
Configuring Transport Encryption for OceanBase (OBServer and ODP)

This guide explains how to prepare the environment, enable SSL transport encryption for OceanBase OBServer and ODP via OBProxy, configure certificates and whitelist settings, and verify the encryption using MySQL and RPC ports, while highlighting common pitfalls and reference links.

Aikesheng Open Source Community

Building on previous articles about identity verification and user management, this tutorial demonstrates how to configure transport encryption for OceanBase, covering both OBServer and ODP (via OBProxy) setups.

1 Environment Preparation

OceanBase 4.1 enterprise cluster (3 nodes) with OBProxy.

Generate and configure CA, server, and client certificates.

Both community and enterprise editions of OceanBase are supported.

2 OBServer Transport Encryption

2.1 Enable Encryption

Encryption is enabled by setting the following system parameters.

Log in as root to the SYS tenant.

Specify the method for obtaining private key, certificate, and CA certificate

alter system set ssl_external_kms_info = '{"ssl_mode":"file"}';

Configure MySQL port SSL communication

alter system set ssl_client_authentication = 'TRUE';
# Once set to TRUE, SSL on the MySQL port takes effect immediately.

Configure RPC SSL whitelist

Because the connections between OBServers are long-lived TCP links, the RPC SSL settings only take effect after OBServer is restarted.

# RPC SSL whitelist configuration
# Enable for the whole cluster
alter system set _ob_ssl_invited_nodes='ALL';
# Enable SSL for specific IPs
alter system set _ob_ssl_invited_nodes='135.xxx.xx.xx, 128.xxx.xx.xx';

2.2 Verify Encryption

MySQL port (2881)

Connect with the MySQL client on port 2881 and run the \s command: the SSL line shows the cipher in use when encryption is active (or "Not in use" when it is not). Capture packets on the port to confirm the payload is encrypted.

RPC port (2882)

Search the RPC connection logs for use_ssl and confirm it is True; capture packets on port 2882 to confirm the traffic is encrypted.
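The checks in sections 2.1 and 2.2 are easy to script. The following is an added example (not code from the original article or from OceanBase): it reads the MySQL client's \s output, decides whether a node is covered by the _ob_ssl_invited_nodes value, and scans RPC log lines for use_ssl. The \s output is the real MySQL client format; the log line layout is a constructed assumption, only the use_ssl token comes from the article.

```python
import re
from typing import Dict

# Constructed sample of the MySQL client's `\s` (status) output against the
# OBServer MySQL port; the "SSL:" line is what the check inspects.  The
# MySQL client prints either "Cipher in use is <name>" or "Not in use".
STATUS_OUTPUT_ENCRYPTED = """\
Connection id:          3221225472
Current user:           root@10.0.0.1
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Server version:         (constructed)
TCP port:               2881
"""

STATUS_OUTPUT_PLAIN = """\
Connection id:          3221225473
SSL:                    Not in use
TCP port:               2881
"""

# Constructed OBServer log lines.  Only the `use_ssl` token comes from the
# article; the surrounding layout is an assumption, not the real log format.
SAMPLE_RPC_LOG = """\
[2024-05-01 10:00:00.000001] INFO  [RPC] (rpc_net_handler.cpp:100) connection established peer=10.0.0.2:2882 use_ssl=True
[2024-05-01 10:00:00.000002] INFO  [RPC] (rpc_net_handler.cpp:100) connection established peer=10.0.0.3:2882 use_ssl=False
[2024-05-01 10:00:00.000003] INFO  [STORAGE] unrelated line with no ssl info
"""


def mysql_ssl_cipher(status_output: str):
    """Return the cipher name from the `\\s` output, or None if SSL is not in use."""
    for line in status_output.splitlines():
        if line.startswith("SSL:"):
            match = re.search(r"Cipher in use is\s+(\S+)", line)
            return match.group(1) if match else None
    return None


def node_is_invited(invited_nodes: str, node_ip: str) -> bool:
    """Decide whether an OBServer IP is covered by _ob_ssl_invited_nodes.

    The value is either 'ALL' or a comma-separated IP list; the article's
    example has a space after the comma, so entries are stripped.  An empty
    value invites nobody.
    """
    value = invited_nodes.strip()
    if value.upper() == "ALL":
        return True
    entries = {e.strip() for e in value.split(",") if e.strip()}
    return node_ip in entries


def rpc_ssl_status(log_text: str) -> Dict[str, bool]:
    """Map each peer seen in the RPC log to whether use_ssl was True."""
    pattern = re.compile(r"peer=(\S+).*?use_ssl=(True|False)")
    status: Dict[str, bool] = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            status[match.group(1)] = match.group(2) == "True"
    return status


if __name__ == "__main__":
    print("MySQL port cipher:", mysql_ssl_cipher(STATUS_OUTPUT_ENCRYPTED))
    print("MySQL port cipher (plain):", mysql_ssl_cipher(STATUS_OUTPUT_PLAIN))
    for peer, ssl_on in rpc_ssl_status(SAMPLE_RPC_LOG).items():
        print(f"RPC peer {peer}: use_ssl={ssl_on}")
```

A peer that is in the whitelist but still logs use_ssl=False is the case to look for after changing _ob_ssl_invited_nodes: it usually means that OBServer has not been restarted yet, since the long-lived RPC links keep their old settings.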

3 ODP Transport Encryption

When using OBProxy, the client first establishes an encrypted connection with OBProxy, which then connects securely to OBServer. Therefore, enabling SSL on the server side is a prerequisite.

3.1 Enable Encryption

Log in to OBProxy with the root@proxysys account.

Set the CA certificate, public key, and private key in proxyconfig.security_config:

UPDATE proxyconfig.security_config SET CONFIG_VAL='{"sourceType":"FILE","CA":"certs/ca.pem","publicKey":"certs/client-cert.pem","privateKey":"certs/client-key.pem"}' WHERE APP_NAME='obproxy' and VERSION='1';
Note: The public and private keys configured here are the client-side certificate and key, not the server ones, because OBProxy acts as a client to the OceanBase server.

Enable SSL between the client and OBProxy:

alter proxyconfig set enable_client_ssl=true;

Enable SSL between OBProxy and OBServer:

alter proxyconfig set enable_server_ssl=true;

Log in as the tenant administrator and set the SSL common-name whitelist:

alter system set ob_ssl_invited_common_names="obclient";
# This tenant-level parameter takes effect immediately without a restart.
Note: The value of ob_ssl_invited_common_names must match the CN (common name) field of the client certificate.
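The CN mismatch called out in the note above is the most common reason the OBProxy to OBServer hop fails to come up. The following added example (not from the article or from the OceanBase project) builds the security_config JSON value shown in this section and checks the client certificate's CN against ob_ssl_invited_common_names. The subject line format is the one printed by `openssl x509 -noout -subject` (with or without `-nameopt RFC2253`); treating the whitelist value as a possible comma-separated list is this example's assumption, since the article sets a single name.

```python
import json
import subprocess
from typing import Optional

# Certificate paths from the article's security_config example (relative to
# the OBProxy working directory).
CA_FILE = "certs/ca.pem"
CLIENT_CERT_FILE = "certs/client-cert.pem"
CLIENT_KEY_FILE = "certs/client-key.pem"


def security_config_value(ca: str, public_key: str, private_key: str) -> str:
    """Build the CONFIG_VAL JSON for proxyconfig.security_config.

    publicKey/privateKey are the *client* certificate pair: OBProxy presents
    them to OBServer, so the server certificate does not belong here.
    """
    cfg = {"sourceType": "FILE", "CA": ca, "publicKey": public_key, "privateKey": private_key}
    return json.dumps(cfg, separators=(",", ":"))


def cn_from_subject(subject_line: str) -> Optional[str]:
    """Extract the CN from a line like 'subject=CN=obclient,O=Example'.

    Handles both the RFC2253 form and openssl's default 'CN = obclient, O = ...'
    spacing.  Escaped commas inside attribute values are not handled.
    """
    _, _, dn = subject_line.strip().partition("=")  # drop the leading 'subject'
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def cert_subject(cert_path: str) -> str:
    """Read the subject of a PEM certificate with the openssl CLI (needs openssl installed)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def cn_is_invited(cert_cn: Optional[str], invited_common_names: str) -> bool:
    """Compare the client certificate CN with ob_ssl_invited_common_names.

    A single name (as in the article) reduces to an exact match; a
    comma-separated value is accepted as an assumption of this example.
    """
    if cert_cn is None:
        return False
    invited = {n.strip() for n in invited_common_names.split(",") if n.strip()}
    return cert_cn in invited


if __name__ == "__main__":
    print(security_config_value(CA_FILE, CLIENT_CERT_FILE, CLIENT_KEY_FILE))
    cn = cn_from_subject(cert_subject(CLIENT_CERT_FILE))
    print("client CN =", cn, "invited:", cn_is_invited(cn, "obclient"))
```

Run it from the OBProxy working directory so the relative certs/ paths resolve; if `cn_is_invited` returns False, either reissue the client certificate with the expected CN or change ob_ssl_invited_common_names to the CN the certificate actually carries.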

3.2 Verify Encryption

Client ↔ OBProxy connection

OBProxy ↔ OBServer connection

4 Summary

The configuration and verification process involves several pitfalls; thorough reading of the official documentation is recommended.

References

[1] OBServer Transport Encryption: https://www.oceanbase.com/docs/enterprise-oceanbase-database-cn-10000000000881589

[2] ODP Transport Encryption: https://www.oceanbase.com/docs/common-oceanbase-database-cn-10000000001692887

Written by

Aikesheng Open Source Community

The Aikesheng Open Source Community provides stable, enterprise-grade MySQL open-source tools and services, releases a premium open-source component each year (1024), and continuously operates and maintains them.
