Learn how to secure your MaxCtrl connections using TLS. This guide details the necessary MaxScale configuration parameters and command-line flags to enable encrypted administrative sessions.
_MaxCtrl is a command-line utility that can perform administrative tasks using MaxScale's REST API. It is possible to connect to MaxScale using TLS with MaxCtrl.
or , depending on what kind of user you need:
Replace maxscale\_rest\_admin and maxscale\_rest\_admin\_password with the desired user and password.
If you want to use MaxCtrl remotely, . Several global parameters must be configured in maxscale.cnf.
For example:
Several global parameters must be configured in maxscale.cnf.
For example:
Ensure that the client also has a TLS certificate, a private key, and the CA certificate.
Use to connect with TLS:
Replace maxscale_rest_admin and maxscale_rest_admin_password with the actual user and password.
This page is: Copyright © 2025 MariaDB. All rights reserved.
This parameter defines the network address that the REST API listens on. The default value is 127.0.0.1.
This parameter defines the network port that the REST API listens on. The default value is 8989.
* This parameter defines the private key used by the REST API.
* This parameter defines the certificate used by the REST API.
*This parameter defines the CA certificate that signed the REST API's certificate.
$ maxctrl create user "maxscale_rest_admin" "maxscale_rest_admin_password" --type=admin[maxscale]
...
admin_host = 0.0.0.0
admin_port = 8443[maxscale]
...
admin_ssl_key=/certs/server-key.pem
admin_ssl_cert=/certs/server-cert.pem
admin_ssl_ca_cert=/certs/ca-cert.pem$ maxctrl --secure
--user=maxscale_rest_admin
--password=maxscale_rest_admin_password
--hosts=192.0.2.100:8443
--tls-key=/certs/client-key.pem
--tls-cert=/certs/client-cert.pem
--tls-ca-cert=/certs/ca.pem