SSL-based MySQL Master-Slave Replication

Source: Internet
Author: User
[Background]

The MySQL protocol is plain text. When replicating important data, SSL is sometimes required to protect the data in transit.

[Preparation]

1. Keep the time on the master and the slave consistent

[root@node3 support-files]# crontab -e    ### master node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &>/dev/null
[root@node1 CA]# crontab -e    ### slave node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &>/dev/null

III.

[root@node1 CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...................++
................++
e is 65537 (0x10001)
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:admin.stu11.com
[root@node1 CA]# touch index.txt
[root@node1 CA]# echo 01 > serial
[root@node1 CA]# cd /etc/mysql/ssl/
[root@node1 ssl]# (umask 077; openssl genrsa -out master.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++
.............................++
e is 65537 (0x10001)
[root@node1 ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:admin@stu11.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 25 07:12:12 2015 GMT
            Not After : Jan 25 07:12:12 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = master.crt
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:50:74:97:39:91:86:5A:1F:C6:2F:6A:87:FB:77:04:7B:70:33:5C
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E
Certificate is to be certified until Jan 25 07:12:12 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]# ls
master.crt  master.csr  master.key
[root@node1 ssl]# chown -R mysql:mysql *
[root@node1 ssl]# ll
total 16
-rw-r--r-- 1 mysql 1013 Jan 25 cacert.pem
-rw-r--r-- 1 mysql 3161 Jan 25 master.crt
-rw-r--r-- 1 mysql 680 Jan 25 master.csr
-rw------- 1 mysql 887 Jan 25 master.key
[root@node3 ssl]# (umask 077; openssl genrsa -out slave.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++
.........................++
e is 65537 (0x10001)
[root@node3 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:slave.cert
Email Address []:admin@stu11.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node3 ssl]# scp slave.csr 172.16.249.141:/etc/pki/CA/
[root@node1 CA]# openssl ca -in slave.csr -out slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 25 07:21:11 2015 GMT
            Not After : Jan 25 07:21:11 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = slave.cert
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:06:AD:F0:1D:8A:78:62:ED:A7:FF:BB:7A:F6:79:14:D4:FB:26:39
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E
Certificate is to be certified until Jan 25 07:21:11 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 CA]# scp slave.crt 172.16.11.3:/etc/mysql/ssl/
[root@node1 CA]# scp cacert.pem 172.16.11.3:/etc/mysql/ssl/
[root@node3 ssl]# chown -R mysql:mysql *
[root@node3 ssl]# ll
total 16
-rw-r--r-- 1 mysql 1013 Jan 25 cacert.pem
-rw-r--r-- 1 mysql 3161 Jan 25 slave.crt
-rw-r--r-- 1 mysql 680 Jan 25 slave.csr
-rw------- 1 mysql 887 Jan 25 slave.key
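
The following is an added example, not part of the original page: a shell pre-flight check over the kind of files this procedure produces (cacert.pem, master.crt, master.key), confirming the public-key size, that the private key matches the certificate, and that the certificate chains to the CA. The throwaway directory, the subject names example-ca and master.example.test, and the 2048-bit floor are assumptions of this example; the weak case reproduces the 1024-bit size used in the session above.

```shell
#!/bin/sh
# Added example. File names mirror the page; subjects and paths are constructed.

# build_set DIR BITS: throwaway CA plus one CA-signed certificate in DIR.
build_set() {
    d=$1; bits=$2
    ( umask 077
      openssl genrsa -out "$d/cakey.pem" 2048
      openssl genrsa -out "$d/master.key" "$bits" ) >/dev/null 2>&1
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 365 -subj "/CN=example-ca" >/dev/null 2>&1
    openssl req -new -key "$d/master.key" -out "$d/master.csr" \
        -subj "/CN=master.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/master.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/master.crt" \
        -days 365 >/dev/null 2>&1
}

# cert_bits CERT: print the size in bits of the certificate's public key.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_pair CA CERT KEY: print one verdict line; return 0 only if all pass.
check_pair() {
    bits=$(cert_bits "$2")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL weak-key (${bits:-0} bits)"; return 1; }
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || cm=
    km=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null) || km=
    [ -n "$cm" ] && [ "$cm" = "$km" ] || { echo "FAIL key-mismatch"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL chain"; return 1; }
    echo "OK"
}

# Demo: a 2048-bit set passes; a 1024-bit set (the size used on the page) is flagged.
demo() {
    t=$(mktemp -d)
    mkdir "$t/good" "$t/weak"
    build_set "$t/good" 2048; build_set "$t/weak" 1024
    for s in good weak; do
        printf '%s: ' "$s"
        check_pair "$t/$s/cacert.pem" "$t/$s/master.crt" "$t/$s/master.key" || true
    done
    rm -rf "$t"
}
demo
```

To check real files, call check_pair with the CA certificate, the node certificate and the node key, for example the three files listed in /etc/mysql/ssl above.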
