# Server Configuration for Secure Client and Intra-Cluster Connections

This section describes how to enable secure connections between clients and the SingleStore cluster, as well as between nodes within the SingleStore cluster. This requires configuring the `ssl_cert`, `ssl_key`, and `ssl_ca` settings on all SingleStore nodes.

This configuration secures intra-cluster communication by making each SingleStore node connect to other SingleStore nodes only over secure connections authenticated by a valid server certificate signed by the CA cert specified by the `ssl_ca` setting.

Note that, depending on the client configuration, a client connecting to SingleStore may or may not use a secure connection even when SSL is enabled on the server. See the [Server Configuration to Require Secure Client Connections](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-to-require-secure-client-connections.md) section.

> **📝 Note**: This secures communication between all nodes in the cluster and also secures communication between that cluster and a secondary cluster that is replicating databases [using SingleStore replication](https://docs.singlestore.com/db/v9.1/user-and-cluster-administration/high-availability-and-disaster-recovery/replicating-data-across-clusters.md). If the performance cost of securing intra-cluster communication is too high but you still want to secure the communication to the secondary cluster, set `node_replication_ssl_only = true` in the `memsql.cnf` file on every node in every cluster where this behavior is required. This disables SSL within the cluster but still secures the communication to the secondary replicated cluster. See examples below on how to persist this behavior across your cluster.

## SingleStore Tools

1. Place `server-cert.pem`, `server-key.pem`, and `ca-cert.pem` files in the `certs` directory on each SingleStore node in the cluster. You can copy the files from the [Generating SSL Certificates](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/generating-ssl-certificates.md) section to all nodes.

   Note that the `certs` directory and its contents must be owned by the `memsql` user and group (e.g., run `chown -R memsql:memsql <directory>` after copying the certificates to `<directory>`).

2. Update the SingleStore configuration for all nodes to set the `ssl_cert`, `ssl_key`, and `ssl_ca` settings to the paths to the `server-cert.pem`, `server-key.pem`, and `ca-cert.pem` files, respectively. These can be absolute paths, or relative to the SingleStore installation directory. You can do this by using `sdb-admin update-config`. For example:
   ```shell
   sdb-admin update-config --all --key ssl_cert --value ./certs/server-cert.pem
   sdb-admin update-config --all --key ssl_key --value ./certs/server-key.pem
   sdb-admin update-config --all --key ssl_ca --value ./certs/ca-cert.pem
   ```

3. **Alternatively**, edit the `memsql.cnf` file on all aggregators to add the certificate paths in the `[server]` section. For example:
   ```
   ssl_cert = ./certs/server-cert.pem
   ssl_key = ./certs/server-key.pem
   ssl_ca = ./certs/ca-cert.pem
   ```

4. Restart all nodes.
   ```shell
   sdb-admin restart-node --all
   ```

It is also recommended to add `REQUIRE SSL`, as described in the next section, to the `GRANT` statement of all SingleStore accounts used to connect to aggregator and leaf nodes in `ADD AGGREGATOR` and `ADD LEAF` statements (by default, `root`).
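Before restarting, it helps to confirm on each node that all three settings are present in the `[server]` section and point at readable PEM files with the required ownership. The function below is an added example, not part of SingleStore Tools; the function name, its arguments, and the assumption that relative paths resolve against the directory you pass as `BASEDIR` are illustrative.

```shell
#!/bin/sh
# Added example (not SingleStore tooling): check the ssl_* settings of one
# node's memsql.cnf before restarting it.
# Usage: check_ssl_config CNF BASEDIR [OWNER] [GROUP]
#   BASEDIR: directory relative paths resolve against (assumed to be the
#            SingleStore installation directory); OWNER/GROUP default to memsql.
# Prints one line per problem and returns non-zero if any setting is unusable.
check_ssl_config() {
    cnf=$1 base=$2 owner=${3:-memsql} group=${4:-memsql} rc=0
    [ -r "$cnf" ] || { echo "UNREADABLE config $cnf"; return 2; }
    for key in ssl_cert ssl_key ssl_ca; do
        # Last assignment of $key inside the [server] section, if any.
        val=$(awk -v k="$key" '
            /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[server\][ \t]*$/); next }
            /^[ \t]*[#;]/ { next }
            insec && (i = index($0, "=")) {
                name = substr($0, 1, i - 1); v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (name == k) found = v
            }
            END { print found }' "$cnf")
        if [ -z "$val" ]; then
            echo "MISSING $key in [server]"; rc=1; continue
        fi
        case $val in
            /*) path=$val ;;
            *)  path=$base/$val ;;
        esac
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $key -> $path"; rc=1; continue
        fi
        # The page requires the certs to be owned by the memsql user and group.
        if [ -z "$(find "$path" -prune -user "$owner" -group "$group" 2>/dev/null)" ]; then
            echo "OWNER $key -> $path is not $owner:$group"; rc=1
        fi
        # A .pem file carries at least one "-----BEGIN ...-----" armor line.
        if ! grep -q -- '-----BEGIN ' "$path"; then
            echo "NOT_PEM $key -> $path"; rc=1
        fi
    done
    return $rc
}
```

A partially applied configuration (for example, `ssl_cert` set but `ssl_ca` missing) shows up as a `MISSING` line rather than surfacing only after the restart.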

## Disable SSL

1. To disable SSL, run the following commands:
   ```shell
   sdb-admin update-config --all --key ssl_cert --reset
   sdb-admin update-config --all --key ssl_key --reset
   sdb-admin update-config --all --key ssl_ca --reset
   ```

2. Restart all nodes.
   ```shell
   sdb-admin restart-node --all
   ```

***

Modified at: April 26, 2023

Source: [/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-for-secure-client-and-intra-cluster-connections/](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/server-configuration-for-secure-client-and-intra-cluster-connections/)

