Configuring ClickHouse with OpenSSL

1. Check whether OpenSSL is installed on the server

openssl version -a

2. The configuration record is as follows:

# Add the OpenSSL request/extension configuration
cat >req.conf <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[ req_distinguished_name ]
C = CN
ST = GD
O = Bytebase
CN = root

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 10.80.21.50
EOF

# Generate the root CA
openssl genrsa -out ca.key 2048
openssl req -x509 -new -key ca.key -sha256 -days 36500 -out ca.pem -extensions 'v3_ca' -config req.conf

# Server certificate
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/ST=GD/O=Bytebase/CN=10.80.21.50"
# -extfile req.conf is required here: without it, x509 -req ignores -extensions
# (older releases silently, OpenSSL 3 with a warning) and the certificate is issued without a subjectAltName
openssl x509 -req -days 36500 -sha256 -extfile req.conf -extensions v3_req -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem

# Client certificate
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key -out client.csr -subj "/C=CN/ST=GD/O=Bytebase/CN=10.80.21.50"
openssl x509 -req -days 36500 -sha256 -extfile req.conf -extensions v3_req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr -out client.pem

# PKCS#12 and JKS keystores (the export password must match -srcstorepass below)
openssl pkcs12 -export -in client.pem -inkey client.key -name client -passout pass:123qwe -out client.p12
keytool -importkeystore -v -srckeystore client.p12 -srcstoretype pkcs12 -srcstorepass 123qwe -destkeystore client.keystore -deststoretype jks -deststorepass 123qwe

# Verify
keytool -list -v -keystore client.keystore

# Other generation operations
-------------------
openssl pkcs12 -export -in client1.crt -inkey client1.key -name client1 -passout pass:1q2w3e -out client1.p12
keytool -importkeystore -v -srckeystore client1.p12 -srcstoretype pkcs12 -srcstorepass 1q2w3e -destkeystore client1.keystore -deststoretype jks -deststorepass 1q2w3e
-------------------------
# Convert the private key to unencrypted PKCS#8 (written to stdout)
openssl pkcs8 -topk8 -inform PEM -in client.key -outform PEM -nocrypt

# Per-node CSRs with the SAN given on the command line (-addext needs OpenSSL 1.1.1+),
# signed by an existing CA; -copy_extensions copy (OpenSSL 3.0+) carries the SAN from the CSR into the certificate
openssl req -newkey rsa:2048 -nodes -subj "/CN=chnode1" -addext "subjectAltName = DNS:chnode1.marsnet.local,IP:172.17.3.68" -keyout chnode1.key -out chnode1.csr
openssl x509 -req -in chnode1.csr -out chnode1.crt -CA marsnet_ca.crt -CAkey marsnet_ca.key -days 365 -copy_extensions copy
openssl x509 -in chnode1.crt -text -noout
openssl verify -CAfile marsnet_ca.crt chnode1.crt
openssl req -newkey rsa:2048 -nodes -subj "/CN=chnode2" -addext "subjectAltName = DNS:chnode2.marsnet.local,IP:192.168.1.222" -keyout chnode2.key -out chnode2.csr
openssl req -newkey rsa:2048 -nodes -subj "/CN=chnode3" -addext "subjectAltName = DNS:chnode3.marsnet.local,IP:192.168.1.223" -keyout chnode3.key -out chnode3.csr

# Import the CA certificate into a Java truststore
keytool -importcert -alias ca -file ca.pem -keystore truststore -storepass 1q2w3e

# clickhouse-client configuration
cat >clickhouse-client-ssl.xml <<EOF
<config>
    <user>default</user>
    <password>unival_2024</password>
    <host>172.16.17.71</host>
    <secure>true</secure>
    <openSSL>
        <client>
            <caConfig>/etc/clickhouse-server/ca.pem</caConfig>
            <certificateFile>/etc/clickhouse-server/client.pem</certificateFile>
            <privateKey>/etc/clickhouse-server/client.key</privateKey>
        </client>
    </openSSL>
</config>
EOF

# JDBC connection string parameters (sslmode=NONE skips server certificate verification)
?ssl=true&sslmode=NONE
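The script below is an added example, not code from the original post. It rebuilds the post's CA and IP-SAN server certificate in a scratch directory and checks what should be confirmed before the files are copied into /etc/clickhouse-server: that the subjectAltName actually ended up in the signed certificate (openssl x509 -req ignores -extensions unless -extfile is also given) and that server.pem chains to ca.pem. It assumes the openssl CLI (1.1.1 or 3.x) is installed; the IP 10.80.21.50 and the subject fields are the post's own example values, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: openssl CLI 1.1.1 or 3.x,
# mktemp, grep. Everything is written to temporary directories.

# Write the same req.conf the post uses into $1.
write_req_conf() {
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[ req_distinguished_name ]
C = CN
ST = GD
O = Bytebase
CN = root

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 10.80.21.50
EOF
}

# Print the IP SAN entries of a PEM certificate, one per line (nothing if absent).
cert_ip_sans() {   # $1 = certificate path
    openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*'
}

# Build ca.pem/ca.key and server.pem/server.key inside directory $1.
# $2 = "yes" passes -extfile req.conf (correct); "no" omits it (the common mistake).
build_chain() {
    write_req_conf "$1/req.conf"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 365 \
        -out "$1/ca.pem" -extensions v3_ca -config "$1/req.conf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=CN/ST=GD/O=Bytebase/CN=10.80.21.50" -config "$1/req.conf"
    if [ "$2" = yes ]; then
        extopts="-extfile $1/req.conf -extensions v3_req"
    else
        extopts="-extensions v3_req"
    fi
    # $extopts is intentionally left unquoted so it splits into separate arguments
    openssl x509 -req -days 365 -sha256 $extopts -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -in "$1/server.csr" -out "$1/server.pem" 2>/dev/null
}

# Exit status 0 if server.pem in directory $1 verifies against ca.pem there.
chain_verifies() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run: show the difference the -extfile flag makes.
main() {
    good=$(mktemp -d); bad=$(mktemp -d)
    build_chain "$good" yes
    build_chain "$bad" no || true
    echo "with -extfile:    SAN=[$(cert_ip_sans "$good/server.pem")]"
    echo "without -extfile: SAN=[$(cert_ip_sans "$bad/server.pem")]"
    chain_verifies "$good" && echo "server.pem chains to ca.pem"
    rm -rf "$good" "$bad"
}

main "$@"
```

Running the script prints the SAN found in each certificate: the one signed with -extfile carries IP Address:10.80.21.50, the other carries none, which is exactly the state a ClickHouse client rejects when it verifies the server against the IP it connected to. The same two checks (cert_ip_sans and openssl verify) can be run against the client.pem produced by the post's commands.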

# Kernel TCP keepalive parameters for JDBC connections
# (net.inet.tcp.* are the BSD/macOS names, net.ipv4.* the Linux names)
net.inet.tcp.keepidle: 60000
net.inet.tcp.keepintvl: 45000
net.inet.tcp.keepinit: 45000
net.inet.tcp.keepcnt: 8
net.inet.tcp.always_keepalive: 1
net.ipv4.tcp_keepalive_intvl: 75
net.ipv4.tcp_keepalive_probes: 9
net.ipv4.tcp_keepalive_time: 60


# Parameters actually used: add them to /etc/sysctl.conf (vim /etc/sysctl.conf), then apply with: sudo sysctl -p

kernel.shmall = 3774873
kernel.shmmax= 15461882265
kernel.shmmni = 4096
kernel.sem = 250 32000 32 128
fs.file-max = 7672460
fs.aio-max-nr = 1048576
net.ipv4.ip_local_port_range = 9000 65000
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 4194304

net.ipv4.tcp_max_syn_backlog = 4096
net.core.netdev_max_backlog = 10000
net.ipv4.tcp_timestamps = 0
# tcp_tw_recycle was removed in Linux 4.12; on newer kernels sysctl -p reports an error for this line
net.ipv4.tcp_tw_recycle=1
# tcp_timestamps is set twice in this file; sysctl -p applies lines in order, so this later value (1) is the one in effect
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_keepalive_time = 72
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 7
vm.zone_reclaim_mode=0
vm.dirty_background_bytes = 40960000
vm.dirty_ratio = 80
vm.dirty_expire_centisecs = 6000
vm.dirty_writeback_centisecs = 50
vm.swappiness=1
vm.overcommit_memory = 2
vm.overcommit_ratio = 90

vm.max_map_count=262144
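The following is an added example, not part of the original post. It checks a sysctl.conf-style file before it is loaded with sysctl -p, catching the two problems visible in the list above: a key that appears more than once (only the last value takes effect, so the earlier line is misleading) and a key the running kernel does not have (sysctl -p prints an error for each). It assumes POSIX sh with awk, sort and uniq, and that /proc/sys is mounted for the kernel check; the sample file is constructed from a few of the post's lines, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, awk, sort, uniq, tr, mktemp.

# Print the sysctl key of every non-comment, non-blank line with whitespace
# stripped, accepting both "key = value" and "key=value" spellings.
sysctl_keys() {   # $1 = file
    awk -F= '/^[ \t]*(#|$)/ { next }
             { k = $1; gsub(/[ \t]/, "", k); print k }' "$1"
}

# Print each key that occurs more than once in the file, one per line.
sysctl_duplicate_keys() {   # $1 = file
    sysctl_keys "$1" | sort | uniq -d
}

# Print each key that has no /proc/sys entry on this kernel (sysctl -p would fail on it).
sysctl_unknown_keys() {   # $1 = file
    sysctl_keys "$1" | while read -r k; do
        [ -e "/proc/sys/$(echo "$k" | tr . /)" ] || echo "$k"
    done
}

# Stand-alone run over a constructed sample taken from the post's sysctl list.
main() {
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
# constructed sample (subset of the post's /etc/sysctl.conf)
kernel.shmmax= 15461882265
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_keepalive_time = 72
vm.swappiness=1
EOF
    echo "duplicate keys: $(sysctl_duplicate_keys "$sample" | tr '\n' ' ')"
    echo "unknown keys on this kernel: $(sysctl_unknown_keys "$sample" | tr '\n' ' ')"
    rm -f "$sample"
}

main "$@"
```

On a kernel newer than 4.12 the run reports net.ipv4.tcp_timestamps as duplicated and net.ipv4.tcp_tw_recycle as unknown; fixing both before sysctl -p avoids a partially applied file.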



# Reference:
# https://clickhouse.com/docs/en/integrations/java/jdbc-driver


3. Restart:

systemctl restart clickhouse-server

Check the status:

ps -ef|grep clickhouse


References:

https://clickhouse.ac.cn/docs/en/guides/sre/ssl-user-auth

https://bbs.huaweicloud.com/blogs/387798

https://blog.csdn.net/sunny05296/article/details/143520051

https://clickhouse.ac.cn/docs/en/guides/sre/configuring-ssl

https://clickhouse.com/docs/en/integrations/dbeaver
