Server Configuration for Secure Client Connections

This section describes how to enable secure connections between clients and the SingleStore cluster. It does not cover connections between nodes within the cluster. Securing client connections requires configuring the ssl_cert and ssl_key settings on all aggregators.

Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client-Cluster Connections section.

SingleStore Tools

  1. Place server-cert.pem and server-key.pem files in the certs directory on each aggregator in the cluster. You can copy the files from the Generating SSL Certificates section to all aggregators.

    Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to the directory).

  2. Update the SingleStore configuration for all aggregators (it is also fine to configure all nodes) to set the ssl_cert and ssl_key settings to the paths to the server-cert.pem and server-key.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using sdb-admin update-config. For example:

    sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
    sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
    sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
    sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
  4. Restart all SingleStore aggregators.

    sdb-admin restart-node --all

MemSQL Ops

  1. Place server-cert.pem and server-key.pem files in the certs directory on each aggregator in the cluster. You can copy the files from the Generating SSL Certificates section to all aggregators.

    Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to the directory).

  2. Update the SingleStore configuration for all aggregators (it is also fine to configure all nodes) to set the ssl_cert and ssl_key settings to the paths to the server-cert.pem and server-key.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using memsql-ops memsql-update-config. For example:

    memsql-ops memsql-list -q -r aggregator | xargs memsql-ops memsql-update-config --key ssl_cert --value ./certs/server-cert.pem
    memsql-ops memsql-list -q -r master | xargs memsql-ops memsql-update-config --key ssl_cert --value ./certs/server-cert.pem
    memsql-ops memsql-list -q -r aggregator | xargs memsql-ops memsql-update-config --key ssl_key --value ./certs/server-key.pem
    memsql-ops memsql-list -q -r master | xargs memsql-ops memsql-update-config --key ssl_key --value ./certs/server-key.pem
  3. Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
  4. Restart all SingleStore aggregators.

    memsql-ops memsql-restart --all
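
A pre-restart check for steps 1 to 3 on one aggregator, added here as an example and not part of the SingleStore documentation or tooling. It reads ssl_cert and ssl_key from the [server] section of memsql.cnf, resolves relative paths against the installation directory, and confirms that both files exist, are owned by memsql:memsql, and form a matching certificate/key pair. The function names and their arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not SingleStore code. Function names and arguments are assumptions.
# Requires awk, openssl and GNU stat (stat -c).

# Print the value of KEY from the [server] section of a memsql.cnf-style file.
cnf_get() {  # usage: cnf_get FILE KEY
  awk -v key="$2" '
    /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
    in_server && /=/ && !/^[ \t]*[#;]/ {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { if (val != "") print val }' "$1"
}

# Resolve a configured path: absolute as-is, otherwise relative to the installation directory.
resolve_path() {  # usage: resolve_path INSTALL_DIR PATH
  case "$2" in
    /*) printf '%s\n' "$2" ;;
    *)  printf '%s/%s\n' "${1%/}" "${2#./}" ;;
  esac
}

# Succeed only if the certificate and the private key carry the same public key.
pair_matches() {  # usage: pair_matches CERT KEY
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks for one node; print each failure and return non-zero if any check fails.
check_tls_config() {  # usage: check_tls_config CNF INSTALL_DIR [OWNER:GROUP]
  local want="${3:-memsql:memsql}" rc=0 name value cert="" key=""
  for name in ssl_cert ssl_key; do
    value=$(cnf_get "$1" "$name")
    if [ -z "$value" ]; then echo "FAIL: $name is not set in [server]"; rc=1; continue; fi
    value=$(resolve_path "$2" "$value")
    if [ ! -f "$value" ]; then echo "FAIL: $name file missing: $value"; rc=1; continue; fi
    [ "$(stat -c '%U:%G' "$value")" = "$want" ] || { echo "FAIL: $value not owned by $want"; rc=1; }
    if [ "$name" = ssl_cert ]; then cert=$value; else key=$value; fi
  done
  if [ -n "$cert" ] && [ -n "$key" ]; then
    pair_matches "$cert" "$key" || { echo "FAIL: certificate and key do not match"; rc=1; }
  fi
  return "$rc"
}
# Usage (placeholder paths): check_tls_config <path-to>/memsql.cnf <installation-directory>
```

Run it on each aggregator before the restart in step 4; a non-zero exit status means at least one of the printed checks failed.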

Last modified: April 26, 2023


Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK