Enable MySQL SSL
A prerequisite to enabling full security is to enable SSL within your database if this isn't already configured. To do this, we can use the
mysql_ssl_rsa_setup tool supplied with most distributions of MySQL. If you do not have this tool, or require more detail, you can refer to
"Enabling Database SSL". The steps below summarise the process using mysql_ssl_rsa_setup.
The first step is to set up the directories for the certs. Perform this on ALL hosts in your topology:
shell> sudo mkdir -p /etc/mysql/certs
shell> sudo chown -R tungsten: /etc/mysql/certs/
NB: The ownership is temporarily set to tungsten so that the subsequent scp will work between hosts.
This next step should be performed on just one single host, for the purpose of this example we will use db1 as the host:
db1> mysql_ssl_rsa_setup -d /etc/mysql/certs/
db1> openssl pkcs12 -export -inkey /etc/mysql/certs/client-key.pem \
-name mysql -in /etc/mysql/certs/client-cert.pem -out /etc/mysql/certs/client-cert.p12 \
-passout pass:tungsten
Important: When using OpenSSL 3.0 with Java 1.8, you MUST add the -legacy option to the openssl command.
db1> for host in db2 db3 db4 db5 db6; do
scp /etc/mysql/certs/* ${host}:/etc/mysql/certs
done
Next, on every host we need to reset the directory ownership:
shell> sudo chown -R mysql: /etc/mysql/certs/
shell> sudo chmod g+r /etc/mysql/certs/client-*
Now on every host, we need to reconfigure MySQL. Add the following properties into your my.cnf:
[mysqld]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
[client]
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem
ssl-ca=/etc/mysql/certs/ca.pem
Next, place your cluster(s) into MAINTENANCE mode:
shell> cctrl
cctrl> set policy maintenance
Restart MySQL for the new settings to take effect:
shell> sudo service mysqld restart
Finally, return your cluster(s) into AUTOMATIC mode:
shell> cctrl
cctrl> set policy automatic
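A pre-restart sanity check, added here as an example and not part of the Continuent documentation: it parses a my.cnf, confirms that both [mysqld] and [client] carry the three ssl-* keys shown above, that every referenced file exists, and that the private keys are not world-readable (the chmod g+r step above grants group read only, so an 'other' read bit means the permissions were set wrongly). It assumes POSIX sh, awk, sed and ls, and takes the my.cnf path and the certs directory as arguments.

```shell
#!/bin/sh
# Example check for the SSL configuration steps above (added example, not
# Continuent's own tooling). Run it on each host before restarting MySQL:
#   check_ssl_config /etc/my.cnf /etc/mysql/certs

# section_keys FILE SECTION: print the ssl-* "key=value" lines of SECTION
section_keys() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); in_sec = (s == want); next }
        in_sec && /^[[:space:]]*ssl-(ca|cert|key)[[:space:]]*=/ { gsub(/[[:space:]]/, ""); print }
    ' "$1"
}

# check_section FILE SECTION: fail if ssl-ca, ssl-cert or ssl-key is missing
# from SECTION or points at a file that does not exist on this host
check_section() {
    keys=$(section_keys "$1" "$2") || return 1
    for k in ssl-ca ssl-cert ssl-key; do
        path=$(printf '%s\n' "$keys" | sed -n "s/^$k=//p" | head -n 1)
        [ -n "$path" ] || { echo "[$2] is missing $k"; return 1; }
        [ -f "$path" ] || { echo "[$2] $k -> $path does not exist"; return 1; }
    done
    return 0
}

# check_key_perms DIR: no private key in DIR may be readable by 'other'
# (the 8th character of the ls mode string is the other-read bit)
check_key_perms() {
    for f in "$1"/*-key.pem; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f") in
            ???????r*) echo "$f is world-readable"; return 1 ;;
        esac
    done
    return 0
}

# check_ssl_config MY_CNF CERT_DIR: run every check; 0 means ready to restart
check_ssl_config() {
    check_section "$1" mysqld && check_section "$1" client && check_key_perms "$2"
}
```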