Server Configuration for Secure Client and Intra-Cluster Connections
This section describes how to enable secure connections between clients and the SingleStore cluster, as well as between nodes within the SingleStore cluster, by setting the ssl_cert, ssl_key, and ssl_ca settings on all SingleStore nodes.
This configuration secures intra-cluster communication by making each SingleStore node connect to other SingleStore nodes only over secure connections authenticated by a valid server certificate signed by the CA cert specified by the ssl_ca setting.
Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server.
Note
This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases using SingleStore replication. node_ in the memsql.cnf file on every node in every cluster where this behavior is required/desired.
SingleStore Tools
- Place the server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStore node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes. Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to directory).
- Update the SingleStore configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using sdb-admin update-config. For example:
  sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
  sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
  sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem
- Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:
  ssl_cert = ./certs/server-cert.pem
  ssl_key = ./certs/server-key.pem
  ssl_ca = ./certs/ca-cert.pem
- Restart all nodes.
  sdb-admin restart-node --all
It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).
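A check to run on each node before the restart step, added here as an example and not part of SingleStore's tooling: it reads ssl_cert, ssl_key, and ssl_ca from the [server] section of memsql.cnf, resolves relative paths against the installation directory, and confirms each file exists with the expected owner. The function name check_ssl_config and its arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SingleStore tooling.
# Usage: check_ssl_config <path/to/memsql.cnf> <install_dir> [owner:group]
# Pass "" as the third argument to skip the ownership check.
check_ssl_config() {
    cnf=$1; install_dir=$2; owner=${3-memsql:memsql}
    rc=0
    for key in ssl_cert ssl_key ssl_ca; do
        # Read "key = value" from the [server] section only (last assignment kept).
        val=$(awk -v k="$key" '
            /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
            in_server && (i = index($0, "=")) {
                name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
                if (name == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
            }
            END { print v }' "$cnf")
        if [ -z "$val" ]; then
            echo "MISSING: $key not set in [server]"; rc=1; continue
        fi
        # Relative paths are resolved against the installation directory.
        case $val in
            /*) path=$val ;;
            *)  path=$install_dir/$val ;;
        esac
        if [ ! -f "$path" ]; then
            echo "NOT FOUND: $key -> $path"; rc=1; continue
        fi
        # The certs directory contents must be owned by the memsql user and group.
        if [ -n "$owner" ]; then
            actual=$(stat -c '%U:%G' "$path" 2>/dev/null) || actual=unknown
            if [ "$actual" != "$owner" ]; then
                echo "OWNER: $path is $actual, expected $owner"; rc=1
            fi
        fi
    done
    return $rc
}
```

The function returns non-zero and prints one line per problem, so it can gate the restart in a rollout script.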
Disable SSL
- To disable SSL, run the following commands.
  sdb-admin update-config --all --key ssl_cert --reset
  sdb-admin update-config --all --key ssl_key --reset
  sdb-admin update-config --all --key ssl_ca --reset
- Restart all nodes.
  sdb-admin restart-node --all
MemSQL Ops
- Place the server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStore node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes. Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to directory).
- Update the SingleStore configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using memsql-ops memsql-update-config. For example:
  memsql-ops memsql-update-config --all --key ssl_cert --value ./certs/server-cert.pem
  memsql-ops memsql-update-config --all --key ssl_key --value ./certs/server-key.pem
  memsql-ops memsql-update-config --all --key ssl_ca --value ./certs/ca-cert.pem
- Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:
  ssl_cert = ./certs/server-cert.pem
  ssl_key = ./certs/server-key.pem
  ssl_ca = ./certs/ca-cert.pem
- Restart all SingleStore nodes.
  memsql-ops memsql-restart --all
It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).
Last modified: April 26, 2023