Server Configuration for Secure Client Connections
This section describes how to enable secure connections between clients and the SingleStoreDB cluster, but not between nodes within the SingleStoreDB cluster. This requires configuring the ssl_cert and ssl_key settings on all aggregators.
Note that, depending on the client configuration, a client connecting to SingleStoreDB may or may not use a secure connection even when SSL is enabled on the server. See the Server Configuration to Require Secure Client-Cluster Connections section.
SingleStore Tools
Place the server-cert.pem and server-key.pem files in the certs directory on each aggregator in the cluster. You can copy the files from the Generating SSL Certificates section to all aggregators.
Note that the certs directory and its contents must be owned by the memsql user and group (e.g., chown -R memsql:memsql <directory> after copying the certificates to directory).
Update the SingleStoreDB configuration for all aggregators (it is also fine to configure all nodes) to set the ssl_cert and ssl_key settings to the paths to the server-cert.pem and server-key.pem files, respectively. These can be absolute paths, or relative to the SingleStoreDB installation directory. You can do this by using sdb-admin update-config. For example:
sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_cert --value ./certs/server-cert.pem --memsql-id "$@"' memsql
sdb-admin list-nodes -q -r aggregator | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
sdb-admin list-nodes -q -r master | xargs bash -c '</dev/tty sdb-admin update-config --key ssl_key --value ./certs/server-key.pem --memsql-id "$@"' memsql
Alternatively, edit the memsql.cnf file on all aggregators to add the certificate paths in the [server] section. For example:
ssl_cert = ./certs/server-cert.pem
ssl_key = ./certs/server-key.pem
Restart all SingleStoreDB aggregators.
sdb-admin restart-node --all
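A check of the settings above that can be run on each aggregator before the restart step. This script is an added example, not part of SingleStore's tooling: the function names cnf_value and check_tls_config, the installation-directory argument, and the key file mode check are assumptions introduced here, and it relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added example: check the ssl_cert / ssl_key settings before restarting.
# Usage: ./check_tls.sh <memsql.cnf> <install-dir> [owner:group]
# Function names and the install-dir argument are assumptions of this example.

# Print the value of KEY ($2) from the [server] section of cnf file $1.
cnf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        in_server && index($0, "=") {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# Return 0 only if both settings point at existing files with the right owner.
check_tls_config() {
    cnf=$1 base=$2 owner=${3:-memsql:memsql} rc=0
    for key in ssl_cert ssl_key; do
        path=$(cnf_value "$cnf" "$key")
        if [ -z "$path" ]; then
            echo "FAIL: $key is not set in [server] of $cnf"; rc=1; continue
        fi
        # Relative paths are resolved against the installation directory.
        case $path in /*) ;; *) path="$base/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "FAIL: $key -> $path does not exist"; rc=1; continue
        fi
        actual=$(stat -c '%U:%G' "$path")   # GNU stat
        if [ "$actual" != "$owner" ]; then
            echo "FAIL: $path is owned by $actual, expected $owner"; rc=1
        fi
        # Extra hardening check, not from the page: key closed to group/other.
        if [ "$key" = ssl_key ]; then
            mode=$(stat -c '%a' "$path")
            case $mode in *00) ;; *) echo "FAIL: $path has mode $mode"; rc=1 ;; esac
        fi
    done
    return $rc
}

if [ "$#" -ge 2 ]; then check_tls_config "$@"; exit $?; fi
```

A non-zero exit status means at least one setting is missing from [server], points at a file that does not exist, or refers to a file with the wrong owner or a private key readable beyond its owner.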