Server Configuration for Secure Client and Intra-Cluster Connections
This section describes how to enable secure connections between clients and the SingleStoreDB cluster, as well as between nodes within the SingleStoreDB cluster. This requires configuring the ssl_cert, ssl_key, and ssl_ca settings on all SingleStoreDB nodes.
This configuration secures intra-cluster communication by making each SingleStoreDB node connect to other SingleStoreDB nodes only over secure connections authenticated by a valid server certificate signed by the CA cert specified by the ssl_ca setting.
Note that, depending on the client configuration, a client connecting to SingleStoreDB may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client Connections section.
Note
This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases using SingleStoreDB replication. If the performance cost of securing intra-cluster communication is too high but you still want to secure the communication to the secondary cluster, then set node_replication_ssl_only = true in the memsql.cnf file on every node in every cluster where this behavior is required/desired. This will disable SSL within the cluster but secure the communication to the secondary replicated cluster. See examples below on how to persist this behavior across your cluster.
SingleStore Tools
1. Place the server-cert.pem, server-key.pem, and ca-cert.pem files in the certs directory on each SingleStoreDB node in the cluster. You can copy the files from the Generating SSL Certificates section to all nodes. Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to <directory>).
2. Update the SingleStoreDB configuration for all nodes to set the ssl_cert, ssl_key, and ssl_ca settings to the paths to the server-cert.pem, server-key.pem, and ca-cert.pem files, respectively. These can be absolute paths, or relative to the SingleStoreDB installation directory. You can do this by using sdb-admin update-config. For example:
   sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
   sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
   sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem
   Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:
   ssl_cert = ./certs/server-cert.pem
   ssl_key = ./certs/server-key.pem
   ssl_ca = ./certs/ca-cert.pem
3. Restart all nodes.
   sdb-admin restart-node --all
It is also recommended to add REQUIRE SSL, as described in the next section, to the GRANT statement of all SingleStoreDB accounts used to connect to aggregator and leaf nodes in ADD AGGREGATOR and ADD LEAF statements (by default, root).
Disable SSL
To disable SSL, run the following commands.
sdb-admin update-config --all --key ssl_cert --reset
sdb-admin update-config --all --key ssl_key --reset
sdb-admin update-config --all --key ssl_ca --reset
Restart all nodes.
sdb-admin restart-node --all