MySQL replication is setup already. Now I need to add SSL so the communication between server and client will be secure.<\/p>\n
1. generate CA certificate and server key\/cert on Master<\/p>\n
CA certificate
\n openssl genrsa 2048 > ca-key.pem
\n openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem<\/p><\/blockquote>\nServer Key\/Cert
\n openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem
\n openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem<\/p><\/blockquote>\n2. enable SSL on master
\n add the following to both [client] and [mysqld]<\/p>\nssl-ca=\/var\/lib\/mysql\/ssl\/ca-cert.pem
\n ssl-cert=\/var\/lib\/mysql\/ssl\/client-cert.pem
\n ssl-key=\/var\/lib\/mysql\/ssl\/client-key.pem<\/p><\/blockquote>\n3. generate client key\/cert on Slave<\/p>\n
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem
\n openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem<\/p><\/blockquote>\n4. enable SSL on slave
\n repeat 2, but on slave server and using keys\/cert of slave, restart db with skip-slave-start<\/p>\n5. start slave<\/p>\n
mysql>change master to master_host=’masterdb’, master_user=’repliuser’, master_password=’pass’,master_log_file=’db1-bin.xxxxx’, master_log_pos=98, MASTER_SSL=1, MASTER_SSL_CA=’ssl\/ca-cert.pem’;
\n start slave<\/p><\/blockquote>\n6. setup User permission to use SSL only
\n User “GRANT” to setup user allow SSL connection only<\/p>\nCheck if SSL is on in mysqld<\/p>\n
mysql> show variables like ‘%have_ssl%’;
\n+—————+——-+
\n| Variable_name | Value |
\n+—————+——-+
\n| have_ssl | YES |
\n+—————+——-+<\/p><\/blockquote>\nCheck if Client is using SSL:<\/p>\n
>mysql
\nSHOW STATUS LIKE ‘Ssl_cipher’;<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"MySQL replication is setup already. Now I need to add SSL so the communication between server and client will be secure. 1. generate CA certificate and server key\/cert on Master CA certificate openssl genrsa 2048 > ca-key.pem openssl req -new … Continue reading