# Migrate Monitoring from HTTP to HTTPS

## Prerequisites

> **📝 Note**: These instructions have been developed for SingleStore clusters that have been installed and deployed via `.rpm` or `.deb` packages as a `sudo` user.If your cluster was deployed via tarball as a non-`sudo` user, change to the directory (`cd`) in which `singlestoredb-toolbox` was untarred and run all `sdb-admin` commands as `./sdb-admin`.

To migrate an existing cluster monitoring instance from HTTP to HTTPS connections, the following additional requirements must be met.

* Each Source and Metrics cluster must be running SingleStore 7.6.24 or later, or SingleStore 7.8.19 or later; SingleStore 8.5 or later to collect [trace events](https://docs.singlestore.com/db/v9.1/query-data/query-tuning/query-history.md).
* Clusters are managed with SingleStore Toolbox 1.14.2 or later.
* A server SSL certificate and a key signed with a CA certificate. This guide assumes that:

  * The server SSL certificate file is named `server-cert.pem`.
  * The server key file is named `server-key.pem`. Note that the server key may be protected with a passphrase.
  * The CA certificate file is named `ca-cert.pem`.
  * Refer to [Generating SSL Certificates](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/generating-ssl-certificates.md) for an example of generating these certificates.

SingleStore Toolbox is recommended for managing the clusters as automation during setup is provided through `sdb-admin` commands. While monitoring can be enabled through a series of SQL commands, the preferred method is to use SingleStore Toolbox.

## Migrate Cluster Hosts to HTTPS

> **📝 Note**: Repeat the following steps for each Source cluster. The same or new certificates may be used.

2. Stop the exporter on the Source cluster.
   ```shell
   sdb-admin configure-monitoring --stop-exporter
   ```

3. Drop the monitoring pipelines for the Metrics cluster on the Master Aggregator.
   ```sql
   DROP PIPELINE <metrics-database>.<metrics-pipeline-name>;
   DROP PIPELINE <metrics-database>.<blobs-pipeline-name>;

   ```

4. Copy the server certificate and key to the Master Aggregator host of the Source cluster. This certificate will be used by the exporter process and must be readable by the user under which the nodes are running on the host (typically the `memsql` user).

5. Copy the CA certificate to the same file path on *each host* of the Metrics cluster.

   Alternatively, a directory containing multiple CA certificates can be provided, and this path must be the same on all hosts.

   This directory will be used by the monitoring pipelines and must be readable by the user under which the nodes are running on the host (typically the `memsql` user).

6. On the Source cluster, run the following command to start the exporter.

   **Note**: If starting the exporter as a database user other than `root`, substitute the database user for `root` in the `--exporter-user` option and this user’s password for `<secure-password>` in the `--exporter-password` option.
   ```shell
   sdb-admin configure-monitoring \
     --exporter-user root \
     --exporter-password <secure-password> \
     --exporter-use-https \
     --exporter-ssl-cert=/path/to/server-cert.pem \
     --exporter-ssl-key=/path/to/server-key.pem \
     --exporter-ssl-passphrase=<passphrase>
   ```
   **Note**: The `--exporter-ssl-passphrase` option should only be included if the server key has a passphrase.

   Refer to [configure-monitoring](https://docs.singlestore.com/db/v9.1/reference/singlestore-tools-reference/sdb-admin-commands/configure-monitoring.md) for additional options, including `--exporter-user` and `--exporter-password`.

7. On the Metrics cluster, resume monitoring.

   **Note**: If starting the monitoring process as a database user other than `root`, substitute the database user for `root` in the `--user` option and this user’s password for `<secure-password>` in the `--password` option.
   ```shell
   sdb-admin start-monitoring \
     --database-name metrics \
     --collect-event-traces \
     --exporter-host <exporter-hostname-or-IP-address> \
     --user root \
     --password <secure-password> \
     --retention-period 10 \
     --ssl-ca /path/to/ca-cert.pem      --or--
     --ssl-capath /ca-directory/including/path
   ```
   Refer to [start-monitoring](https://docs.singlestore.com/db/v9.1/reference/singlestore-tools-reference/sdb-admin-commands/start-monitoring.md) for additional options.

***

Modified at: September 13, 2024

Source: [/db/v9.1/user-and-cluster-administration/cluster-health-and-performance/configure-monitoring/migrate-monitoring-from-http-to-https/](https://docs.singlestore.com/db/v9.1/user-and-cluster-administration/cluster-health-and-performance/configure-monitoring/migrate-monitoring-from-http-to-https/)

(An index of the documentation is available at /llms.txt)