MySQL master-slave replication traffic is transmitted in plain text, which is not acceptable for some sensitive businesses. Below we build an SSL-based master-slave replication setup. Environment: RHEL 5.8, SELinux disabled, iptables disabled, MySQL 5.5.
Environment: RHEL 5.8, SELinux disabled, iptables disabled, MySQL 5.5.28-i686 installed and initialized from the binary tar package (not compiled from source)
Planning:
Master: 172.16.1.18 master.laoguang.me
Slave: 172.16.1.19 slave.laoguang.me
Preparations: set each hostname to match the plan, configure /etc/hosts for name resolution, and synchronize the time. The installation process is not repeated here; for details, see the MySQL installation article. The data directory is /data/mydata.
1. Configure the CA server on the master and issue a certificate to the master and slave.
1.1 Create a CA server on the master. For details, refer
1.2 Apply for a certificate for MySQL on the master
1.3 Apply for a certificate on the slave
1.4 The master issues the certificate for the slave
1.5 Change permissions and owner on the slave
chown mysql:mysql mysql.*
chmod 600 mysql.*
2. Edit /etc/my.cnf on the master to enable SSL and set up master/slave replication
2.1 Modify /etc/my.cnf
2.2 Start mysql and view the SSL information
2.3 Create a least-privilege account for replication and require SSL for it
3. Edit /etc/my.cnf on the slave, enable SSL, and set up master/slave replication
3.1 Edit /etc/my.cnf
3.2 Start mysqld and view the SSL information
3.3 Start the slave replication threads and connect to the master server
Pay attention to these parameters:
If these look fine, the slave is basically working normally. Next, test it.
4. Test
4.1 Create a database on the master server
4.2 Check on the slave server whether it has been synchronized
If the synchronization is successful, there is no error.
4.3 From the slave server, connect to the master server with the mysql client over SSL and check whether the connection is encrypted
--ssl-key=/data/mydata/ssl/mysql.key
View connection status
The connection is encrypted. You can use tcpdump to capture packets.
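The check from step 3.3 can be scripted. The following is an added example, not the article's own commands: it parses SHOW SLAVE STATUS\G output and fails unless both replication threads are running, Master_SSL_Allowed is Yes, and a CA file is configured. The sample output is constructed, and the cacert.pem and mysql.crt file names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code: validate SHOW SLAVE STATUS\G output.

# Constructed sample, trimmed to the relevant fields (cacert.pem, mysql.crt: assumed names).
sample_status() {
cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.1.18
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /data/mydata/ssl/cacert.pem
              Master_SSL_Cert: /data/mydata/ssl/mysql.crt
               Master_SSL_Key: /data/mydata/ssl/mysql.key
EOF
}

# Print the value of one "Field: value" line read from stdin.
slave_field() {
    awk -v key="$1" '{
        line = $0; sub(/^[ \t]+/, "", line)
        if (index(line, key ":") == 1) { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }
    }'
}

# Return 0 only if both replication threads run, SSL is allowed and a CA file is set.
check_ssl_replication() {
    status=$(cat)
    rc=0
    for f in Slave_IO_Running Slave_SQL_Running Master_SSL_Allowed; do
        v=$(printf '%s\n' "$status" | slave_field "$f")
        # Master_SSL_Allowed may also be "No" or "Ignored" (slave has no SSL support enabled).
        if [ "$v" != "Yes" ]; then
            echo "FAIL: $f is '${v:-missing}', expected 'Yes'" >&2
            rc=1
        fi
    done
    ca=$(printf '%s\n' "$status" | slave_field Master_SSL_CA_File)
    if [ -z "$ca" ]; then
        echo "FAIL: Master_SSL_CA_File is empty" >&2
        rc=1
    fi
    return $rc
}

sample_status | check_ssl_replication && echo "OK: replication is running with SSL configured"
```

On a real slave, pipe the live output of mysql -e 'SHOW SLAVE STATUS\G' into check_ssl_replication. Master_SSL_Allowed only reflects how the slave is configured; the SSL requirement on the replication account from step 2.3 is what makes the master reject an unencrypted connection.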
The SSL-based MySQL master-slave replication is now built. If your slave server is newly added, restore the last full backup of the master server onto the slave server and then replicate from the binary log position that follows that full backup; that is, when you run CHANGE MASTER, add master_log_pos=n, where n is the binary log position after the full backup. Everything else is basically the same.
Note: Today I tried issuing a certificate only to the slave, with the master having just the CA certificate. In theory this should work, but it could not connect, so I gave up on that for now. I then tried naming the master certificate master.crt and the slave certificate slave.crt, and it could not connect either. Later, after searching Google, I named the certificates and private keys on both master and slave mysql.crt and mysql.key, and it worked. If you know why the two certificates cannot use different names, please let me know. Thank you!
This article is from the "Free Linux, Share Linux" blog. Please keep this source