Set up SSL encryption


SSL encryption secures network connections at the transport layer between clients and StarRocks instances, providing endpoint authentication and data encryption. After you enable SSL, install the SSL CA certificate in your client applications.

Prerequisites

An instance is created. For more information, see Create an instance.

Limits

The SSL encryption feature is supported only on instances of version 3.3.8-1.94-1.7.12 or later.

Procedure

Step 1: Enable SSL encryption

Important
  • After you enable SSL encryption, clients must also use SSL encryption to connect to StarRocks. Connections from clients that are not configured with an SSL certificate will fail. Confirm your settings before you proceed.

  • The FE nodes of the instance will perform a rolling restart. During this process, import and query jobs may be briefly interrupted. Perform this operation during off-peak hours and monitor the status of your jobs.

Scenario 1: Use a platform-provided self-signed certificate

  1. Go to the instance details page.

    1. Log on to the E-MapReduce console.

    2. In the navigation pane on the left, choose EMR Serverless > StarRocks.

    3. Click the name of the target instance.

  2. On the Instance Details page, in the Security Configuration section, click the control next to SSL Encryption to enable the feature.

  3. In the Enable SSL encryption dialog box, click Confirm to use the default certificate.

  4. (Optional) View the SSL encryption configuration.

    1. Click the Parameter Configurations tab.

    2. In the navigation pane on the left, click FE to view the SSL authentication information.

      • ssl_keystore_location: The path to the keystore file that contains the SSL certificate and key.

      • ssl_keystore_password: The password to access the keystore file. StarRocks requires this password to read the keystore file.

      • ssl_key_password: The password to access the private key in the keystore file. StarRocks requires this password to read the private key.

Scenario 2: Use a custom certificate

  1. Go to the instance details page.

    1. Log on to the E-MapReduce console.

    2. In the navigation pane on the left, choose EMR Serverless > StarRocks.

    3. Click the name of the target instance.

  2. On the Instance Details page, in the Security Configuration section, click the control next to SSL Encryption to enable the feature.

  3. In the Enable SSL encryption dialog box, turn on Custom Encrypted Files, configure the following parameters, and click Confirm.

    • Upload Certificate File: Click Upload File to select and upload a certificate file in PKCS#12 format (with a .p12 extension). This file contains your public key, private key, and, if present, the certificate chain.

      Note

      In a production environment, use a certificate issued by a certificate authority.

    • Encrypted File Access Password: The password used to encrypt the certificate file. Keep this password secure and provide it when the certificate is used.

    • Key Access Password: The password to access the private key. Required if a password was set when the private key was generated. This ensures that the system can access and use the private key for SSL identity verification and key exchange.

  4. (Optional) View the SSL encryption configuration.

    1. Click the Parameter Configurations tab.

    2. In the navigation pane, click FE to view the SSL authentication information.

      • ssl_keystore_location: The path to the keystore file that contains the SSL certificate and key.

      • ssl_keystore_password: The password to access the keystore file. StarRocks requires this password to read the keystore file.

      • ssl_key_password: The password to access the private key in the keystore file. StarRocks requires this password to read the private key.

Step 2: Download the SSL certificate

Note

If you use a certificate issued by a certificate authority, you do not need to download the certificate. You can connect directly to the StarRocks instance.

  1. In the Security Configuration section on the Instance Details page, click Download next to the authentication certificate.

  2. Decode the certificate.

    Note

    The downloaded certificate is Base64-encoded because it contains non-printable characters. You must decode the certificate before you can use it. The decoded file can be used to configure encrypted communication. Store the decoded file in a secure location to prevent information leaks.

Step 3: Connect to the StarRocks instance from a client

You can enable SSL authentication for the following clients:

  • MySQL client

    For MySQL clients, StarRocks is compatible with the MySQL protocol, which supports SSL authentication by default. No extra configuration is required. For more information about how to connect to a StarRocks instance, see Connect to a StarRocks instance from a MySQL client.

  • JDBC client

    Add the following options to the Java Database Connectivity (JDBC) URL to enable SSL. For more information about how to connect to a StarRocks instance, see Connect to a StarRocks instance using JDBC.

    useSSL=true&verifyServerCertificate=false

    Parameter descriptions:

    • useSSL=true: Enables SSL encryption.

    • verifyServerCertificate=false: Disables server certificate validation, so the connection is encrypted but the client does not check the server's identity. This is suitable for development or staging environments.

      Note

      In a production environment, set verifyServerCertificate=true and provide a trusted CA certificate.
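
The production setup from the note above, as an added example that is not part of the original documentation: it decodes the Base64 download from Step 2, stores the certificate in a truststore, and connects with verifyServerCertificate=true. It assumes MySQL Connector/J as the JDBC driver (the trustCertificateKeyStore* properties are Connector/J's), that the decoded file is a single X.509 CA certificate, and hypothetical names for the class, truststore file, alias, command-line arguments and environment variables.

```java
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Base64;
import java.util.Properties;

public class StarRocksVerifiedTls {
    // Assumed inputs (not from the page): args[0] = Base64 file from Step 2,
    // args[1] = host:port, args[2] = user; both environment variables must be set.
    public static void main(String[] args) throws Exception {
        char[] storePass = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();

        // Step 2: decode. Assumption: the decoded bytes are one X.509 CA certificate.
        byte[] decoded = Base64.getMimeDecoder().decode(Files.readAllBytes(Paths.get(args[0])));
        Certificate ca = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(decoded));

        // Truststore holding only this CA, so no other issuer is accepted.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("starrocks-ca", ca);
        Path storePath = Paths.get("starrocks-truststore.p12").toAbsolutePath();
        try (OutputStream out = Files.newOutputStream(storePath)) {
            trust.store(out, storePass);
        }

        Properties props = new Properties();
        props.setProperty("user", args[2]);
        props.setProperty("password", System.getenv("STARROCKS_PASSWORD"));
        props.setProperty("useSSL", "true");
        props.setProperty("verifyServerCertificate", "true"); // production setting from the note
        props.setProperty("trustCertificateKeyStoreUrl", storePath.toUri().toString());
        props.setProperty("trustCertificateKeyStoreType", "PKCS12");
        props.setProperty("trustCertificateKeyStorePassword", new String(storePass));

        // getConnection throws if the server certificate does not chain to the CA.
        try (Connection conn = DriverManager.getConnection("jdbc:mysql://" + args[1] + "/", props)) {
            System.out.println("Connected over TLS with server certificate validation");
        }
    }
}
```

Passing the settings as Properties keeps the database and truststore passwords out of the JDBC URL, which often ends up in logs.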

More operations

Disable SSL encryption

Important
  • After you disable SSL encryption, connections to StarRocks are no longer encrypted using SSL. You must update your client connection settings accordingly. Confirm your settings before you proceed.

  • The FE nodes of the instance will perform a rolling restart. During this process, import and query jobs may be briefly interrupted. Perform this operation during off-peak hours and monitor the status of your jobs.

  1. On the Instance Details page, in the Security Configuration section, click Close next to SSL Encryption.

  2. In the Disable SSL encryption dialog box, click Confirm.