Enable SSL encryption

Communication between an ADQM server and client can be secured by the SSL encryption protocol. This article provides instructions on how to configure ADQM to enable SSL certificate validation for incoming connections. The example uses an ADQM cluster that includes the following hosts:

  • 10.92.17.146, adqm-host-1.arenadata.local;

  • 10.92.17.106, adqm-host-2.arenadata.local;

  • 10.92.17.140, adqm-host-3.arenadata.local;

  • 10.92.16.245, adqm-host-4.arenadata.local.

NOTE

In this article, a self-signed CA certificate is used to create server SSL certificates for demonstration and testing purposes. For production systems, use a trusted certificate authority to sign certificates.

Create SSL certificates

To run the commands below, you need openssl installed: the command-line tool that exposes the functions of the OpenSSL cryptographic library.

  1. Generate a root private key:

    $ openssl genrsa -out arenadata_ca.key 2048

    This key will be used to create a CA certificate and to sign other certificates (server certificates and certificates for user authentication), so keep it in a secure place.

  2. Create a self-signed CA certificate:

    $ openssl req -x509 -subj "/CN=arenadata.local CA" -nodes -key arenadata_ca.key -days 1095 -out arenadata_ca.crt

  3. For each ADQM server, generate a key and create a certificate signing request (CSR):

    $ openssl req -newkey rsa:2048 -nodes -subj "/CN=adqm-host-1.arenadata.local" -addext "subjectAltName = DNS:adqm-host-1.arenadata.local,IP:10.92.17.146" -keyout adqm-host-1.key -out adqm-host-1.csr
    $ openssl req -newkey rsa:2048 -nodes -subj "/CN=adqm-host-2.arenadata.local" -addext "subjectAltName = DNS:adqm-host-2.arenadata.local,IP:10.92.17.106" -keyout adqm-host-2.key -out adqm-host-2.csr
    $ openssl req -newkey rsa:2048 -nodes -subj "/CN=adqm-host-3.arenadata.local" -addext "subjectAltName = DNS:adqm-host-3.arenadata.local,IP:10.92.17.140" -keyout adqm-host-3.key -out adqm-host-3.csr
    $ openssl req -newkey rsa:2048 -nodes -subj "/CN=adqm-host-4.arenadata.local" -addext "subjectAltName = DNS:adqm-host-4.arenadata.local,IP:10.92.16.245" -keyout adqm-host-4.key -out adqm-host-4.csr

    The CN (Common Name) certificate identifier should be the fully qualified domain name (FQDN) of a server for which the certificate is being created. Otherwise, the certificate cannot be verified.

  4. For each ADQM server, create and sign a certificate using the root key and the CA certificate:

    $ openssl x509 -req -in adqm-host-1.csr -out adqm-host-1.crt -CAcreateserial -CA arenadata_ca.crt -CAkey arenadata_ca.key -days 365
    $ openssl x509 -req -in adqm-host-2.csr -out adqm-host-2.crt -CAcreateserial -CA arenadata_ca.crt -CAkey arenadata_ca.key -days 365
    $ openssl x509 -req -in adqm-host-3.csr -out adqm-host-3.crt -CAcreateserial -CA arenadata_ca.crt -CAkey arenadata_ca.key -days 365
    $ openssl x509 -req -in adqm-host-4.csr -out adqm-host-4.crt -CAcreateserial -CA arenadata_ca.crt -CAkey arenadata_ca.key -days 365

  5. For each ADQM server, copy the CA certificate, as well as the key and certificate of the corresponding server. These files should be stored in the same path (/etc/clickhouse-server is recommended) and have the same names on every host of the cluster, because the paths and file names of the CA certificate, server key and server certificate are specified once in the cluster settings (see the Configure ADQM to enable SSL encryption section below).

    For example, copy files to the adqm-host-1.arenadata.local server as follows:

    • arenadata_ca.crt to /etc/clickhouse-server/ca.crt;

    • adqm-host-1.key to /etc/clickhouse-server/server.key;

    • adqm-host-1.crt to /etc/clickhouse-server/server.crt.
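The following script is an added example, not part of the ADQM documentation or the openssl commands above: it reproduces steps 1 to 4 for one node in a scratch directory and then checks that the resulting certificate really validates for both the FQDN and the IP a client connects to. It also shows a caveat a practitioner should know: openssl x509 -req does not copy extensions from the CSR, so the subjectAltName added with req -addext is dropped at signing time unless it is supplied again (here via -extfile). The function names, the keep_san switch and the private ca.cnf are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ADQM documentation: reproduce steps 1-4 for
# one node and verify that the certificate validates for the FQDN and the IP
# a client actually connects to. Caveat shown: "openssl x509 -req" does not
# copy CSR extensions, so a SAN added with "req -addext" is lost at signing
# unless it is supplied again (here through -extfile).
set -eu
CA_NAME="arenadata.local CA"   # same test CA name as the article

# make_ca DIR : root key and self-signed CA certificate; a private config with
# explicit CA extensions keeps the result independent of the system openssl.cnf
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' > "$1/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1/ca.cnf"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=$CA_NAME" \
    -config "$1/ca.cnf" -days 1095 -out "$1/ca.crt" 2>/dev/null
}

# make_csr DIR FQDN IP : server key plus a CSR carrying subjectAltName (step 3)
make_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_cert DIR FQDN IP OUT [keep_san] : sign the CSR with the CA (step 4).
# Without the 5th argument this is the article's command; with keep_san the
# SAN is restated via -extfile so that it survives into the certificate.
sign_cert() {
  ext=""
  if [ "${5:-}" = keep_san ]; then
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$2" "$3" > "$1/$2.ext"; ext="$1/$2.ext"
  fi
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 ${ext:+-extfile "$ext"} -out "$4" 2>/dev/null
}

# check_cert DIR CERT FQDN IP : succeeds only if CERT chains to the CA and
# matches both the host name and the IP (a CN-only certificate fails the IP check)
check_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$4" "$2" >/dev/null 2>&1
}

# Stand-alone run: adqm-host-1 signed both ways, in a scratch directory.
d=$(mktemp -d); h=adqm-host-1.arenadata.local; ip=10.92.17.146
make_ca "$d"; make_csr "$d" "$h" "$ip"
sign_cert "$d" "$h" "$ip" "$d/plain.crt"; sign_cert "$d" "$h" "$ip" "$d/san.crt" keep_san
check_cert "$d" "$d/plain.crt" "$h" "$ip" && echo "plain: ok" || echo "plain: SAN dropped, IP check fails"
check_cert "$d" "$d/san.crt" "$h" "$ip" && echo "san: ok" || echo "san: FAILED"
```

The same check_cert call can be run against the files copied to /etc/clickhouse-server on each node before restarting the service, which catches a certificate installed on the wrong host.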

Configure ADQM to enable SSL encryption

In the ADCM interface, open the configuration window for the ADQMDB service (ADQM cluster → Services → ADQMDB → Primary Configuration) and activate the Enable SSL option. In the expanded section, configure the following parameters:

  • Enable https — enables a port for connection to ADQM via the HTTPS protocol (enabled by default).

  • HTTPS port — port for connection via HTTPS (default is 8443).

  • Enable tcp secure — enables a port for SSL-encrypted connection (enabled by default).

  • TCP secure port — port for SSL-encrypted connection via the TCP protocol (default is 9440).

  • Disable protocols — protocols that are not allowed to be used (for example, sslv2, sslv3).

  • Certificate file — path to the server SSL certificate file in the PEM format.

  • Private key file — path to the file with the private key of the server SSL certificate.

  • Certificate authority file — path to the CA certificate file. If server certificates are self-signed, leave this field empty.

  • Client certificate verification mode — method of checking user SSL certificates that are signed by the CA certificate (the CA certificate file should be specified in the Certificate authority file field).

Configuration parameters to check SSL certificates of connections

To complete parameter configuration and apply all changes, click Save and execute Reconfig and restart for the ADQMDB service.

Test connection

To ensure that the connection to ADQM is secured with SSL encryption, connect to any server of the ADQM cluster via clickhouse-client with the --secure flag, specifying the TCP port for secure connections over SSL (9440). For example:

$ clickhouse-client --host adqm-host-1.arenadata.local --secure --port 9440 --user default

The output confirms the connection on the 9440 secure port:

ClickHouse client version 22.8.4.7.
Connecting to adqm-host-1.arenadata.local:9440 as user default.
Connected to ClickHouse server version 22.8.4 revision 54460.

Note that the Client certificate verification mode option should be disabled (set to none) as this test connection does not use the SSL certificate user authentication.
