SingleStore Managed Service

Connect to SingleStore using TLS/SSL

To ensure a secure connection to SingleStore DB, SQL clients must be configured both to require a secure connection and to verify the supplied server certificate. Otherwise, the SQL client will not use TLS/SSL connections to SingleStore DB, even if TLS/SSL is enabled on the SingleStore DB cluster. This can compromise security and lead to man-in-the-middle attacks, where a would-be attacker can impersonate a server when SSL is disabled, or establish a seemingly secure connection by impersonating a server with an illegitimate server certificate.

Configure the Managed Service Connection

These instructions describe how to configure the MySQL command-line client to connect to SingleStore Managed Service with a secure connection. SQL clients other than MySQL’s will likely require a different configuration.

  1. Download the singlestore_bundle.pem certificate file and save it to your MySQL client machine.

  2. When connecting to SingleStore Managed Service, be sure to include:

    a. The host shown under Admin Endpoint from your cluster in the Customer Portal.

    b. Port 3306.

    c. The --default-auth=mysql_native_password option.

    d. The --ssl-ca option, including the path to the singlestore_bundle.pem file. This can be done via a command-line option, as in --ssl-ca=/path/singlestore_bundle.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Include the --ssl-mode=REQUIRED option when using older versions of the MySQL client, even when the --ssl-ca option is specified.

    e. The --ssl-mode=VERIFY_CA option, so that the client verifies the server certificate against the CA file given with --ssl-ca.

  3. Test the connection to SingleStore Managed Service. The MySQL client will abort with an error if a secure connection cannot be established. While this is most likely due to a misconfiguration, it can also be due to a would-be attacker manipulating the secure connection to SingleStore DB.

    mysql -u admin -p -h <admin-endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem \
    --ssl-mode=VERIFY_CA
    
  4. Verify that a secure connection has been established to SingleStore Managed Service via the status command.

    mysql -u admin -p -h <admin-endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem -e 'status' \
    --ssl-mode=VERIFY_CA
    mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper
    
    Connection id:        13
    Current database:
    Current user:         root@yyy.yyy.yyy.yyy
    SSL:                  Cipher in use is AES256-SHA
    Current pager:        stdout
    Using outfile:        ''
    Using delimiter:      ;
    Server version:       5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
    Protocol version:     10
    Connection:           xxx.xxx.xxx.xxx via TCP/IP
    Server characterset:  utf8
    Db     characterset:  utf8
    Client characterset:  utf8
    Conn.  characterset:  utf8
    TCP port:             3306
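
A scripted form of the check in step 4, as an added example that is not part of the original SingleStore documentation: it reads `status` output and fails unless the `SSL:` line reports a cipher. The helper name `check_tls_status` and the sample status lines are constructed for illustration; `Not in use` is what the MySQL client prints on that line for an unencrypted session.

```shell
#!/bin/sh
# Added example: gate a script on the "SSL:" line of `mysql -e status` output.
# check_tls_status is a hypothetical helper name, not part of the MySQL client.

# Reads status output on stdin.
# Prints the negotiated cipher and returns 0 when TLS is in use;
# returns 1 when the session is unencrypted, 2 when no SSL line is present.
check_tls_status() {
    ssl_line=$(grep -E '^[[:space:]]*SSL:' | head -n 1)
    if [ -z "$ssl_line" ]; then
        echo "no SSL line in status output" >&2
        return 2
    fi
    case "$ssl_line" in
        *"Cipher in use is "*)
            # Strip everything up to and including the fixed prefix.
            cipher=${ssl_line##*"Cipher in use is "}
            printf '%s\n' "$cipher"
            return 0
            ;;
        *)
            echo "connection is not encrypted: $ssl_line" >&2
            return 1
            ;;
    esac
}

# Constructed sample status lines (not captured from a real cluster).
SAMPLE_TLS='Connection id:        13
SSL:                  Cipher in use is AES256-SHA
TCP port:             3306'
SAMPLE_PLAIN='Connection id:        14
SSL:                  Not in use
TCP port:             3306'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_TLS" | check_tls_status || echo "TLS check failed"
printf '%s\n' "$SAMPLE_PLAIN" | check_tls_status || echo "TLS check failed"

# Real use, with the same options as step 4:
#   mysql -u admin -p -h <admin-endpoint-host> -P 3306 \
#     --default-auth=mysql_native_password \
#     --ssl-ca=./singlestore_bundle.pem --ssl-mode=VERIFY_CA \
#     -e 'status' | check_tls_status || exit 1
```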