ApsaraDB for ClickHouse supports HTTPS connections, which encrypt traffic between your application and the cluster. This topic shows how to connect using Java JDBC and curl.
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB for ClickHouse cluster running version 20.8 or later
HTTPS enabled on the cluster, and the SSL CA certificate downloaded — see Enable HTTPS
The client IP address added to the cluster whitelist — see Configure a whitelist
A public endpoint configured for the cluster, if the client and cluster are in different virtual private clouds (VPCs)
Usage notes
HTTPS connections increase both network response time and CPU utilization on the cluster.
Internet connections: Use HTTPS when data encryption is required.
VPC connections: VPC networks are private and isolated. HTTPS is generally not needed for connections within the same VPC.
Connect using Java JDBC
Step 1: Add the JDBC dependency
Add the following dependency to your Maven project:
<dependency>
<groupId>ru.yandex.clickhouse</groupId>
<artifactId>clickhouse-jdbc</artifactId>
<version>0.3.1</version>
</dependency>Step 2: Gather connection information
Collect the following values before writing your connection code:
| Variable | Description | Example value |
|---|---|---|
| Endpoint | Public endpoint or VPC endpoint of the cluster. Use the public endpoint if the client and cluster are in different VPCs. | cc-****.public.clickhouse.ads.aliyuncs.com |
| HTTPS port | Fixed value for HTTPS connections. | 8443 |
| Database name | Name of the target database. | test01 |
| Database account | Username for the database. | test |
| Password | Password for the database account. | 123456Aa |
| Certificate path | Local file path to the downloaded SSL CA certificate. | /user/ck-root-ClickHouse-CA-Chain.pem |
| SSL mode | strict — verifies the server certificate against the CA. Use none only when connecting by IP address within the same VPC. | strict |
| Socket timeout | Connection timeout in milliseconds. | 7200000 (2 hours) |
Step 3: Connect to the cluster
All SSL settings are configured through ClickHouseProperties. The JDBC URL uses port 8443 and the ssl=true parameter.
import ru.yandex.clickhouse.ClickHouseConnection;
import ru.yandex.clickhouse.ClickHouseDataSource;
import ru.yandex.clickhouse.settings.ClickHouseProperties;
public void run() throws InterruptedException {
ClickHouseProperties props = new ClickHouseProperties();
props.setSslRootCertificate("<certificate-path>"); // path to the SSL CA certificate
props.setSsl(true);
props.setSslMode("<ssl-mode>"); // strict: verify cert against CA; none: skip verification (IP + same VPC only)
props.setUser("<database-account>");
props.setPassword("<password>");
props.setSocketTimeout(<timeout-ms>); // timeout in milliseconds
String url = "jdbc:clickhouse://<endpoint>:<HTTPS port number>/<database-name>?ssl=true";
ClickHouseDataSource dataSource = new ClickHouseDataSource(url, props);
try {
final ClickHouseConnection conn = dataSource.getConnection();
conn.createStatement().executeQuery("select now()");
} catch (Throwable e) {
e.printStackTrace();
}
}Replace the placeholders with the values you collected in Step 2:
| Placeholder | Example value |
|---|---|
<certificate-path> | /user/ck-root-ClickHouse-CA-Chain.pem |
<ssl-mode> | strict |
<database-account> | test |
<password> | 123456Aa |
<timeout-ms> | 7200000 |
<endpoint> | cc-****.public.clickhouse.ads.aliyuncs.com |
<database-name> | test01 |
When connecting by IP address, the client and cluster must be in the same VPC, and ssl-mode must be set to none.
Connect using curl
Use curl to verify HTTPS connectivity with a /ping request.
Syntax:
curl --cacert <certificate-path> https://<endpoint>:<HTTPS port number>/pingExample:
curl --cacert ./ck-root-ClickHouse-CA-Chain.pem https://cc-bp163l724nkf****.clickhouse.ads.aliyuncs.com:8443/ping