
Master-slave replication for SSL encryption

2025-02-28 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >


Shulou(Shulou.com)06/01 Report--

Experimental environment

CentOS 7.6 minimal installation

Firewall and SELinux turned off

First, set up the CA and generate the certificates

1. Generate the CA private key

mkdir /etc/my.cnf.d/ssl

cd /etc/my.cnf.d/ssl

openssl genrsa 2048 > cakey.pem

2. CA self-signed certificate

openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650

3. Generate the master node's private key and certificate signing request

openssl req -newkey rsa:1024 -days 365 -nodes -keyout master.key > master.csr

Sign the certificate with the CA

openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 -days 365 > master.crt # -days belongs here: the -days on the CSR step is ignored, and x509 -req issues a 30-day certificate without it

4. Generate the slave node's private key and certificate signing request

openssl req -newkey rsa:1024 -days 365 -nodes -keyout slave.key > slave.csr

Sign the certificate with the CA

openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 -days 365 > slave.crt # -days added for the same reason as on the master certificate

[root@localhost ssl]# scp -r /etc/my.cnf.d/ssl/ 192.168.12.27:/etc/my.cnf.d/ # copy the CA certificate and the slave's key pair to the slave server

Second, configure the SSL master and slave

MariaDB [(none)]> status # shows whether the current client session uses SSL ("SSL: Cipher in use is ..." vs. "Not in use")

MariaDB [(none)]> show variables like '%ssl%'; # shows whether SSL is enabled on the server

1. Configure the master server

vi /etc/my.cnf # edit the configuration file

[mysqld]
datadir=/var/lib/mysql
log-bin
server-id=57
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key

systemctl restart mariadb

MariaDB [(none)]> show variables like '%ssl%'; # have_ssl is now YES and the certificate paths are populated

mysql --ssl-ca=cacert.pem --ssl-cert=master.crt --ssl-key=master.key # encrypted client connection; the certificate files must be in the current directory, and a problem with the certificate produces an error

Create an account that is only allowed to log in over SSL

MariaDB [(none)]> grant replication slave on *.* to repluser@'192.168.12.%' identified by '123456' require ssl;

[root@localhost ssl]# mysqldump -A -F --single-transaction --master-data=1 > all.sql # back up the database with the binlog position recorded

[root@localhost ssl]# scp all.sql 192.168.12.27:/

2. Configure the slave server

vi /etc/my.cnf # edit the configuration file

[mysqld]
datadir=/var/lib/mysql
server-id=27
read-only
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/slave.crt
ssl-key=/etc/my.cnf.d/ssl/slave.key

Test whether the slave can connect to the master server over SSL

mysql -urepluser -p123456 -h192.168.12.57 --ssl-ca=cacert.pem --ssl-cert=slave.crt --ssl-key=slave.key

vi /all.sql # edit the CHANGE MASTER TO statement that mysqldump wrote into the dump

CHANGE MASTER TO
MASTER_HOST='192.168.12.57',
MASTER_USER='repluser',
MASTER_PASSWORD='123456',
MASTER_SSL=1,
MASTER_LOG_FILE='mariadb-bin.000009',
MASTER_LOG_POS=245;

[root@localhost ssl]# mysql < /all.sql

MariaDB [(none)]> start slave;

MariaDB [(none)]> show slave status\G # the certificate paths are not shown here when they are set in the configuration file

If you specify the certificate paths in CHANGE MASTER TO instead, show slave status\G displays them; there is no other difference.

MariaDB [(none)]> show slave status\G
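As an added check (example code, not from the original post), the following Python parses the output of the `status` and `show slave status\G` commands used above and flags a session that is not encrypted or a replica that is not configured for SSL. The sample output is constructed; the field names are the ones the MariaDB client prints.

```python
import re

# Constructed sample output from the mysql client (not captured from the hosts in the post).
STATUS_ENCRYPTED = "Current user:\t\trepluser@192.168.12.27\nSSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\n"
STATUS_PLAIN = "Current user:\t\trepluser@192.168.12.27\nSSL:\t\t\tNot in use\n"
SLAVE_STATUS_OK = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.12.57
                  Master_User: repluser
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
"""
# Same replica with MASTER_SSL=1 forgotten and the IO thread stuck connecting.
SLAVE_STATUS_BAD = SLAVE_STATUS_OK.replace("Master_SSL_Allowed: Yes", "Master_SSL_Allowed: No") \
                                  .replace("Slave_IO_Running: Yes", "Slave_IO_Running: Connecting")


def parse_vertical(text):
    """Parse \\G-style (or `status`) output, one 'Name: value' per line, into a dict."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*([\w ]+?):\s*(.*)$", text, re.M)}


def session_encrypted(status_text):
    """True when the client's `status` output reports a cipher, i.e. the session runs over TLS."""
    return parse_vertical(status_text).get("SSL", "").startswith("Cipher in use")


def slave_problems(slave_status_text):
    """Findings from SHOW SLAVE STATUS\\G that mean replication is not running, or not over SSL."""
    s = parse_vertical(slave_status_text)
    problems = []
    if s.get("Master_SSL_Allowed") != "Yes":
        problems.append("Master_SSL_Allowed != Yes: MASTER_SSL=1 is missing from CHANGE MASTER TO")
    for field in ("Slave_IO_Running", "Slave_SQL_Running"):
        if s.get(field) != "Yes":
            problems.append(f"{field} is {s.get(field, 'absent')!r}: replication is not running")
    return problems


if __name__ == "__main__":
    print("encrypted session:", session_encrypted(STATUS_ENCRYPTED))
    print("plain session:", session_encrypted(STATUS_PLAIN))
    print("replica findings:", slave_problems(SLAVE_STATUS_BAD) or "none")
```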
