Server Configuration for Secure Client and Intra-Cluster Connections
This section describes how to enable secure connections between clients and the SingleStore cluster, as well as between nodes within the SingleStore cluster. To do so, set the ssl_cert, ssl_key, and ssl_ca settings on all SingleStore nodes.
This configuration secures intra-cluster communication by making each SingleStore node connect to other SingleStore nodes only over secure connections authenticated by a valid server certificate signed by the CA certificate specified by the ssl_ca setting.
Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server.
Note
This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases using SingleStore replication. node_ in the memsql.cnf file on every node in every cluster where this behavior is required/desired.
SingleStore Tools
- Place the server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStore node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes. Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to directory).
- Update the SingleStore configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using sdb-admin update-config. For example:

    sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
    sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
    sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem
- Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:

    ssl_cert = ./certs/server-cert.pem
    ssl_key = ./certs/server-key.pem
    ssl_ca = ./certs/ca-cert.pem
- Restart all nodes.

    sdb-admin restart-node --all
It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStore accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).
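A pre-restart check for the certs directory populated in the steps above, as an added example that is not part of the SingleStore documentation or tooling: it confirms that server-cert.pem verifies against ca-cert.pem, that server-key.pem belongs to that certificate, and that the directory is owned by memsql. The function name check_tls_files and its arguments are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a SingleStore tool).
# Usage: check_tls_files DIR [OWNER] [GROUP]   (OWNER and GROUP default to memsql)
check_tls_files() {
    dir=$1 owner=${2:-memsql} group=${3:-memsql} rc=0
    cert=$dir/server-cert.pem key=$dir/server-key.pem ca=$dir/ca-cert.pem

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable: $f" >&2; return 1; }
    done

    # The server certificate must chain to the CA that ssl_ca points at;
    # otherwise peers that validate it will refuse the connection.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; rc=1
    fi

    # The private key must belong to the certificate: compare public keys.
    # "-passin pass:" keeps openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    # The directory and its contents must be owned by OWNER:GROUP.
    # find errors (e.g. unknown user) are captured and treated as failures.
    bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print 2>&1)
    if [ -n "$bad" ]; then
        echo "FAIL: not owned by $owner:$group:" >&2; echo "$bad" >&2; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir is consistent"
    return "$rc"
}

# Run directly, e.g.: sh check_tls.sh ./certs
if [ "$#" -ge 1 ]; then check_tls_files "$@"; fi
```

Run it on every node after copying the files and before sdb-admin restart-node --all; a non-zero exit status means at least one check failed.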
Disable SSL
- To disable SSL, run the following commands.

    sdb-admin update-config --all --key ssl_cert --reset
    sdb-admin update-config --all --key ssl_key --reset
    sdb-admin update-config --all --key ssl_ca --reset
- Restart all nodes.

    sdb-admin restart-node --all
Last modified: April 26, 2023