Configuring Optional secured communication between ClickHouse and Zookeeper

How to configure Optional secured communication between ClickHouse and Zookeeper?


First, on the ZooKeeper side, specify ssl.keyStore.location, ssl.keyStore.password, ssl.trustStore.location and ssl.trustStore.password so that ZooKeeper can communicate with the ClickHouse client over SSL. These options are available from ZooKeeper version 3.5.2.

On the ClickHouse host, you can add zookeeper.crt to the trusted certificates:

sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt
sudo update-ca-certificates

The client section in config.xml should look like this:

<client>
    <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
    <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
    <loadDefaultCAFile>true</loadDefaultCAFile>
    <cacheSessions>true</cacheSessions>
    <disableProtocols>sslv2,sslv3</disableProtocols>
    <preferServerCiphers>true</preferServerCiphers>
    <invalidCertificateHandler>
        <name>RejectCertificateHandler</name>
    </invalidCertificateHandler>
</client>

Add Zookeeper to ClickHouse config with some cluster and macros:

<clickhouse>
    <zookeeper>
        <node>
            <host>localhost</host>
            <port>2281</port>
            <secure>1</secure>
        </node>
    </zookeeper>
</clickhouse>
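
The two config fragments above only protect the connection if every ZooKeeper node carries the secure flag and the client section still rejects invalid certificates. The following check is an added example, not part of the original article or of ClickHouse itself; the sample config, its host names and the function names are constructed for illustration, and it assumes the client section and the zookeeper section live in one XML document.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the second node and the certificate handler are deliberately weak.
SAMPLE_CONFIG = """
<clickhouse>
    <openSSL>
        <client>
            <disableProtocols>sslv2</disableProtocols>
            <invalidCertificateHandler>
                <name>AcceptCertificateHandler</name>
            </invalidCertificateHandler>
        </client>
    </openSSL>
    <zookeeper>
        <node><host>zk1.example.internal</host><port>2281</port><secure>1</secure></node>
        <node><host>zk2.example.internal</host><port>2181</port></node>
    </zookeeper>
</clickhouse>
"""

def text(elem, path, default=""):
    """Return the stripped text of a child element, or default if it is absent."""
    found = elem.find(path)
    return (found.text or "").strip() if found is not None else default

def audit(config_xml):
    """Return a list of findings for the ZooKeeper TLS settings in config_xml."""
    root = ET.fromstring(config_xml)
    findings = []
    nodes = root.findall(".//zookeeper/node")
    if not nodes:
        findings.append("no <zookeeper><node> entries found")
    for node in nodes:
        host, port = text(node, "host", "?"), text(node, "port", "?")
        # A node without the secure flag is contacted without TLS.
        if text(node, "secure") not in ("1", "true"):
            findings.append(f"{host}:{port} has no <secure>1</secure>; connection is plaintext")
    client = root.find(".//client")
    if client is None:
        return findings + ["no <client> TLS section found"]
    if text(client, "invalidCertificateHandler/name") != "RejectCertificateHandler":
        findings.append("invalidCertificateHandler is not RejectCertificateHandler")
    disabled = {p.strip().lower() for p in text(client, "disableProtocols").split(",")}
    for proto in ("sslv2", "sslv3"):
        if proto not in disabled:
            findings.append(f"{proto} is not listed in disableProtocols")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

An empty result means the settings shown in this article are all present; it does not prove the handshake succeeds, which the log line and tcpdump check below cover.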

Start clickhouse-server. In the logs you should see:

<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281

The secure:// prefix indicates that the connection is secured by SSL.

To confirm that the traffic is encrypted, run tcpdump on the secured port:

tcpdump -i any dst port 2281 -nnXS

Then run a query in clickhouse-client:

SELECT * FROM system.zookeeper WHERE path = '/';

On an unencrypted connection, the tcpdump output will contain something like this:

..../zookeeper/quota.

On an encrypted connection, you should not see this.

ChistaDATA Inc. Knowledge base is licensed under the Apache License, Version 2.0 (the “License”)

Copyright 2022 ChistaDATA Inc

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.