Secure Connect Bundle
This page explains how to use the Secure Connect Bundle (SCB) for Astra DB Classic. If you want to use the SCB with Astra DB Serverless, see the Astra DB Serverless documentation. |
The Secure Connect Bundle (SCB) is a zip file containing security credentials and certificates required for secure mutual TLS (mTLS) connection to your Astra DB database. The SCB establishes a secure external connection. Within Astra DB, the protocol SNI over TCP is used to contact each node independently.
Often, you use application tokens to establish a secure connection to your Astra DB databases. The SCB is a required or alternative connection method for certain components and integrations, including the following:
-
Integrations that use drivers or CQL to connect to your database.
Download the Secure Connect Bundle
For security purposes, the SCB download link expires after five minutes. Once the download link expires, you must generate a new download link. Once downloaded, the SCB never expires. |
You can download an SCB in the Astra Portal or with the DevOps API.
-
Astra Portal
-
DevOps API
-
Astra CLI
To download an SCB for a Astra DB Classic database, do the following:
-
In the Astra Portal navigation menu, select your database.
-
Click Connect.
-
In the Database Essentials section, click Get Bundle.
-
In the Secure Connect Bundle Download dialog, select the region for which to download the bundle.
Multi-region databases have a different SCB for each region.
If you enabled VPC peering, you can also Download External Secure Connect Bundle for use within your VPC peering. VPC peering is only available on Astra DB Classic databases.
-
Click Download Secure Bundle, and then save the SCB as an archive (zip file).
You can use the DevOps API to get a temporary URL to download the SCB for a specific database.
-
Send a
POST
request to the DevOps API secure bundle URL endpoint:curl -sS -L -X POST "https://api.astra.datastax.com/v2/databases/DATABASE_ID/secureBundleURL?all=true" \ --header "Authorization: Bearer APPLICATION_TOKEN" \ --header "Accept: application/json"
Replace the following:
-
DATABASE_ID
: Your database ID -
APPLICATION_TOKEN
: An application token with the Organization Administrator role.For multi-region databases and organizations with multiple custom domains, include
all=true
to get SCB download links for all regions and domains. This parameter is optional for single-region databases.
-
-
Use the download link in the response to download the SCB zip file.
You can use the Astra CLI to download a database’s SCB:
astra db download-scb DB_NAME
For multi-region databases, this command downloads the SCB for the database’s primary region.
To download the SCB for a specific region, use the -r REGION_NAME
option.
By default, the SCB zip files are downloaded to the directory where you run the command.
To download the files to a different directory, include the -d DIRECTORY_PATH
option.
For more information, run astra help db download-scb
or see the Astra CLI documentation.
Use the Secure Connect Bundle
When you use an SCB to connect your apps and integrations to your database, you provide the entire SCB zip file.
Don’t extract the SCB archive unless you require a specific file or value from within the SCB for a particular integration or configuration.
Secure Connect Bundle contents
The SCB is a zip file named secure-connect-DATABASE_NAME.zip
.
For multi-region databases, each SCB file name also includes the region name.
A SCB contains the following files:
-
ca.crt
: DataStax’s Certificate Authority public certificate. -
cert
: A certificate, unique to the specific SCB. -
key
: A private key, unique to the specific SCB. Astra DB uses the key pair in the SCB to identify trusted clients through mutual TLS (mTLS) authentication. -
cert.pfx
: A PFX formatted archive containing the certificate and the private key. -
config.json
: A configuration file with information for securely connecting to the Astra DB instance associated with the SCB. -
cqlshrc
: A CQLSH profile containing CQL shell session settings. -
identity.jks
: A Java keystore file containing thecert
andkey
files. -
trustStore.jks
: A Java keystore file containing theca.crt
.
Secure Connect Bundle best practices
Treat the SCB the same way you would any other sensitive values, such as passwords or tokens. The SCB contains sensitive information that establishes a connection to your database, including key pairs and certificates. |
Be mindful of the following best practices and warnings:
-
Be careful when sharing connection details. SCB credentials grant access to your Astra DB database with ownership capabilities, such as modifying or deleting the database.
-
Always treat the SCB as a secret. For security purposes, practice responsible and secure credential management.
-
SCBs never expires after you download them. Make sure to clean up any downloaded SCBs when you no longer need them.