Help Center/ CloudTable Service/ User Guide/ Using ClickHouse/ Connecting to a ClickHouse Cluster/ Using a Client to Connect to a ClickHouse Security Cluster
Updated on 2025-08-12 GMT+08:00

Using a Client to Connect to a ClickHouse Security Cluster

You can enable channel encryption to secure data transmission. This section describes how to enable a secure channel for a ClickHouse cluster.

Constraints

  • Disabling HTTPS will pose risks to enterprise services.
  • The HTTPS option is enabled during cluster creation and cannot be disabled later.
  • If the HTTPS option is not enabled during cluster creation, it cannot be enabled later.
  • The cluster restarts after the secure channels are enabled on the cluster details page.
  • The secure and non-secure channels cannot be disabled after being enabled concurrently.

Enabling the Secure Channel

  1. Log in to the CloudTable console.
  2. Select a region in the upper left corner.
  3. On the Cluster Management page, click Buy Cluster in the upper right corner. The Buy Cluster page is displayed.
  4. Check whether Security Channel is toggled on (default).

    Additionally, you can toggle Enable Secure and Non-secure Channels on the cluster details page post-creation. This enables both secure and non-secure channels.
    Figure 1 Secure channel

  5. Set the parameters and click Next.
  6. Confirm the cluster information and click Submit. After the cluster is created, go to its details page to view its security channel status.

Downloading a Certificate

  1. After the cluster is created, go to the cluster details page and click Download certificates on the right of Channel Status in the cluster information area.
  2. Use the SSH login tool to remotely log in to the Linux ECS through the EIP.

    For details, see Logging In to a Linux ECS Using an SSH Password in the Elastic Cloud Server User Guide.

  3. Configure the certificate.

    Customize the certificate path by updating the certificate storage path in the following configuration file. Save the file to the root directory.
    <config>
        <secure>true</secure>
        <openSSL>
          <client>
            <caConfig>/etc/ssl/certificate.crt</caConfig>
          </client>
        </openSSL>
    </config>
    • <caConfig>/etc/ssl/certificate.crt</caConfig> indicates the path where certificates are stored.
    • root indicates the path for storing the configuration file.
    • The certificate can be downloaded only once per minute.

Using the ClickHouse Client to Connect to a Cluster

  1. After the certificate is configured, download the client. Log in to the CloudTable console. In the navigation pane on the left, choose Help. In the right pane, click Download Client and Client Verification File to download the client installation package and client verification file.
  2. Install the client.

    1. Use the SSH login tool to remotely log in to the Linux ECS through the EIP.

      For details, see Logging In to a Linux ECS Using an SSH Password in the Elastic Cloud Server User Guide.

    2. Go to the root directory of the SSH login tool.
      cd /
    3. Create a folder in the root directory.
      mkdir Folder name
    4. Go to the directory of the created folder.
      cd /Folder name/
    5. Place the client in the directory.
    6. Decompress the client package.
      tar  -zxf   Client package name
    7. Decompress the client verification file to the same directory as the client.
      1. Decompress the client verification file.
        cd <Path for storing the client verification file >
        tar -xzvf Client_sha256.tar.gz
      2. Obtain the client verification code.
        sha256sum ClickHouse_Client_23.3.tar.gz
      3. Check the verification code in the client verification file and compare it with the client verification code. If they are the same, the client is not tampered with. If they are different, the client is tampered with.
        less ClickHouse_Client_23.3.tar.gz.sha256
    8. Go to the clickhouse folder and load the .so file.
      sh install.sh
    9. Go to the bin directory.
      cd bin/

      Grant the 700 permission to the directory.

      chmod 700 clickhouse

  3. Connect to the cluster.

    ./clickhouse client --host Internal IP address of the cluster --port 9440 --user admin --password Password --secure --config-file /root/config.xml

Getting Started with ClickHouse

  1. Create a database.
    create database demo;
  2. Use the database.
    use demo;
  3. Check the database in use.
    select currentDatabase();
  4. Create a table.
    create table demo_t(uid Int32,name String,age UInt32,gender String)engine = TinyLog;
  5. View the table structure.
    desc demo_t;
  6. Insert data.
    insert into demo_t values(1,'Candy','23','M'),(2,'cici','33','F');
  7. View the table.
    select * from demo_t;
  8. View the database and table.
    • View the database.
      show databases;
    • View the table.
      show tables;
  9. Delete the database and table.
    • Delete the table.
      drop table demo_t;
      • Before deleting a table, check whether the table is in use.
      • After a table is deleted, it can be restored within 24 hours. The restoration command is as follows:
        set allow_experimental_undrop_table_query = 1;
        UNDROP TABLE Table name;
    • Delete the database.
      drop database demo;