MySQL configuration SSL Master-Slave replication

2025-03-29 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

Creating SSL files for MySQL 5.6

Official document: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-command-line

Create clean environment

mkdir /home/mysql/mysqlcerts && cd /home/mysql/mysqlcerts

Create CA certificate

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

Create server certificate, remove passphrase, and sign it

server-cert.pem = public key, server-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Create client certificate, remove passphrase, and sign it

client-cert.pem = public key, client-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK

client-cert.pem: OK

Creating SSL files for MySQL 5.7

Official document: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html

mkdir -p /home/mysql/mysqlcerts

/usr/local/mysql-5.7.21-linux-glibc2.12-x86_64/bin/mysql_ssl_rsa_setup --datadir=/home/mysql/mysqlcerts/

Configure the master after creating the SSL files

On the slave (192.168.1.222)

mkdir -p /home/mysql/mysqlcerts

On the master

chown -R mysql:mysql /home/mysql/mysqlcerts/

scp ca.pem client-cert.pem client-key.pem root@192.168.1.222:/home/mysql/mysqlcerts/

Grant the replication account on the master

GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.1.222' IDENTIFIED BY '' REQUIRE SSL;

Master my.cnf

# SSL

ssl-ca=/home/mysql/mysqlcerts/ca.pem

ssl-cert=/home/mysql/mysqlcerts/server-cert.pem

ssl-key=/home/mysql/mysqlcerts/server-key.pem

Restart mysql

On the slave

chown -R mysql:mysql /home/mysql/mysqlcerts/

my.cnf

ssl-ca=/home/mysql/mysqlcerts/ca.pem

ssl-cert=/home/mysql/mysqlcerts/client-cert.pem

ssl-key=/home/mysql/mysqlcerts/client-key.pem

Create the replication channel:

CHANGE MASTER TO master_host='', master_user='', master_password='', master_log_file='mysql-bin.000001', master_log_pos=154, master_ssl=1, master_ssl_ca='/home/mysql/mysqlcerts/ca.pem', master_ssl_cert='/home/mysql/mysqlcerts/client-cert.pem', master_ssl_key='/home/mysql/mysqlcerts/client-key.pem', MASTER_CONNECT_RETRY=10;

Verify:

After the master is configured with SSL, the mysql client connects over SSL by default:

mysql -utest -h192.168.1.223 -ptest -P3307

(the account can log in whether or not it is configured with REQUIRE SSL)

To connect without SSL:

mysql -utest -h192.168.1.223 -ptest -P3307 --ssl-mode=DISABLED

(if the account is configured with REQUIRE SSL, the login is refused)
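The client login test above exercises the test account, not the replication channel. To check on the slave that the channel picked up the SSL options from CHANGE MASTER TO, the script below audits SHOW SLAVE STATUS\G output. It is an added example, not part of the original article; the sample output is constructed, the Master_Host value is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): audit SHOW SLAVE STATUS\G
# output for the SSL options set by CHANGE MASTER TO.

# Constructed sample, trimmed to the relevant fields; Master_Host is assumed.
# On a real slave: mysql -e 'SHOW SLAVE STATUS\G' | audit_repl_ssl
sample_status() {
cat <<'EOF'
*************************** 1. row ***************************
                  Master_Host: 192.168.1.223
                  Master_User: repl
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /home/mysql/mysqlcerts/ca.pem
              Master_SSL_Cert: /home/mysql/mysqlcerts/client-cert.pem
               Master_SSL_Key: /home/mysql/mysqlcerts/client-key.pem
Master_SSL_Verify_Server_Cert: No
EOF
}

# Print the value of field $1 from \G-formatted output on stdin.
field() {
  awk -v k="$1" '{
    i = index($0, ": "); if (!i) next
    name = substr($0, 1, i - 1); sub(/^[ \t]+/, "", name)
    if (name == k) { print substr($0, i + 2); exit }
  }'
}

# Read \G output on stdin; return 0 only if the I/O thread is running and the
# channel is configured for SSL with a CA file. Findings go to stdout.
audit_repl_ssl() {
  st=$(cat); rc=0
  get() { printf '%s\n' "$st" | field "$1"; }
  [ "$(get Slave_IO_Running)" = "Yes" ] || { echo "FAIL: I/O thread is not running"; rc=1; }
  [ "$(get Master_SSL_Allowed)" = "Yes" ] || { echo "FAIL: master_ssl is not enabled"; rc=1; }
  [ -n "$(get Master_SSL_CA_File)" ] || { echo "FAIL: no master_ssl_ca configured"; rc=1; }
  # Without this option the slave does not check the master's host name
  # against the certificate it presents.
  [ "$(get Master_SSL_Verify_Server_Cert)" = "Yes" ] ||
    echo "WARN: MASTER_SSL_VERIFY_SERVER_CERT is off"
  return $rc
}

sample_status | audit_repl_ssl
```

Because the repl account was granted with REQUIRE SSL, a running I/O thread together with Master_SSL_Allowed: Yes indicates the slave authenticated over an encrypted connection.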
