The rotate_certs Command

Applies to: Tungsten Clustering for MySQL

Version availability

Available in 7.2.0 and later.

The rotate_certs command allows a seamless upgrade of MySQL certificates (on the MySQL server side).

Usage

rotate_certs [options]

Where:

Option	Description	Product	Version
--alias Aliases: -a	Specify the new alias.	CT	7.2.0
--all	Do import, restart, update and reconfig.	CT	7.2.0
--copy Aliases: -c	Copy the new MySQL Certs to the other nodes, requires root ssh via sudo.	CT	7.2.0
--dir Aliases: -d	Specify the directory of the certs.	CT	7.2.0
--dryrun Aliases: -n	Do not execute, only display what would be run.	CT	7.2.0
--end Aliases: -e	Specify the ending db number for --copy	CT	7.2.0
--generate Aliases: --gen-g	Create the MySQL Certs in the directory provided.	CT	7.2.0
--import Aliases: -i	Import the new MySQL certs into the four Tungsten files.	CT	7.2.0
--one	Do generate and copy.	CT	7.2.0
--pattern	Specify the hostname pattern. Default: db	CT	7.2.0
--reconfig	Execute connector reconfig to deploy the new certs.	CT	7.2.0
--remove Aliases: --rm	Remove the certs dir first, used only with --generate.	CT	7.2.0
--restart	Restart mysqld via sudo service mysqld restart.	CT	7.2.0
--running Aliases: -r	Specify --running --force to tpm cert commands, used only with --import	CT	7.2.0
--start Aliases: -s	Specify the starting db number for --copy Default: 2	CT	7.2.0
--systemd	When issuing --restart, use the systemctl syntax instead.	CT	7.2.0
--update	Change the alias in security.properties for Client <> Connector communication	CT	7.2.0

The update should be made one node at a time, starting with a Replica, switching to it, and then doing the other Replicas.

Examples

On a single node:

shell> rotate_certs --one --dir /etc/mysql/certs2 --alias mysql_new -rm -n

or:

shell> rotate_certs --generate --dir /etc/mysql/certs2 --alias mysql_new --rm -n
shell> rotate_certs --copy --dir /etc/mysql/certs2 -n

On all nodes:

shell> rotate_certs --all --dir /etc/mysql/certs2 --alias mysql_new --running -n

or:

shell> rotate_certs --import --dir /etc/mysql/certs2 --alias mysql_new --running -n
shell> rotate_certs --restart --systemd -n
shell> rotate_certs --update --alias mysql_new -n
shell> rotate_certs --reconfig -n

Standard Workflow Summary

1. On a Single Node:

   shell> rotate_certs --generate
   shell> rotate_certs --copy

2. On all nodes, Starting with a replica:

   shell> rotate_certs --import

3. Edit my.cnf manually

   shell> rotate_certs --restart
   shell> rotate_certs --update
   shell> rotate_certs --reconfig

Standard Workflow Details

Database Nodes:

1. Generate the new mysql certs (rotate_certs --generate)

2. Copy the new mysql certs to all database and Connector nodes (rotate_certs --copy)

3. Add the new cert to four keystores/truststores (rotate_certs --import)

4. Update my.cnf with the new cert location (manual)

5. Restart mysqld on the first Replica when ready and only after the keystores have been updated on that node (rotate_certs --restart)

6. Switch to the above Replica, and repeat Steps 3-6 on the rest of the nodes (manual via cctrl)

Connector Nodes:

Before using the new certs on the client application side:

• Update security.properties: connector.security.keystore.alias.client.to.connector=[new_alias] (rotate_certs --update)
• Run connector reconfigure (rotate_certs --reconfig)
• If applications rely on the [client] stanza in my.cnf, make sure this section is updated with the new cert locations only after the Connectors have been reconfigured (see above two steps)

Standard Workflow Notes

• This procedure to be done in AUTOMATIC policy mode
• After mysqld restart, the Replica being updated will briefly show as failed; this is expected and the node will be brought online automatically by the Manager. Similarly, the Replicator will briefly show suspect, then come back online.
• Once all nodes have been updated:
  • Update all /etc/tungsten/tungsten.ini files with the new aliases to be used by default via java-mysql-alias, then run tpm update
  • A best practice is to remove the old alias from the keystores and truststores as this will avoid Tungsten trying too many aliases next time certs are updated. i.e. tpm cert rm ke,ts,ck,ct [OLD_ALIAS_HERE]