregators.

    sdb-admin restart-node --all
    
MemSQL Ops
  1. Place server-cert.pem and server-key.pem files on each aggregator in the cluster. You can copy the files from the Generating SSL Certificates section to all aggregators.

  2. Update the SingleStore DB configuration for all aggregators (it is also fine to configure all nodes) to set the ssl_cert and ssl_key settings to the paths to the server-cert.pem and server-key.pem files, respectively. These can be absolute paths, or relative to the SingleStore DB installation directory. You can do this by using memsql-ops memsql-update-config. For example:

    memsql-ops memsql-list -q -r aggregator | xargs memsql-ops memsql-update-config --key ssl_cert --value ./certs/server-cert.pem
    
    memsql-ops memsql-list -q -r master | xargs memsql-ops memsql-update-config --key ssl_cert --value ./certs/server-cert.pem
    
    memsql-ops memsql-list -q -r aggregator | xargs memsql-ops memsql-update-config --key ssl_key --value ./certs/server-key.pem
    
    memsql-ops memsql-list -q -r master | xargs memsql-ops memsql-update-config --key ssl_key --value ./certs/server-key.pem
    
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    
  4. Restart all SingleStore DB aggregators.

    memsql-ops memsql-restart --all
    
Server Configuration for Secure Client and Intra-Cluster Connections

This section describes how to enable secure connections between clients and the SingleStore DB cluster, as well as between nodes within the SingleStore DB cluster. This requires configuring the ssl_cert, ssl_key, and ssl_ca settings on all SingleStore DB nodes.

This configuration secures intra-cluster communication by making each SingleStore DB node connect to other SingleStore DB nodes only over secure connections authenticated by a valid server certificate signed by the CA cert specified by the ssl_ca setting.

Note that, depending on the client configuration, a client connecting to SingleStore DB may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client Connections section.

Notice

This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases using SingleStore DB replication. If the performance cost of securing intra-cluster communication is too high but you still want to secure the communication to the secondary cluster, then set node_replication_ssl_only = true in memsql.cnf on every node in your primary cluster. This will disable SSL within the cluster but secure the communication to the secondary replicated cluster. See examples below on how to persist this behavior across your cluster.

SingleStore Tools
  1. Place server-cert.pem, server-key.pem, and ca-cert.pem files on each SingleStore DB node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes.

  2. Update the SingleStore DB configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore DB installation directory. You can do this by using sdb-admin update-config. For example:

    sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
    
    sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
    
    sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem
    
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    ssl_ca = ./certs/ca-cert.pem
    
  4. Restart all SingleStore DB nodes.

    sdb-admin restart-node --all
    

It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore DB accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).

MemSQL Ops
  1. Place server-cert.pem, server-key.pem, and ca-cert.pem files on each SingleStore DB node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes.

  2. Update the SingleStore DB configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore DB installation directory. You can do this by using memsql-ops memsql-update-config. For example:

    memsql-ops memsql-update-config --all --key ssl_cert --value ./certs/server-cert.pem
    
    memsql-ops memsql-update-config --all --key ssl_key --value ./certs/server-key.pem
    
    memsql-ops memsql-update-config --all --key ssl_ca --value ./certs/ca-cert.pem
    
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    ssl_ca = ./certs/ca-cert.pem
    
  4. Restart all SingleStore DB nodes.

    memsql-ops memsql-restart --all
    

It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore DB accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).

Server Configuration to Require Secure Client Connections

To make the server restrict access to clients over SSL only, add the REQUIRE SSL clause to the user’s GRANT statement, for example:

GRANT all ON *.* TO 'user'@'%' REQUIRE SSL;

For example, if REQUIRE SSL is specified for the user user:

## this connection attempt is rejected with an "Access denied" error:
$ mysql -u user -h 1.2.3.4

## this works:
$ mysql -u user -h 1.2.3.4 --ssl-ca=ca-cert.pem

Unless the client is configured properly, the client may or may not use SSL to connect to SingleStore DB even if SSL is enabled on the SingleStore DB cluster. Adding REQUIRE SSL helps protect against misconfigured clients by preventing them from connecting over an insecure plaintext connection. However, proper client configuration is still necessary for security against active network attacks, regardless of server configuration. See Client Configuration for Secure Client Connections.

Client Configuration for Secure Client Connections

To ensure secure connections, clients must be properly configured to require a secure connection and verify the appropriate server certificate. Otherwise, the client may or may not use SSL to connect to SingleStore DB even if SSL is enabled on the SingleStore DB cluster, and man in the middle attacks can compromise security, e.g. an attacker may impersonate a server with SSL disabled or impersonate a server while presenting a different server certificate.

The instructions below describe how to configure the MySQL command-line client to connect to SingleStore DB with a secure connection. Other clients may need to be configured differently.

Copy ca-cert.pem to your client machine. Specify the path to ca-cert.pem with the --ssl-ca option. This can be given as a command line option, as in --ssl-ca=path/ca-cert.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Add the --ssl-mode=REQUIRED option to require a secure connection (this is necessary in older versions of the MySQL client, even when --ssl-ca is specified). The client will abort with an error if a secure connection cannot be established, e.g. if the server is misconfigured or an attacker is modifying the connection.

You can use the status command to print connection details. For example:

$ mysql -uroot -h1.2.3.4 --ssl-ca=ca-cert.pem -e 'status'
--------------
mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper

Connection id:      13
Current database:
Current user:       root@4.5.6.7
SSL:            Cipher in use is AES256-SHA
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Protocol version:   10
Connection:     1.2.3.4 via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:       3306
--------------