6.6.8. Handling Database level Security

If you choose to enable database level SSL within your MySQL installation, there are a number of additional steps required to allow the Replicators to communicate with the database layer over SSL.

The steps below make the following assumptions:

  • You have enabled SSL using the correct procedures for your distribution of MySQL

  • You have generated, and have access to, the client level certificates and keys

  • If you are installing an Offboard extractor/applier, the client certificates and keys have been copied to the extractor/applier hosts

  1. If SSL has been enabled at the replicator level, then you should have the following parameter enabled within your installation:

    disable-security-controls=false

    As a result, you should have a number of files within /opt/continuent/share:

    shell> ls -l
    total 20
    -rw-rw-r-- 1 tungsten tungsten  104 Jul 18 10:15 jmxremote.access
    -rw-rw-r-- 1 tungsten tungsten  729 Jul 18 10:15 passwords.store
    -rw-rw-r-- 1 tungsten tungsten 2268 Jul 18 10:15 tungsten_keystore.jks
    -rw-rw-r-- 1 tungsten tungsten 1079 Jul 18 10:15 tungsten_truststore.ts

    If this is the case, skip the next step and move on to step 3.

  2. If you do not have SSL enabled at the replicator level and you require this, then follow the steps in Section 6.6.1, “Enabling Security” first.

    If you do not require SSL at the replicator level, then add the following parameters to your configuration, but do not run tpm update yet:

    java-truststore-path=/home/tungsten/tungsten_truststore.ts
    java-truststore-password=tungsten
    java-keystore-path=/home/tungsten/tungsten_keystore.jks

  3. Next, add the following parameters to your installation, but do not run tpm update yet:

    property=replicator.global.db.sslEnabled=true
    property=replicator.global.db.sslOptions=useSSL=true

  4. You now need to convert the MySQL client key to PKCS12 format. Adjust the path and filename in the example to suit your environment.

    shell> openssl pkcs12 -export -in /home/tungsten/client-cert.pem »
    -inkey /home/tungsten/client-key.pem »
    -name mysql -out /home/tungsten/client-key.p12

    Important

    When prompted for a password, you MUST enter tungsten

  5. We now need to import the key, either into the existing keystore if it exists, or into a new one if SSL is not being enabled at the replicator level.

    If replicator SSL already enabled

    shell> keytool -importkeystore -deststorepass tungsten »
    -destkeystore /opt/continuent/share/tungsten_keystore.jks »
    -srckeystore /home/tungsten/client-key.p12 -srcstoretype PKCS12

    If replicator SSL not enabled

    shell> keytool -importkeystore -deststorepass tungsten »
    -destkeystore /home/tungsten/tungsten_keystore.jks »
    -srckeystore /home/tungsten/client-key.p12 -srcstoretype PKCS12

    When prompted for a password, enter tungsten

  6. Next, import the client certificate into the truststore.

    If replicator SSL already enabled

    shell> keytool -import -alias mysql -trustcacerts -file /home/tungsten/ca.pem »
    -keystore /opt/continuent/share/tungsten_truststore.ts

    If replicator SSL not enabled

    shell> keytool -import -alias mysql -trustcacerts -file /home/tungsten/ca.pem »
    -keystore /home/tungsten/tungsten_truststore.ts

    When prompted for a password, enter tungsten

  7. Issue tpm update to apply the configuration.

The replicators will be restarted as part of the update process, and should now be using SSL to connect to MySQL successfully.
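As an added check that is not part of the Continuent documentation or tooling, the POSIX shell script below confirms, before step 7 is run, that the keystore holds the MySQL client key under the alias mysql (step 5) and the truststore holds the CA as a trusted certificate (step 6). It assumes keytool is on the PATH and that the store password is the tungsten value used throughout the procedure above.

```shell
#!/bin/sh
# Verify the keystore/truststore entries the procedure above should produce.
# Constructed example; the alias "mysql" comes from "-name mysql" (step 4)
# and "-alias mysql" (step 6). STORE_PASS defaults to the password the
# procedure uses; override it in the environment if yours differs.
STORE_PASS="${STORE_PASS:-tungsten}"

# parse_keytool_list: reduce "keytool -list" output on stdin to one
# "alias type" line per entry, e.g. "mysql PrivateKeyEntry". keytool prints
# entry lines as:  mysql, Jul 18, 2019, PrivateKeyEntry,
parse_keytool_list() {
    awk '/Entry,? *$/ { sub(/[, ]+$/, ""); n = split($0, f, /, */); print f[1], f[n] }'
}

# has_entry <alias> <type>: succeed if the parsed list on stdin has that entry
has_entry() {
    grep -qxF "$1 $2"
}

# list_store <path>: parsed entry list of a JKS/PKCS12 store (needs keytool)
list_store() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" 2>/dev/null |
        parse_keytool_list
}

# check_store <path> <alias> <type>: 0 if the entry is present, 1 otherwise
check_store() {
    list_store "$1" | has_entry "$2" "$3"
}

# check_all <keystore> <truststore>: report both stores, exit status 0 only
# when the client key and the CA certificate are where the replicator expects
check_all() {
    rc=0
    check_store "$1" mysql PrivateKeyEntry ||
        { echo "keystore $1: no PrivateKeyEntry with alias mysql"; rc=1; }
    check_store "$2" mysql trustedCertEntry ||
        { echo "truststore $2: no trustedCertEntry with alias mysql"; rc=1; }
    [ "$rc" -eq 0 ] && echo "both stores contain the expected mysql entries"
    return "$rc"
}

# Usage: sh check_db_ssl.sh <keystore.jks> <truststore.ts>
if [ "$#" -eq 2 ]; then
    check_all "$1" "$2"
fi
```

For the "replicator SSL already enabled" case the paths are /opt/continuent/share/tungsten_keystore.jks and /opt/continuent/share/tungsten_truststore.ts; for the other case use the /home/tungsten paths from steps 5 and 6.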