Server Configuration for Secure Client and Intra-Cluster Connections

This section describes how to enable secure connections between clients and the SingleStore cluster, as well as between nodes within the SingleStore cluster. This requires configuring the ssl_cert, ssl_key, and ssl_ca settings on all SingleStore nodes.

This configuration secures intra-cluster communication by making each SingleStore node connect to other SingleStore nodes only over secure connections authenticated by a valid server certificate signed by the CA cert specified by the ssl_ca setting.

Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client Connections section.

Note

This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases using SingleStore replication. If the performance cost of securing intra-cluster communication is too high but you still want to secure the communication to the secondary cluster, then set node_replication_ssl_only = true in the memsql.cnf file on every node in every cluster where this behavior is wanted. This will disable SSL within the cluster but secure the communication to the secondary replicated cluster. See the examples below on how to persist this behavior across your cluster.

SingleStore Tools

  1. Place server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStore node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes.

    Note that the certs directory and its contents must be owned by the memsql user and group (e.g., run chown -R memsql:memsql <directory> after copying the certificates to that directory).

  2. Update the SingleStore configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using sdb-admin update-config. For example:

    sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
    sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
    sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem

  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    ssl_ca = ./certs/ca-cert.pem

  4. Restart all nodes.

    sdb-admin restart-node --all

It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).

Disable SSL

  1. To disable SSL, run the following commands.

    sdb-admin update-config --all --key ssl_cert --reset
    sdb-admin update-config --all --key ssl_key --reset
    sdb-admin update-config --all --key ssl_ca --reset

  2. Restart all nodes.

    sdb-admin restart-node --all

MemSQL Ops

  1. Place server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStore node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes.

    Note that the certs directory and its contents must be owned by the memsql user and group (e.g., run chown -R memsql:memsql <directory> after copying the certificates to that directory).

  2. Update the SingleStore configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using memsql-ops memsql-update-config. For example:

    memsql-ops memsql-update-config --all --key ssl_cert --value ./certs/server-cert.pem
    memsql-ops memsql-update-config --all --key ssl_key --value ./certs/server-key.pem
    memsql-ops memsql-update-config --all --key ssl_ca --value ./certs/ca-cert.pem

  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    ssl_ca = ./certs/ca-cert.pem

  4. Restart all SingleStore nodes.

    memsql-ops memsql-restart --all

It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).
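Both procedures above (SingleStore Tools and MemSQL Ops) leave the same three settings in the [server] section of memsql.cnf and depend on the certificate files being present and owned by memsql:memsql before the nodes are restarted. The following pre-flight check is an added example and not SingleStore's own tooling: it parses the [server] section, resolves ssl_cert, ssl_key and ssl_ca relative to the installation directory, confirms each file exists and has the expected owner and group, warns when the private key is group- or world-readable, and reports when node_replication_ssl_only is set (the mode described in the Note above, where intra-cluster SSL is off and only replication traffic to the secondary cluster is secured). The function names, finding strings and the placeholder PEM contents are this example's own assumptions; the demo uses the current user's numeric uid/gid so it runs on a host without a memsql account.

```python
"""Pre-flight check of the SSL settings in a SingleStore memsql.cnf (added example)."""
import configparser
import grp
import os
import pwd
from pathlib import Path

SSL_KEYS = ("ssl_cert", "ssl_key", "ssl_ca")
TRUE_VALUES = {"1", "true", "on", "yes"}

# Constructed sample: what step 3 of either procedure leaves in memsql.cnf.
GOOD_CNF = """[server]
ssl_cert = ./certs/server-cert.pem
ssl_key = ./certs/server-key.pem
ssl_ca = ./certs/ca-cert.pem
"""


def parse_server_section(cnf_text):
    """Return the [server] section as a dict (configparser lower-cases keys)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(cnf_text)
    return dict(cp.items("server")) if cp.has_section("server") else {}


def resolve_ssl_paths(server, install_dir):
    """Map each ssl_* key to an absolute Path, or None when unset.
    Relative values are taken relative to the installation directory, as the docs
    state; pathlib leaves an absolute value unchanged when it is joined."""
    return {k: (Path(install_dir) / server[k]).resolve() if server.get(k) else None
            for k in SSL_KEYS}


def _numeric_id(value, lookup):
    """Accept a uid/gid int or an account name; None when the name is unknown here."""
    if isinstance(value, int):
        return value
    try:
        return lookup(value)
    except KeyError:
        return None


def check_ssl_config(cnf_text, install_dir, owner="memsql", group="memsql"):
    """Return a list of findings; an empty list means the node is ready to restart."""
    findings = []
    server = parse_server_section(cnf_text)
    if not server:
        return ["memsql.cnf has no [server] section"]
    paths = resolve_ssl_paths(server, install_dir)
    missing = [k for k, p in paths.items() if p is None]
    if missing:
        findings.append("missing settings: " + ", ".join(missing))
    uid = _numeric_id(owner, lambda n: pwd.getpwnam(n).pw_uid)
    gid = _numeric_id(group, lambda n: grp.getgrnam(n).gr_gid)
    if uid is None or gid is None:
        findings.append(f"expected owner {owner}:{group} does not exist on this host")
    for key, path in paths.items():
        if path is None:
            continue
        if not path.is_file():
            findings.append(f"{key}: {path} does not exist")
            continue
        st = path.stat()
        if uid is not None and gid is not None and (st.st_uid, st.st_gid) != (uid, gid):
            findings.append(f"{key}: {path} is not owned by {owner}:{group}")
        if key == "ssl_key" and st.st_mode & 0o077:
            findings.append(f"{key}: {path} is group/world readable; expected mode 0600")
    if (server.get("node_replication_ssl_only") or "").strip().lower() in TRUE_VALUES:
        findings.append("node_replication_ssl_only is set: intra-cluster SSL is disabled, "
                        "only traffic to the secondary (replicated) cluster is secured")
    return findings


def run_demo():
    """Build a throw-away install directory holding constructed placeholder PEM files
    and run the check for four scenarios; returns {scenario: findings}."""
    import tempfile
    me, my_group = os.getuid(), os.getgid()  # numeric ids: no memsql account required
    with tempfile.TemporaryDirectory() as root:
        certs = Path(root) / "certs"
        certs.mkdir()
        for name in ("server-cert.pem", "server-key.pem", "ca-cert.pem"):
            (certs / name).write_text("-----CONSTRUCTED PLACEHOLDER, NOT A REAL PEM-----\n")
        os.chmod(certs / "server-key.pem", 0o600)
        results = {
            "good": check_ssl_config(GOOD_CNF, root, me, my_group),
            "missing_ca": check_ssl_config(
                GOOD_CNF.replace("ssl_ca = ./certs/ca-cert.pem\n", ""), root, me, my_group),
            "replication_only": check_ssl_config(
                GOOD_CNF + "node_replication_ssl_only = true\n", root, me, my_group),
        }
        os.chmod(certs / "server-key.pem", 0o644)  # simulate a key copied with loose permissions
        results["loose_key"] = check_ssl_config(GOOD_CNF, root, me, my_group)
    return results


if __name__ == "__main__":
    for scenario, found in run_demo().items():
        print(scenario, "->", found or ["OK"])
```

On a real node, call check_ssl_config with the contents of memsql.cnf, the installation directory and the default memsql:memsql owner before running the restart step; the ownership check fails, as intended, if the files were copied as root and the chown from step 1 was skipped.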

Last modified: April 26, 2023