SSL-based MySQL master-slave replication

[Background]
The MySQL protocol is plain text. When replicating important data it is sometimes necessary to enable SSL so that the data is protected in transit.

[Preparation]
1. Keep master and slave clocks in sync
[root@node3 support-files]# crontab -e    ### master node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &>/dev/null

[root@node1 CA]# crontab -e               ### slave node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &>/dev/null
2. Create a CA and issue certificates to the master and the slave
[root@node1 CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...................++
................++
e is 65537 (0x10001)
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:admin.stu11.com
[root@node1 CA]# touch index.txt
[root@node1 CA]# echo 01 > serial

[root@node1 CA]# cd /etc/mysql/ssl/
[root@node1 ssl]# (umask 077; openssl genrsa -out master.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++
.............................++
e is 65537 (0x10001)
[root@node1 ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:admin@stu11.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 25 07:12:12 2015 GMT
            Not After : Jan 25 07:12:12 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = master.crt
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:50:74:97:39:91:86:5A:1F:C6:2F:6A:87:FB:77:04:7B:70:33:5C
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E

Certificate is to be certified until Jan 25 07:12:12 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]# ls
master.crt  master.csr  master.key
[root@node1 ssl]# chown -R mysql:mysql *
[root@node1 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 master.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 master.csr
-rw------- 1 mysql mysql  887 Jan 25 master.key

[root@node3 ssl]# (umask 077; openssl genrsa -out slave.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++
.........................++
e is 65537 (0x10001)
[root@node3 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:slave.cert
Email Address []:admin@stu11.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node3 ssl]# scp slave.csr 172.16.249.141:/etc/pki/CA/

[root@node1 CA]# openssl ca -in slave.csr -out slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 25 07:21:11 2015 GMT
            Not After : Jan 25 07:21:11 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = slave.cert
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:06:AD:F0:1D:8A:78:62:ED:A7:FF:BB:7A:F6:79:14:D4:FB:26:39
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E

Certificate is to be certified until Jan 25 07:21:11 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 CA]# scp slave.crt 172.16.11.3:/etc/mysql/ssl/
[root@node1 CA]# scp cacert.pem 172.16.11.3:/etc/mysql/ssl/

[root@node3 ssl]# chown -R mysql:mysql *
[root@node3 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 slave.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 slave.csr
-rw------- 1 mysql mysql  887 Jan 25 slave.key
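The same CA setup and master/slave certificate issuance, written as an added example that is not part of the original post: it runs non-interactively with -subj, signs with openssl x509 -req instead of the post's openssl ca database, and adds the chain-verification and key-permission checks worth running before pointing mysqld at the files. The working directory, the 2048-bit key size and the CNs "master"/"slave" are assumptions; the DN fields mirror the post's answers.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA and issue the
# master and slave certificates non-interactively, then verify them.
set -eu

# Directory and CNs are constructed; DN values mirror the post's answers.
# Keys are 2048-bit: 1024-bit RSA, as used in the post, is below current
# minimums and is rejected by modern TLS stacks.
make_mysql_certs() {
    dir="$1"; days="${2:-365}"
    mkdir -p "$dir"
    (
        cd "$dir"
        umask 077   # private keys come out 0600, as in the post's (umask 077; ...)
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -new -x509 -key cakey.pem -out cacert.pem -days "$days" \
            -subj "/C=CN/ST=HA/L=ZZ/O=magedu/OU=14qi/CN=cacert" 2>/dev/null
        for node in master slave; do
            openssl genrsa -out "$node.key" 2048 2>/dev/null
            openssl req -new -key "$node.key" -out "$node.csr" \
                -subj "/C=CN/ST=HA/L=ZZ/O=magedu/OU=14qi/CN=$node" 2>/dev/null
            # Sign with 'openssl x509 -req' instead of the post's 'openssl ca',
            # so no /etc/pki/CA index.txt/serial database is needed.
            openssl x509 -req -in "$node.csr" -CA cacert.pem -CAkey cakey.pem \
                -CAcreateserial -out "$node.crt" -days "$days" 2>/dev/null
            chmod 644 "$node.crt"   # certificates are public; keys stay 0600
        done
        chmod 644 cacert.pem
    )
}

# Succeeds only if the certificate chains to the given CA file. Run this on
# master.crt and slave.crt before enabling ssl-ca/ssl-cert/ssl-key in my.cnf.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the key is mode 0600 (owner-only), which the post's
# umask 077 guarantees and the 'll' listing should confirm.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}
```

A certificate issued by a different CA, even one with the same subject, fails verify_cert, which is exactly the check that catches a cacert.pem copied to the wrong host.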