SSL Enabled CockroachDB Scala Client with Slick

Functional Ops

(λx.x)eranga
Effectz.AI
Jun 26, 2022

Background

In my previous post I discussed creating a CockroachDB Scala client application with the Slick library. That client uses password-based authentication. In this post I discuss creating a CockroachDB Scala client with SSL support, where the client authenticates with SSL keys. All the source code related to this post is available in gitlab. Please clone the repo and follow along with the post.

SSL Setup

I have deployed an SSL-enabled CockroachDB cluster with Docker. I have discussed the cluster setup and SSL configuration in detail in an earlier post. To interact with the SSL-enabled cluster I need to generate an SSL certificate and key for the client. The client key should be in PKCS#8 format, since the JDBC driver authenticates clients with PKCS#8 format keys. The following is the way to generate a PKCS#8 format SSL key for the client. When generating the client certificate I have specified the flag `--also-generate-pkcs8-key` to create a key in PKCS#8 format. This command creates the client certificate (`client.root.crt`), the PEM format client key (`client.root.key`) and the PKCS#8 format client key (`client.root.key.pk8`).

Database Config with SSL

The following are the CockroachDB related configs. These configurations are defined in the `storage.conf` file and loaded into the `StorageConfSSL` trait. `StorageConfSSL` loads the SSL certificate and key paths from the resources directory and creates an SSL-enabled JDBC URL. The other thing to notice here is the flag `sslmode=verify-full`. With this flag, the server host name is verified to make sure it matches the name stored in the server certificate. The Slick data source is created with `HikariDataSource` from the HikariCP connection pooling library.

Now this `StorageConfSSL` trait can be used to handle the database functions with the Scala Slick library. Read more about querying and executing other database functions on CockroachDB with the Scala Slick library in my previous blog post.
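
The configuration described above can be sketched as follows. This is an added example, not the code from the post's repository: the object name `SslStorage`, the host, port, database name, `certs` directory and the CA file name `ca.crt` are assumptions, and the key check assumes a DER-encoded RSA key.

```scala
import java.net.URLEncoder
import java.nio.file.{Files, Path, Paths}
import java.security.KeyFactory
import java.security.spec.PKCS8EncodedKeySpec
import com.zaxxer.hikari.HikariDataSource
import slick.jdbc.PostgresProfile.api._
import scala.concurrent.Await
import scala.concurrent.duration._

// Added example: a hypothetical stand-in for the StorageConfSSL trait.
object SslStorage {
  // Assumed values; in the post these come from storage.conf.
  val host = "localhost"
  val port = 26257
  val database = "defaultdb"
  val certsDir: Path = Paths.get("certs")

  // Resolve a file in certsDir and fail early if it cannot be read.
  private def cert(name: String): Path = {
    val p = certsDir.resolve(name).toAbsolutePath
    require(Files.isReadable(p), s"missing or unreadable: $p")
    p
  }

  // Fail before connecting if the key is not PKCS#8 (assumes DER-encoded RSA).
  private def requirePkcs8(key: Path): Path = {
    KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(key)))
    key
  }

  private def enc(p: Path): String = URLEncoder.encode(p.toString, "UTF-8")

  // verify-full checks the CA chain and that `host` matches the server certificate.
  def jdbcUrl: String =
    s"jdbc:postgresql://$host:$port/$database?ssl=true&sslmode=verify-full" +
      s"&sslrootcert=${enc(cert("ca.crt"))}" +
      s"&sslcert=${enc(cert("client.root.crt"))}" +
      s"&sslkey=${enc(requirePkcs8(cert("client.root.key.pk8")))}"

  lazy val db: Database = {
    val ds = new HikariDataSource()
    ds.setJdbcUrl(jdbcUrl)
    ds.setUsername("root") // must match the user name in client.root.crt
    ds.setMaximumPoolSize(20)
    Database.forDataSource(ds, Some(20))
  }

  def main(args: Array[String]): Unit =
    try println(Await.result(db.run(sql"select 1".as[Int].head), 10.seconds))
    finally db.close()
}
```

Pointing `sslkey` at the PEM file `client.root.key` instead of `client.root.key.pk8` makes `requirePkcs8` throw before any connection is attempted, which surfaces the key format problem at startup rather than as a driver error on first query.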

Reference

  1. https://forum.cockroachlabs.com/t/connecting-to-an-ssl-secure-server-using-jdbc-java-and-client-certificate-authentication/400
  2. https://medium.com/rahasak/deploy-ssl-enabled-cockroachdb-cluster-on-docker-cc2e41108a6b
  3. https://medium.com/rahasak/cockroachdb-scala-client-with-slick-12361f01afe9
  4. https://www.cockroachlabs.com/docs/stable/build-a-java-app-with-cockroachdb.html
  5. https://jdbc.postgresql.org/documentation/head/ssl-client.html
  6. https://www.alibabacloud.com/blog/how-to-set-up-libpq-failover-and-load-balancing-for-jdbc-driver-layer_597797
