E-MapReduce: Set SSL encryption

Last Updated: Jul 12, 2025

To secure connections, you can enable Secure Sockets Layer (SSL) encryption and install SSL CA certificates in the required application services. SSL encrypts network connections at the transport layer and provides endpoint authentication and data encryption, so that data exchanged between the client and the StarRocks instance cannot be read by unauthorized users. This enhances data security and integrity.

Prerequisites

An instance has been created. For more information, see Create an instance.

Limits

Only instances of version 3.3.8-1.94-1.7.12 or later support the SSL encryption feature.

Enable SSL encryption

Important
  • After SSL encryption is enabled, connections between clients and StarRocks must be encrypted using SSL. Existing clients without SSL encryption certificates configured will fail to connect. Please confirm the relevant settings before proceeding.

  • The FE nodes of the instance will undergo rolling restarts. During this period, import and query tasks may experience brief interruptions. Perform this operation during off-peak hours and monitor your tasks.

  1. Go to the Instance Details tab.

    1. Log on to the EMR console.

    2. In the navigation pane on the left, choose EMR Serverless > StarRocks.

    3. Click the name of the instance that you want to manage.

  2. On the Instance Details page, in the Security Configuration section, click Enable next to SSL Encryption.

  3. In the Enable SSL Encryption dialog box, click Confirm to use the default certificate.

    To customize the certificate, turn on the Custom Encryption File switch and configure the following parameters.

    Parameter description:

    • Upload Certificate File: Click Upload File, select and upload a PKCS#12 format certificate file (with the extension .p12). This certificate file contains your public key, private key, and possibly a certificate chain.

      Note

      In production environments, we recommend using certificates issued by certification authorities.

    • Encryption File Access Password: Enter the access password for the uploaded certificate file (the password used to encrypt the certificate file). Ensure this password is securely stored and provided when the certificate needs to be used.

    • Key Access Password: Enter the password for accessing the private key. If a password was set when generating the private key, you need to provide it here to ensure the system can correctly access and use the private key for SSL identity verification and key exchange.

  4. (Optional) View the SSL encryption configuration.

    1. Click the Parameter Configuration tab.

    2. Click FE on the left to view the following SSL authentication information.

      Parameter description:

      • ssl_keystore_location: The path to the keystore file containing the SSL certificate and key.

      • ssl_keystore_password: The access password for the keystore file. StarRocks needs to provide this password when reading the keystore file.

      • ssl_key_password: The access password for the key. StarRocks needs to provide this password when reading the key from the keystore file.

Download the SSL encryption certificate

  1. Go to the Instance Details tab.

    1. Log on to the EMR console.

    2. In the navigation pane on the left, choose EMR Serverless > StarRocks.

    3. Click the name of the instance that you want to manage.

  2. On the Instance Details page, in the Security Configuration section, click Download next to Authentication Certificate.

    After you download a certificate to your computer, you can install the certificate on your web application server to implement HTTPS-encrypted communication.

    Note

    Because the certificate contains invisible characters, the downloaded certificate is Base64-encoded. You must decode the certificate before you use it. The decoded certificate can be used directly to configure HTTPS-encrypted communication. Store the decoded file properly to avoid leaking sensitive information.
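The decoding step from the note above, as an added example that is not part of the original documentation: it decodes the download strictly, checks what kind of file came out, and writes it with owner-only permissions. The function names, the output file name and the sample input are assumptions for illustration, as is the assumption that the decoded file is either PEM text or binary ASN.1.

```python
import base64
import binascii
import os


def decode_certificate(encoded: bytes) -> bytes:
    """Strictly decode the Base64 download; anything that is not Base64 is rejected."""
    compact = b"".join(encoded.split())  # drop line breaks and stray whitespace
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"download is not valid Base64: {exc}") from exc
    if not raw:
        raise ValueError("decoded certificate is empty")
    return raw


def sniff_format(raw: bytes) -> str:
    """Classify the decoded bytes so the wrong file is not handed to a TLS stack."""
    if raw.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER or PKCS#12 container
        return "der"
    return "unknown"


def write_private(path: str, data: bytes) -> None:
    """Create the file owner-only (0600) and refuse to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


# Constructed stand-in for the console download (not a real certificate).
SAMPLE_DOWNLOAD = base64.encodebytes(
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    decoded = decode_certificate(SAMPLE_DOWNLOAD)
    print(sniff_format(decoded))
    write_private("starrocks-cert.decoded", decoded)  # hypothetical file name
```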

Enable SSL authentication on the client

This topic describes how to enable SSL authentication on the following clients:

  • MySQL client

    StarRocks is compatible with the MySQL protocol and enables SSL authentication by default, so MySQL clients require no additional configuration. For more information about connecting to StarRocks instances, see Connect to a StarRocks instance using a MySQL client.

  • JDBC client

    Add the following options to the JDBC URL to enable SSL. For more information about connecting to StarRocks instances, see Connect to a StarRocks instance using JDBC.

    useSSL=true&verifyServerCertificate=false

    Parameter description:

    • useSSL=true: Enables SSL encryption.

    • verifyServerCertificate=false: Disables server certificate verification (suitable for development or test environments).

      Note

      In production environments, we recommend setting verifyServerCertificate=true and providing a trusted CA certificate.
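To keep the development setting above out of production, the following added example (not part of the original documentation) scans configuration text for jdbc:mysql:// URLs and reports any that do not set both options to true. The host name, port, property keys and finding codes are constructed placeholders; trustCertificateKeyStoreUrl is the MySQL Connector/J option for naming a truststore, and its use here is an assumption about how the CA certificate is supplied.

```python
import re
from urllib.parse import parse_qsl

JDBC_URL = re.compile(r"jdbc:mysql://[^\s\"']+")


def audit_jdbc_url(url: str) -> list:
    """Return finding codes for the SSL options of one jdbc:mysql:// URL."""
    values = {}
    for key, value in parse_qsl(url.partition("?")[2], keep_blank_values=True):
        values.setdefault(key, []).append(value.strip().lower())

    def all_true(option: str) -> bool:
        # Pass only if the option is present and every occurrence is "true",
        # so a repeated option with conflicting values is treated as unsafe.
        seen = values.get(option, [])
        return bool(seen) and all(v == "true" for v in seen)

    findings = []
    if not all_true("useSSL"):
        findings.append("SSL_NOT_ENABLED")
    if not all_true("verifyServerCertificate"):
        findings.append("CERT_NOT_VERIFIED")
    elif "trustCertificateKeyStoreUrl" not in values:
        # Informational: no truststore named in the URL; confirm where the CA is trusted.
        findings.append("NO_EXPLICIT_TRUSTSTORE")
    return findings


def audit_config(text: str) -> dict:
    """Map 1-based line numbers to findings for every JDBC URL in a config file."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in JDBC_URL.findall(line):
            found = audit_jdbc_url(url)
            if found:
                report[lineno] = report.get(lineno, []) + found
    return report


# Constructed sample configuration (host, port, keys and paths are placeholders).
SAMPLE_CONFIG = """\
dev.url=jdbc:mysql://fe.example.internal:9030/demo?useSSL=true&verifyServerCertificate=false
prod.url=jdbc:mysql://fe.example.internal:9030/demo?useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:/etc/app/truststore.jks
legacy.url=jdbc:mysql://fe.example.internal:9030/demo
mixed.url=jdbc:mysql://fe.example.internal:9030/demo?useSSL=true&verifyServerCertificate=true&verifyServerCertificate=false
"""

if __name__ == "__main__":
    for lineno, found in audit_config(SAMPLE_CONFIG).items():
        print(lineno, found)
```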

Disable SSL encryption

Important
  • After SSL encryption is disabled, connections between clients and StarRocks will no longer be encrypted using SSL. In this case, you must complete the authentication method configuration for client connections so that clients can still access the instance. Please confirm before proceeding.

  • The FE nodes of the instance will undergo rolling restarts. During this period, import and query tasks may experience brief interruptions. Perform this operation during off-peak hours and monitor your tasks.

  1. On the Instance Details page, in the Security Configuration section, click Disable next to SSL Encryption.

  2. In the Disable SSL Encryption dialog box, click Confirm.