Help Center/ CloudTable Service/ User Guide/ ClickHouse User Guide/ ClickHouse Cluster Management/ Configuring Secure Channel Encryption for ClickHouse Clusters
Updated on 2024-07-23 GMT+08:00

Configuring Secure Channel Encryption for ClickHouse Clusters

You can enable secure channel encryption to encrypt data transmission. This section describes how to enable HTTPS for a ClickHouse cluster.

Enabling Channel Encryption

  1. Log in to the CloudTable console.
  2. Click in the upper left corner to select a region.
  3. Click Buy Cluster in the upper right corner.
  4. Check whether Enable Channel Encryption (which is toggled on by default) is toggled on after completing other configurations.

    Figure 1 Enabling channel encryption
    • Disabling HTTPS will pose risks to enterprise services.
    • The HTTPS option is enabled during cluster creation and cannot be disabled later.
    • If the HTTPS option is not enabled during cluster creation, it cannot be enabled later.

  5. Completing the parameter setting and click Next.
  6. Confirm the cluster specification order information on the displayed page and submit the order. After the cluster is created, go to its details page to view the channel status.

Enabling Secure and Non-Secure Channels

  1. Log in to the CloudTable console.
  2. Click in the upper left corner to select a region.
  3. Click Buy Cluster in the upper right corner.
  4. Completing the parameter setting and click Next.
  5. On the displayed page, confirm the cluster specification order information and click Submit. The cluster creation task is submitted.
  6. After the cluster is created, go to its details page and toggle Enable Secure and Non-secure Channels on. In the displayed dialog box, confirm the information and click OK.

    • The cluster restarts after the secure channels are enabled on the cluster details page.
    • The secure and non-secure channels cannot be disabled after being enabled concurrently.

Connecting to a Security Cluster

  1. Click the name of the target security cluster to download the certificates on its details page.
  2. Connect to the client and specify the configuration file.

    ./clickhouse client --host Private IP address of the cluster --port port --user admin --password Password --secure --config-file /root/config.xml

    Configure files.

    <config>
        <secure>true</secure>
        <openSSL>
          <client>
            <caConfig>/etc/ssl/certificate.crt</caConfig>
          </client>
        </openSSL>
    </config>
    • <caConfig>/etc/ssl/certificate.crt</caConfig> indicates the path where certificates are stored.
    • root indicates the path for storing the configuration file.
    • Certificates can be downloaded only once per minute.

HTTPS Connection

  1. Click the name of the target security cluster to download the certificates on its details page.
  2. Specify the path for storing the certificates.
  3. Execute the sample SQL statement through HTTPS.

    echo 'select 1' | curl -H 'X-ClickHouse-User: user' -H 'X-ClickHouse-Key: password' --cacert /clickhouse/client/client/bin/certificate.crt 'https://host:port/?' --data-binary @-
    • select 1 indicates the executed SQL statement.
    • user indicates the username.
    • password indicates the password created during cluster creation.
    • /clickhouse/client/client/bin/certificate.crt indicates the path for storing the certificates.
    • host indicates the private IP address and port indicates the HTTPS port.

JDBC Connection

public void run()
        throws InterruptedException {
    final ClickHouseProperties clickHouseProperties = new ClickHouseProperties();
    // There will be security risks if the password used for authentication is directly written into code. Encrypt the password in the configuration file or environment variables for storage;
    // In this example, the password is stored in environment variables for identity authentication. Before running the code in this example, configure environment variable CK_PASSWORD.
    String password = System.getenv("CK_PASSWORD");
    clickHouseProperties.setSslRootCertificate("/etc/ssl/certificate.crt");
    clickHouseProperties.setSsl(true);
    clickHouseProperties.setSslMode("strict");
    clickHouseProperties.setUser("test");
    clickHouseProperties.setPassword(password);
    clickHouseProperties.setSocketTimeout(2 * 3600 * 1000);
    final BalancedClickhouseDataSource dataSource = new BalancedClickhouseDataSource("xxxx.mycloudtable.com:8443/default?ssl=true", clickHouseProperties);
    try {
        final ClickHouseConnection conn = dataSource.getConnection();
        conn.createStatement().executeQuery("select now()");
    } catch (Throwable e) {
        e.printStackTrace();
    }
}

/etc/ssl/certificate.crt in clickHouseProperties.setSslRootCertificate("/etc/ssl/certificate.crt"); indicates the path for storing the certificates.