Configuring SSL master-slave replication in MySQL
Creating the SSL files on MySQL 5.6
Official documentation: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-command-line
Create clean environment
mkdir /home/mysql/mysqlcerts && cd /home/mysql/mysqlcerts
Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
Create server certificate, remove passphrase, and sign it
server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Create client certificate, remove passphrase, and sign it
client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Creating the SSL files on MySQL 5.7
Official documentation: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html
mkdir -p /home/mysql/mysqlcerts
/usr/local/mysql-5.7.21-linux-glibc2.12-x86_64/bin/mysql_ssl_rsa_setup --datadir=/home/mysql/mysqlcerts/
Configuration after the SSL files have been created on the master
Slave 192.168.1.222
mkdir -p /home/mysql/mysqlcerts
Master
chown -R mysql:mysql /home/mysql/mysqlcerts/
scp ca.pem client-cert.pem client-key.pem root@192.168.1.222:/home/mysql/mysqlcerts/
Grant on the master
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.1.222' identified by '' require ssl;
Master my.cnf
# SSL
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/server-cert.pem
ssl-key=/home/mysql/mysqlcerts/server-key.pem
Restart MySQL
Slave
chown -R mysql:mysql /home/mysql/mysqlcerts/
my.cnf
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/client-cert.pem
ssl-key=/home/mysql/mysqlcerts/client-key.pem
Set up replication:
change master to master_host='', master_user='', master_password='', master_log_file='mysql-bin.000001', master_log_pos=154, master_ssl=1, master_ssl_ca='/home/mysql/mysqlcerts/ca.pem', master_ssl_cert='/home/mysql/mysqlcerts/client-cert.pem', master_ssl_key='/home/mysql/mysqlcerts/client-key.pem', MASTER_CONNECT_RETRY=10;
Verification:
Once SSL is configured on the master, clients log in over SSL by default
mysql -utest -h192.168.1.223 -ptest -P3307
(this account can log in whether or not require ssl is configured for it)
The command to log in without SSL is:
mysql -utest -h192.168.1.223 -ptest -P3307 --ssl-mode=DISABLED
(if the account is configured with require ssl, the login fails)
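The logins above test an ordinary client account; the replication channel created with change master to can be checked separately on the slave from the output of SHOW SLAVE STATUS\G. The script below is an added example, not part of the original article: it reads that output on stdin and reports whether the channel is configured for SSL. The sample status text is constructed, master.example is a placeholder host name, and the FAIL/WARN policy is this example's own.

```shell
#!/bin/sh
# Added example: audit replication TLS from SHOW SLAVE STATUS\G text on stdin.
# Prints one finding per line; returns 1 if any FAIL was found, else 0.
check_repl_ssl() {
    awk '
    /^[ \t]*[A-Za-z_]+:/ {                      # "   Field_Name: value" rows
        line = $0; sub(/^[ \t]+/, "", line)
        c = index(line, ":")                    # first colon ends the field name
        v = substr(line, c + 1); sub(/^ /, "", v)
        val[substr(line, 1, c - 1)] = v
    }
    END {
        fail = 0
        if (val["Slave_IO_Running"] != "Yes") {
            print "FAIL IO thread not running: " val["Last_IO_Error"]; fail = 1
        }
        if (val["Master_SSL_Allowed"] != "Yes") {
            print "FAIL Master_SSL_Allowed=" val["Master_SSL_Allowed"]; fail = 1
        }
        if (val["Master_SSL_CA_File"] == "") {
            print "FAIL Master_SSL_CA_File is empty"; fail = 1
        }
        if (val["Master_SSL_Verify_Server_Cert"] != "Yes")
            print "WARN Master_SSL_Verify_Server_Cert is not Yes: master host name is not checked against its certificate"
        if (!fail) print "OK replication channel is configured for SSL"
        exit fail
    }'
}

# Constructed sample (not captured from a real server); master.example is a placeholder.
sample_status() {
    cat <<'EOF'
*************************** 1. row ***************************
                  Master_Host: master.example
                  Master_User: repl
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /home/mysql/mysqlcerts/ca.pem
              Master_SSL_Cert: /home/mysql/mysqlcerts/client-cert.pem
               Master_SSL_Key: /home/mysql/mysqlcerts/client-key.pem
                Last_IO_Error:
Master_SSL_Verify_Server_Cert: No
EOF
}

sample_status | check_repl_ssl || true
```

On a real slave, pipe the live output into the function: mysql -e 'SHOW SLAVE STATUS\G' | check_repl_ssl. The WARN line appears with the change master to statement above because it does not set MASTER_SSL_VERIFY_SERVER_CERT.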