Configuring Connector SSL

SSL communication is supported for Tungsten Connector in three different possible combinations:

• SSL from the application to Tungsten Connector; Non-SSL connections from Tungsten Connector to MySQL
• Non-SSL from the application to Tungsten Connector; SSL connections from Tungsten Connector to MySQL
• SSL from the application to Tungsten Connector; SSL connections from Tungsten Connector to MySQL

There are three different tpm properties that control SSL for the connectors when using Proxy mode, these are:

• connector-client-ssl : This controls SSL between your applications and the connectors.
• connector-server-ssl : This controls SSL between the connectors and MySQL.
• connector-ssl : This is an alias that will control both of the above properties.

Additionally, connector-ssl-capable can be used to control whether the connector advertises that it is SSL capable to clients.
When SSL is enabled, this property is also enabled. With some clients, this triggers them to use SSL even if SSL has not been configured. This causes the connections to fail and not operate correctly. In those situations, setting this value to false would be appropriate

The connector also supports application connections using either SSL or Non-SSL communication on the same TCP/IP port. This allows you to choose SSL communication without changing your application ports.

To enable SSL communication with Tungsten Connector you must create suitable certificates keys and keystores, as described in . The keystores used for Tungsten Connector can be the same, or different, to the keystores used for securing the manager and replication communication.

Note

Please note that when operating in Bridge mode, the Connector is only involved in picking the correct server. In this situation the SSL configuration will be identical to the regular MySQL SSL setup, as explained in the MySQL documentation located here

Connector SSL will be enabled by default during installation, the connector-ssl option can be used to explicitly enable this if required when disable-security-controls=true

Before changing the property and enabling Connector SSL, a number of other steps first need to be accomplished.

• Create, activate and test SSL keys for the MySQL server. Refer to "Enabling Database SSL" for steps on accomplishing this,
• Enable and test SSL encrypted traffic between the MySQL server and the Connector. See "Enable and Test SSL encryption from the Connector to the Database"
• Enable and test SSL encrypted traffic between the Application/Client and the Connector. See "Test SSL encryption from the Application to the Database"

Note

If you are installing a new cluster you only need to ensure database SSL has been configured. Everything else will be handled. If you are configuring connector SSL as a post-installation task, then this document explains the various steps required.

Enable and Test SSL encryption from the Connector to the Database

1. Convert MySQL Client Cert to pkcs12 format

   shell> openssl pkcs12 -export \
   -inkey $MYSQL_CERTS_PATH/client-key.pem \
   -in $MYSQL_CERTS_PATH/client-cert.pem \
   -out $MYSQL_CERTS_PATH/client-cert.p12 \
   -passout pass:secret

2. Create tungsten_connector_keystore.jks

   shell> keytool -importkeystore \
   -srckeystore $MYSQL_CERTS_PATH/client-cert.p12 \
   -srcstoretype PKCS12 \
   -destkeystore $CONN_CERTS_PATH/tungsten_connector_keystore.jks \
   -deststorepass secret \
   -srcstorepass secret

3. Import the CA Cert into the KeyStore

   shell> keytool -import -alias mysqlServerCACert -file $MYSQL_CERTS_PATH/ca-cert.pem \
   -keystore $CONN_CERTS_PATH/tungsten_connector_keystore.jks \
   -storepass secret -noprompt

4. Import the CA Cert into the TrustStore

   shell> keytool -import -alias mysqlServerCACert -file $MYSQL_CERTS_PATH/ca-cert.pem \
   -keystore $CONN_CERTS_PATH/tungsten_connector_truststore.ts \
   -storepass secret -noprompt

5. For INI-based deployments only, copy the certs to all Connector nodes (repeat as needed so that every Connector node has the same certificates)

   shell> rsync -av $CONN_CERTS_PATH/ connectorHost:$CONN_CERTS_PATH/

6. Set proper ownership and permissions on ALL Connector nodes

   shell> sudo chown tungsten: $CONN_CERTS_PATH/tungsten_connector_*

7. Add the new MySQL user to the Connector's user.map config file.

   See "user.map File Format" for more information.

   shell> vi /opt/continuent/tungsten/tungsten-connector/conf/user.map
   ssl_user secret theSvcName

8. Update the Connector configuration to enable SSL

   • Staging Method

     Update all nodes (DB & Connector) in the cluster

     shell> tpm query staging
     shell> cd {STAGING_DIR}
     shell> tools/tpm configure {yourServiceName} \
     --connector-ssl=true \
     --java-connector-keystore-password=secret \
     --java-connector-truststore-password=secret \
     --java-connector-truststore-path=$CONN_CERTS_PATH/tungsten_connector_truststore.ts \
     --java-connector-keystore-path=$CONN_CERTS_PATH/tungsten_connector_keystore.jks
     
     shell> tools/tpm update

   • INI Method

     Repeat these two steps on each node (DB & Connector)

     shell> vi /etc/tungsten/tungsten.ini
     [defaults]
     ...
     # enable SSL from the connector to the DB
     connector-ssl=true
     java-connector-keystore-password=secret
     java-connector-truststore-password=secret
     java-connector-truststore-path=$CONN_CERTS_PATH/tungsten_connector_truststore.ts
     java-connector-keystore-path=$CONN_CERTS_PATH/tungsten_connector_keystore.jks
     ...
     
     shell> tpm update

9. Test SSL connectivity through the connector

   1. Connect as the default application user

      shell> tpm connector

   2. Check the connection status

      Note

      Expecting "SSL.IN=false SSL.OUT=true"

      SSL.IN is false because the tpm connector command calls the mysql client in non-SSL mode.

      SSL.OUT is true because the connection to the database is encrypted, even if the connection from the mysql client is not.

      This can be verified with the sudo tcpdump -X port 13306 command. Without the encryption, queries and responses are sent in plaintext and are visible in the output of tcpdump. When encryption is enabled, the queries and results are no longer visible.

      mysql> tungsten connection status;
      +---------------------------------------------------------------------------------+
      | Message                                                                         |
      +---------------------------------------------------------------------------------+
      | db1@east(master:ONLINE) STATUS(OK), QOS=RW_STRICT **SSL.IN=false SSL.OUT=true** |
      +---------------------------------------------------------------------------------+
      1 row in set (0.00 sec)

   3. Check the SSL status

      Note

      Expecting "SSL: Not in use"

      SSL is not in use because the tpm connector command calls the mysql client in non-SSL mode.

      The connection to the database is encrypted, even if the connection from the mysql client is not.

      This can be verified with the sudo tcpdump -X port 13306 command. Without the encryption, queries and responses are sent in plaintext and are visible in the output of tcpdump. When encryption is enabled, the queries and results are no longer visible.

      mysql> status
      --------------
      mysql  Ver 14.14 Distrib 5.5.42-37.1, for Linux (x86_64) using readline 5.1
      
      Connection id:      70
      Current database:   
      Current user:      app_user@app1
      **SSL:         Not in use**
      Current pager:      stdout
      Using outfile:      ''
      Using delimiter:   ;
      Server version:      5.5.42-37.1-log-tungsten Percona Server (GPL), Release 37.1, Revision 39acee0
      Protocol version:   10
      Connection:      app1 via TCP/IP
      Server characterset:   latin1
      Db     characterset:   latin1
      Client characterset:   latin1
      Conn.  characterset:   latin1
      TCP port:      3306
      Uptime:         2 hours 27 min 53 sec
      
      Threads: 4  Questions: 41474  Slow queries: 0  Opens: 47 
      Flush tables: 2  Open tables: 10  Queries per second avg: 4.674
      --------------

important

If you are able to login to MySQL and see that the "tungsten connection status;" is SSL.OUT=true, then you have successfully configured the communication between the Connector and MySQL to use SSL.

Test SSL encryption from the Application to the Database

1. Connect as the SSL-enabled application user through the Connector host

   shell> mysql -u ssl_user -psecret -h 127.0.0.1 -P 3306 --ssl-ca=/etc/mysql/certs/ca-cert.pem

2. Check the connection status

   Note

   Expecting "SSL.IN=true SSL.OUT=true"

   SSL.IN is true because the mysql client was invoked in SSL mode. Communications from the mysql client to the connector are encrypted.

   SSL.out is true because the connection to the Database from the Connector is encrypted.

   mysql> tungsten connection status;
   +--------------------------------------------------------------------------------+
   | Message                                                                        |
   +--------------------------------------------------------------------------------+
   | db1@east(master:ONLINE) STATUS(OK), QOS=RW_STRICT **SSL.IN=true SSL.OUT=true** |
   +--------------------------------------------------------------------------------+
   1 row in set (0.00 sec)

3. Check the SSL status

   Note

   Expecting "Cipher in use is XXX-XXX-XXXXXX-XXX"

   SSL is in use because the mysql client was invoked in SSL mode.

   The connection from the mysql client to the database is encrypted.

   mysql> status
   --------------
   mysql  Ver 14.14 Distrib 5.5.42-37.1, for Linux (x86_64) using readline 5.1
   
   Connection id:      68
   Current database:   
   Current user:      ssl_user@app1
   **SSL:         Cipher in use is DHE-RSA-AES256-SHA**
   Current pager:      stdout
   Using outfile:      ''
   Using delimiter:   ;
   Server version:      5.5.42-37.1-log-tungsten Percona Server (GPL), Release 37.1, Revision 39acee0
   Protocol version:   10
   Connection:      app1 via TCP/IP
   Server characterset:   latin1
   Db     characterset:   latin1
   Client characterset:   latin1
   Conn.  characterset:   latin1
   TCP port:      3306
   Uptime:         2 hours 33 min 32 sec
   
   Threads: 4  Questions: 43065  Slow queries: 0  Opens: 47 
   Flush tables: 2  Open tables: 10  Queries per second avg: 4.674
   --------------

important

If you are able to login to MySQL and see that the "tungsten connection status;" is "SSL.IN=true SSL.OUT=true", and the "status;" contains "Cipher in use is XXX-XXX-XXXXXX-XXX", then you have successfully configured SSL-encrypted communication between the Application/Client and MySQL through the Connector.