MySQL-based encrypted master-slave replication using SSL

Source: Internet
Author: User
We all know that MySQL master-slave replication is transmitted in plain text, which is not allowed for some special businesses. Next we will try to build an SSL-based master-slave replication environment: RHEL5.8SELinux disabled, iptables disabled, and MySQL5.5.

We all know that MySQL master-slave replication is transmitted in plain text, which is not allowed for some special businesses. Next we will try to build an SSL-based master-slave replication environment: RHEL5.8SELinux disabled, iptables disabled, and MySQL5.5.

We all know that MySQL master-slave replication is transmitted in plain text, which is not allowed for some special businesses. Next we will try to build an SSL-based master-slave Replication

Environment: RHEL5.8 SELinux disabled, US server, iptables disabled, MySQL 5.5.28-i686 tar package initialized and installed (non-compiled)

Planning:

  • Master: 172.16.1.18 master. laoguang. me
  • Slave: 172.16.1.19 slave. laoguang. me
  • Preparations: the hostname is consistent with the plan. Configure/etc/hosts for resolution. The time should be synchronized. The Hong Kong virtual host will not be repeated during the process. For details, see mysql installation, the data directory is/data/mydata.

    1. Configure the CA server on the master and issue a certificate to the master and slave.

    1.1 create a CA server on the master. For details, refer

    1.2 master MySQL Certificate Application

    1.3 apply for a certificate on slave

    1.4 The master node issues the Server Load balancer instance

    1.5 Change permissions and owner on slave

  • Chown mysql: mysql .*
  • Chmod 600 mysql .*
  • Ii. Compile/etc/my. cnf on the Master to enable ssl and set Master/Slave

    2.1 Modify/etc/my. cnf

    2.2 start mysql and view ssl information

    2.3 create a minimum permission account for synchronization and require ssl

    3. Compile/etc/my. cnf on Slave, enable ssl, and set Master/Slave

    3.1 editing/etc/my. cnf

    3.2 enable mysqld and view ssl information

    3.3 start the slave synchronization process and connect to the master server

    Follow these parameters:

    If it seems like tired, slave is basically normal, the following test

    Iv. Test

    4.1 create a database on the master server

  • 4.2 check whether synchronization has been performed on the server

  • If the synchronization is successful, there is no error.

    4.3 The slave server mysql connects to the master server based on ssl to check whether the connection status is encrypted

  • -- Ssl-key =/data/mydata/ssl/mysql. key
  • View connection status

    The connection is encrypted. You can use tcpdump to capture packets.

    By now, the SSL-based mysql master-slave synchronization has been built. If your slave server is newly added, restore the last full backup of the master server to the slave server, and synchronize the complete backup of the binary log, that is, when you change the master, add master_log_op = n, n represents the binary location after the complete backup, the other is basically consistent.

    Note: Today, I tried to only issue a certificate to slave. The master has a CA certificate, and the VM should be successful in theory, but it cannot be connected, so I will give up temporarily, then try to name the master certificate as master. crt, slave certificate is slave. the crt results cannot be connected. Later, google named the master and slave certificates and private keys mysql. crt, mysql. the key is successfully completed. If you know why the document cannot be used, the two certificates cannot be used for different names. Thank you!

    This article is from the "Free Linux, Share Linux" blog. Please keep this source

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.