ClickHouse/docs/en/operations/ssl-zookeeper.md

---
slug: /en/operations/ssl-zookeeper
sidebar_position: 45
sidebar_label: Secured Communication with Zookeeper
---

# Optional secured communication between ClickHouse and Zookeeper
import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_automated.md';

<SelfManaged />

You should specify `ssl.keyStore.location`, `ssl.keyStore.password` and `ssl.trustStore.location`, `ssl.trustStore.password` for communication with ClickHouse client over SSL. These options are available from Zookeeper version 3.5.2.

You can add `zookeeper.crt` to trusted certificates.

``` bash
sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt
sudo update-ca-certificates
```

Client section in `config.xml` will look like:

``` xml
<client>
    <certificateFile>/etc/clickhouse-server/client.crt</certificateFile>
    <privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>
    <loadDefaultCAFile>true</loadDefaultCAFile>
    <cacheSessions>true</cacheSessions>
    <disableProtocols>sslv2,sslv3</disableProtocols>
    <preferServerCiphers>true</preferServerCiphers>
    <invalidCertificateHandler>
        <name>RejectCertificateHandler</name>
    </invalidCertificateHandler>
</client>
```

Add Zookeeper to ClickHouse config with some cluster and macros:

``` xml
<clickhouse>
    <zookeeper>
        <node>
            <host>localhost</host>
            <port>2281</port>
            <secure>1</secure>
        </node>
    </zookeeper>
</clickhouse>
```

Start `clickhouse-server`. In logs you should see:

```text
<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281
```

Prefix `secure://` indicates that connection is secured by SSL.

To ensure traffic is encrypted run `tcpdump` on secured port:

```bash
tcpdump -i any dst port 2281 -nnXS
```

And query in `clickhouse-client`:

```sql
SELECT * FROM system.zookeeper WHERE path = '/';
```

On unencrypted connection you will see in `tcpdump` output something like this:

```text
..../zookeeper/quota.
```

On encrypted connection you should not see this.
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`---`
add slugs 2022-08-28 14:53:34 +00:00			`slug: /en/operations/ssl-zookeeper`
Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			`sidebar_position: 45`
			`sidebar_label: Secured Communication with Zookeeper`
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`---`

Remove H1 anchor tags from docs 2022-06-02 10:55:18 +00:00			`# Optional secured communication between ClickHouse and Zookeeper`
Go live with doc updates (#42053) * QIP to add overview page * wip * New Tutorial and Datasets landing page * give an example for Cloud * Update UK Price Paid for Cloud * Update nyc-taxi.md * add option for Cloud Load Data button * Removed the Import Raw Data section * Update nyc-taxi.md * update user management and replication docs * mark self managed * set doc ordering * add redirects setting * Simple fixes to index.md Co-authored-by: rfraposa <richraposa@gmail.com> 2022-10-04 11:36:59 +00:00			`import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_automated.md';`

			`<SelfManaged />`
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00
Update ssl-zookeeper.md 2021-10-25 07:11:48 +00:00			You should specify `ssl.keyStore.location`, `ssl.keyStore.password` and `ssl.trustStore.location`, `ssl.trustStore.password` for communication with ClickHouse client over SSL. These options are available from Zookeeper version 3.5.2.
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00
Update ssl-zookeeper.md 2021-10-25 07:11:48 +00:00			You can add `zookeeper.crt` to trusted certificates.
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00
Small fixes 2021-08-18 17:31:27 +00:00			``` bash
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`sudo cp zookeeper.crt /usr/local/share/ca-certificates/zookeeper.crt`
			`sudo update-ca-certificates`
			```

			Client section in `config.xml` will look like:

Small fixes 2021-08-18 17:31:27 +00:00			``` xml
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`<client>`
			`<certificateFile>/etc/clickhouse-server/client.crt</certificateFile>`
			`<privateKeyFile>/etc/clickhouse-server/client.key</privateKeyFile>`
			`<loadDefaultCAFile>true</loadDefaultCAFile>`
			`<cacheSessions>true</cacheSessions>`
			`<disableProtocols>sslv2,sslv3</disableProtocols>`
			`<preferServerCiphers>true</preferServerCiphers>`
			`<invalidCertificateHandler>`
			`<name>RejectCertificateHandler</name>`
			`</invalidCertificateHandler>`
			`</client>`
Small fixes 2021-08-18 17:31:27 +00:00			```
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00
			`Add Zookeeper to ClickHouse config with some cluster and macros:`

Small fixes 2021-08-18 17:31:27 +00:00			``` xml
Update references in docs 2022-03-12 06:24:31 +00:00			`<clickhouse>`
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`<zookeeper>`
			`<node>`
			`<host>localhost</host>`
			`<port>2281</port>`
			`<secure>1</secure>`
			`</node>`
			`</zookeeper>`
Update references in docs 2022-03-12 06:24:31 +00:00			`</clickhouse>`
Small fixes 2021-08-18 17:31:27 +00:00			```
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00
			Start `clickhouse-server`. In logs you should see:

			```text
			`<Trace> ZooKeeper: initialized, hosts: secure://localhost:2281`
			```

			Prefix `secure://` indicates that connection is secured by SSL.

			To ensure traffic is encrypted run `tcpdump` on secured port:

Small fixes 2021-08-18 17:31:27 +00:00			```bash
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			`tcpdump -i any dst port 2281 -nnXS`
			```

			And query in `clickhouse-client`:

			```sql
			`SELECT * FROM system.zookeeper WHERE path = '/';`
			```

			On unencrypted connection you will see in `tcpdump` output something like this:

			```text
Removed /ja folder, cleaned up /ru markdown 2022-04-09 13:29:05 +00:00			`..../zookeeper/quota.`
Added the description of secured communication with Zookeeper 2021-08-18 15:16:37 +00:00			```

Update ssl-zookeeper.md 2021-10-25 07:11:48 +00:00			`On encrypted connection you should not see this.`