1.) First check whether SSL is enabled. If "have_openssl" and "have_ssl" show DISABLED, we need to enable them:
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
2.) In my.cnf, add the option ssl under [mysqld] as follows and restart the server.
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
#### ssl configurations
ssl
3.) After restarting the server, check whether SSL is enabled:
mysql> SHOW variables LIKE '%ssl%';
+---------------+---------------------------+
| Variable_name | Value |
+---------------+---------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+---------------------------+
7 rows in set (0.00 sec)
4.) Prerequisite for creating the certificates.
To create the certificates we first need OpenSSL installed. Check whether it is installed by running:
openssl
OpenSSL>
5.) Creating the certificates.
shell> mkdir -p /etc/mysql/cert
shell> cd /etc/mysql/cert
Create the CA certificate (when prompted, give the CA a Common Name that differs from the ones you will use for the server and client certificates; otherwise MySQL will reject the connection):
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 9999 -key ca-key.pem > ca-cert.pem
Create server certificate:
shell> openssl req -newkey rsa:2048 -days 9999 -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 9999 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Create client certificate:
shell> openssl req -newkey rsa:2048 -days 9999 -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 9999 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Verify the server and client certificates against the CA:
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
The following certificates and keys have now been created:
ca-cert.pem
ca-key.pem
client-cert.pem
client-key.pem
client-req.pem
server-cert.pem
server-key.pem
server-req.pem
6.) Now add the certificate paths to my.cnf as follows. The paths must point to the directory where the files were created in step 5 (/etc/mysql/cert in this walkthrough); adjust the /etc/cert paths below accordingly:
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
#### ssl configurations
ssl
ssl-ca = /etc/cert/ca-cert.pem
ssl_capath = /etc/cert
ssl-cert = /etc/cert/server-cert.pem
ssl-key = /etc/cert/server-key.pem
[client]
port = 3306
socket = /var/lib/mysql/mysql.sock
ssl-ca = /etc/cert/ca-cert.pem
ssl-cert = /etc/cert/client-cert.pem
ssl-key = /etc/cert/client-key.pem
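As an added example (not part of the original post), a small Python audit of the [mysqld] and [client] sections above: it normalises the ssl-ca/ssl_ca spelling that MySQL accepts interchangeably, checks that both sections trust the same CA and use distinct certificates, and flags files that are not in the directory where step 5 created them (the post creates them in /etc/mysql/cert but configures /etc/cert). The sample config is the step-6 snippet embedded inline; cert_dir is an argument you supply.

```python
"""Audit a my.cnf for the TLS options this walkthrough turns on (added example)."""
import configparser
import os

# Constructed sample: the step-6 configuration from this post, ssl lines only.
SAMPLE_MY_CNF = """
[mysqld]
#### ssl configurations
ssl
ssl-ca = /etc/cert/ca-cert.pem
ssl_capath = /etc/cert
ssl-cert = /etc/cert/server-cert.pem
ssl-key = /etc/cert/server-key.pem
[client]
ssl-ca = /etc/cert/ca-cert.pem
ssl-cert = /etc/cert/client-cert.pem
ssl-key = /etc/cert/client-key.pem
"""

def _norm(name):
    # MySQL accepts 'ssl-ca' and 'ssl_ca' interchangeably; compare on one form.
    return name.strip().lower().replace("-", "_")

def parse_my_cnf(text):
    """Return {section: {option: value}}; bare options such as 'ssl' map to ''."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = _norm
    cp.read_string(text)
    return {s: {k: (v or "").strip() for k, v in cp[s].items()} for s in cp.sections()}

def audit_tls(cfg, cert_dir):
    """List misconfigurations; empty means the file matches the walkthrough's intent."""
    findings = []
    srv, cli = cfg.get("mysqld", {}), cfg.get("client", {})
    if "ssl" not in srv:
        findings.append("[mysqld] lacks 'ssl': have_ssl stays DISABLED")
    for opt in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not srv.get(opt):
            findings.append(f"[mysqld] missing {opt}: server cannot offer TLS")
    if cli.get("ssl_ca") and cli["ssl_ca"] != srv.get("ssl_ca"):
        findings.append("[client] trusts a different CA file than [mysqld]")
    if srv.get("ssl_cert") and srv["ssl_cert"] == cli.get("ssl_cert"):
        findings.append("[client] reuses the server certificate; issue a client cert")
    for sec, opts in (("mysqld", srv), ("client", cli)):
        for opt in ("ssl_ca", "ssl_cert", "ssl_key"):
            path = opts.get(opt)
            if path and os.path.dirname(path) != cert_dir:
                findings.append(f"[{sec}] {opt}={path} is outside {cert_dir}")
    return findings
```

Running audit_tls(parse_my_cnf(SAMPLE_MY_CNF), "/etc/mysql/cert") reports six path findings for the post's config, one per certificate file in each section; with "/etc/cert" it reports none.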
7.) Restart MySQL:
shell> /etc/init.d/mysql restart
Then check the variables again:
mysql> SHOW variables LIKE '%ssl%';
+---------------+---------------------------+
| Variable_name | Value |
+---------------+---------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/cert/ca-cert.pem |
| ssl_capath | /etc/cert |
| ssl_cert | /etc/cert/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/cert/server-key.pem |
+---------------+---------------------------+
7 rows in set (0.00 sec)
9.) Grant privileges to a user who is required to connect over SSL:
GRANT ALL ON *.* TO 'test123'@'localhost' IDENTIFIED BY 'test123' REQUIRE SSL;
10.) Suppose we want to connect from another server (system2).
Copy ca-cert.pem, client-cert.pem and client-key.pem to system2.
11.) On system2, run the following command:
mysql -u test123 -h system1 --ssl-ca=/etc/cert1/ca-cert.pem --ssl-cert=/etc/cert1/client-cert.pem --ssl-key=/etc/cert1/client-key.pem -p
mysql>
The SSL connection is now established.
To verify that the session is encrypted, run the following command and check the SSL line:
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.5.13, for Linux (x86_64) using readline 5.1
Connection id: 25
Current database:
Current user: root@localhost
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.5.13 MySQL Community Server (GPL)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 23 hours 50 min 36 sec
Threads: 2 Questions: 10559 Slow queries: 0 Opens: 1261 Flush tables: 1 Open tables: 42 Queries per second avg: 0.123
To set up replication over SSL, the commands are as follows:
mysql> GRANT REPLICATION SLAVE ON *.* TO "repl"@"10.%" IDENTIFIED BY 'XXXXXX' REQUIRE SSL;
mysql> FLUSH PRIVILEGES;
The CHANGE MASTER command on the slave is as follows:
CHANGE MASTER TO
MASTER_HOST=,
MASTER_USER='repl',
MASTER_PASSWORD='',
MASTER_LOG_FILE='',
MASTER_LOG_POS= ,
MASTER_SSL=1,
MASTER_SSL_CA = '/etc/mysql/cert/ca-cert.pem',
MASTER_SSL_CERT = '/etc/mysql/cert/client-cert.pem',
MASTER_SSL_KEY = '/etc/mysql/cert/client-key.pem';
For more details, see:
http://dev.mysql.com/doc/refman/5.5/en/secure-using-ssl.html