Skip to main content
The terms SSL and TLS are often used interchangeably to mean a secure encrypted connection using a TLS protocol. SSL protocols are the precursors to TLS protocols, and the term SSL is still used for encrypted connections even though SSL protocols are no longer supported. SSL is used interchangeably with TLS in RisingWave.

Configure SSL in RisingWave

When running a RisingWave serving node, set the environment variables RW_SSL_CERT and RW_SSL_KEY to specify the paths of the server-side SSL certificate (typically server.crt) and private key (typically server.key).

Enforce SSL connections

Added in v2.7.0
By default, RW_SSL_ENFORCE is false, allowing both SSL and non-SSL connections when SSL is configured. To require all clients to connect using SSL, set the RW_SSL_ENFORCE environment variable to true. When SSL enforcement is enabled, the server will reject any connection attempts that do not use SSL with error message.

Connect to RisingWave using SSL

To connect to RisingWave using SSL, clients can use the psql command with the following parameters: 
psql -p 4566 -d dev -h localhost -U root --set=sslmode=verify-full
If the connection is successful, you will see information similar to the following: 
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)

Optional: Create a self-signed certificate for testing purposes

While a self-signed certificate is suitable for testing, it is recommended to obtain a certificate from a Certificate Authority (CA) for production environments.
To create a simple self-signed certificate for the server, valid for 365 days, for testing purposes, use the OpenSSL command below. Replace localhost with the desired Common Name (CN). 
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
After running the command, you will get two files, localhost.crt and localhost.key. You can then set the paths of these files as the values for RW_SSL_CERT and RW_SSL_KEY respectively.