How to configure optional secured communication between ClickHouse and ZooKeeper?
The first step is on the ZooKeeper side: set `ssl.keyStore.location`, `ssl.keyStore.password`, `ssl.trustStore.location` and `ssl.trustStore.password` in the ZooKeeper server configuration (`zoo.cfg`) so that ZooKeeper can accept TLS connections from the ClickHouse client. The keystore holds the ZooKeeper server certificate and key; the truststore holds the CA that issued the ClickHouse client certificate, which lets ZooKeeper verify the client as well. These options are available from ZooKeeper version 3.5.2.
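A complete server-side `zoo.cfg` fragment that puts those settings together, as an added example that is not part of the original page. Paths, the keystore type and the passwords are placeholders; what is not a placeholder is that ZooKeeper only serves TLS through a separate secure port and through the Netty connection factory, so both must be set.

```ini
# zoo.cfg on the ZooKeeper host (added example; paths and passwords are placeholders)

# Plaintext client port. Comment it out so that no client can fall back to an
# unencrypted connection; ClickHouse will use only secureClientPort below.
# clientPort=2181

# TLS client port. Must match <port> in the ClickHouse <zookeeper> section.
secureClientPort=2281

# TLS is implemented by the Netty connection factory, not the default NIO one.
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

# Server certificate and private key. The certificate in this keystore is the
# zookeeper.crt that is later added to the trusted certificates on the ClickHouse host.
ssl.keyStore.location=/etc/zookeeper/zookeeper.jks
ssl.keyStore.password=changeit

# CA that issued the ClickHouse client certificate (client.crt), so that the
# server can verify the client side of the mutual TLS handshake.
ssl.trustStore.location=/etc/zookeeper/truststore.jks
ssl.trustStore.password=changeit
```

Keeping `clientPort` enabled alongside `secureClientPort` leaves a plaintext port open on the same ensemble; the ClickHouse configuration below never uses it, but anything else on the network could, so drop it unless another client still needs it.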
On the ClickHouse host, add the ZooKeeper server certificate `zookeeper.crt` to the system's trusted certificates, so that the `loadDefaultCAFile` setting below is enough for ClickHouse to verify the ZooKeeper server:

```bash
sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt
sudo update-ca-certificates
```
The `<client>` section (under `<openSSL>`) in the ClickHouse `config.xml` should look like this. `certificateFile` and `privateKeyFile` are the client certificate that ClickHouse presents to ZooKeeper; `RejectCertificateHandler` makes ClickHouse drop the connection if the ZooKeeper certificate does not verify, instead of silently accepting it.

```xml
<client>
    <!-- Client certificate and key presented to ZooKeeper -->
    <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
    <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
    <!-- Use the system CA store, where zookeeper.crt was installed above -->
    <loadDefaultCAFile>true</loadDefaultCAFile>
    <cacheSessions>true</cacheSessions>
    <disableProtocols>sslv2,sslv3</disableProtocols>
    <preferServerCiphers>true</preferServerCiphers>
    <!-- Fail the connection on an invalid server certificate -->
    <invalidCertificateHandler>
        <name>RejectCertificateHandler</name>
    </invalidCertificateHandler>
</client>
```
Add the ZooKeeper node to the ClickHouse config, together with your cluster (`remote_servers`) and `macros` sections. The port is the ZooKeeper `secureClientPort`, and `<secure>1</secure>` tells ClickHouse to connect to that node over TLS:

```xml
<clickhouse>
    <zookeeper>
        <node>
            <host>localhost</host>
            <!-- ZooKeeper secureClientPort, not the plaintext clientPort -->
            <port>2281</port>
            <secure>1</secure>
        </node>
    </zookeeper>
</clickhouse>
```
Start `clickhouse-server`. In the logs you should see:

```
<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281
```

The `secure://` prefix indicates that ClickHouse opened the ZooKeeper connection over TLS.
To confirm that the traffic is actually encrypted, and not only that ClickHouse believes it is, capture the secure port with tcpdump on the ClickHouse host (`-X` prints the packet payload as hex and ASCII, so any cleartext would be visible):

```bash
tcpdump -i any dst port 2281 -nnXS
```
Then, in `clickhouse-client`, run a query that makes ClickHouse read from ZooKeeper:

```sql
SELECT * FROM system.zookeeper WHERE path = '/';
```
On an unencrypted connection the ZooKeeper response carries znode names in cleartext, and the tcpdump output shows fragments such as:

```
..../zookeeper/quota.
```

On an encrypted connection you should not see any such readable path; only TLS records appear in the payload.