Continuent Ltd

Database Replication and Clustering

Continuent Documentation

Search:
Manual Home
Tungsten Clustering for MySQL 5.3 Manual
Page in Other Manuals
Tungsten Replicator 5.2 Manual
Breadcrumbs
» Tungsten Clustering for MySQL 5.3 Manual

       » 2. Deployment

       » 2.8. Deployment Security
Chapters
Preface
1. Introduction
2. Deployment
3. Deployment: MySQL Topologies
4. Deployment: Advanced
5. Operations Guide
6. Tungsten Connector
7. Tungsten Manager
8. Command-line Tools
9. The tpm Deployment Command
10. Replication Filters
11. Performance and Tuning
A. Release Notes
B. Prerequisites
C. Troubleshooting
D. Files, Directories, and Environment
E. Terminology Reference
F. Internals
G. Frequently Asked Questions (FAQ)
H. Ecosystem Support
I. Configuration Property Reference
Navigate Up
2.8. Deployment Security
Parent Sections
2.8.1. Enabling Security
2.8.2. Disabling Security
2.8.3. Creating Suitable Certificates
2.8.4. Installing from a Staging Host with Manually Generated Certificates
2.8.5. Installing via INI File with Manually Generated Certificates
2.8.6. Replacing the JGroups Certificate from a Staging Directory
2.8.7. Replacing the TLS Certificate from a Staging Directory
2.8.8. Removing JGroups Encryption from a Staging Directory
2.8.9. Removing JGroups Encryption via INI File
2.8.10. Removing TLS Encryption from a Staging Directory
2.8.11. Removing TLS Encryption via INI File
2.8.1. Enabling Security
Prev 2.8. Deployment Security Next

2.8.1. Enabling Security

2.8.1.1. Enabling Security using the Staging Method
2.8.1.2. Enabling Security using the INI Method

By default, security is disabled for the entire installation.

Security can be enabled by using the --disable-security-controls=false option to the tpm command:

Important

Installing from a staging host will automatically generate certificates and configuration for a secured installation. No further changes or actions are required.

For INI-based installations, there are additional steps required to copy the needed certificate files to all of the nodes. Please see Section 2.8.1.2, “Enabling Security using the INI Method” for details.

2.8.1.1. Enabling Security using the Staging Method

Security can be enabled either during initial installation or via an update.

For many reasons, it is much easier to enable SSL at install time. Both procedures follow below.

Enabling During Install

Security can be enabled at install time by using the --disable-security-controls=false option to the tpm configure command. 

shell> tools/tpm configure defaults --disable-security-controls=false \
[...the rest of the configuration options...]
shell> tools/tpm install

Important

Installing from a staging host will automatically generate certificates and configuration for a secured installation. No further changes or actions are required.

Enabling Post-Installation

Security can be enabled after install time by using the --disable-security-controls=false option to the tpm configure command followed by a special invocation of the tpm update command.. 

shell> tools/tpm configure defaults --disable-security-controls=false
shell> tools/tpm update --replace-jgroups-certificate --replace-tls-certificate --replace-release

Warning

This update will force all running processes to be restarted. Connectors MUST be done at the same time or they will no longer be able to communicate with the managers.

2.8.1.2. Enabling Security using the INI Method

Security can be enabled either during initial installation or via an update.

For many reasons, it is much easier to enable SSL at install time. Both procedures follow below.

Enabling During Install

  • First, configure the tungsten.ini file as follows: 

    
disable-security-controls=false
start-and-report=false

  • Next, do the fresh install on each node, which will generate new, different certificates on every node. 

    shell> tools/tpm install

  • You must then select one of the nodes and copy that node's certificate files to all other nodes.

    For example, to seed a 6-node composite cluster, login to db1 and copy both the main and backup files to the other five nodes: 

    shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done

  • On all nodes: 

    shell> startall

Enabling Post-Installation

Security can be enabled after install time by updating the tungsten.ini file, followed by a special invocation of the tpm update command on all nodes.

  • First, configure the tungsten.ini file as follows: 

    
disable-security-controls=false
start-and-report=false

  • Enable Maintenance mode on the cluster 

    shell> cctrl -multi
cctrl> use world
cctrl> set policy maintenance

  • Do the update on each node, which will generate new, different certificates on every node.

    Warning

    This update procedure will force all running Tungsten processes to be stopped. Connectors MUST be done at the same time or they will no longer be able to communicate with the Managers. 

    shell> stopall
shell> tpm query staging
shell> cd {staging_directory}

shell> tools/tpm update --replace-jgroups-certificate --replace-tls-certificate --replace-release

  • As with a fresh install, you must then select one of the nodes and copy that node's certificate files to all other nodes:

    For example, to seed a 6-node composite cluster, login to db1 and copy both the main and backup files to the other five nodes: 

    shell> for i in `seq 2 6`; do scp /opt/continuent/share/[jpt]* db$i:/opt/continuent/share/; done
shell> for i in `seq 2 6`; do scp /opt/continuent/share/.[jpt]* db$i:/opt/continuent/share/; done

  • On all nodes: 

    shell> startall
Prev Up Next
2.8. Deployment Security Home 2.8.2. Disabling Security