5.7.8. Handling Database Level Security

If you choose to enable database level SSL within your MySQL installation, there are a number of additional steps required to allow the Replicators to be able to communicate to the database layer

The steps below make the following assumptions:

  • You have enabled SSL using the correct procedures for your distribution of MySQL

  • You have generated, and have access to, the client level certificates and keys

  • If you are installing an Offboard extractor/applier, the client certificates and keys have been copied to the extractor/applier hosts

  1. If SSL has been enabled within the Tungsten installation, then you should have the following parameter enabled within your configuration:

    disable-security-controls=false

    As a result, you should have a number of files within /opt/continuent/share

    shell> ls -l
    total 20
    -rw-rw-r-- 1 tungsten tungsten  104 Jul 18 10:15 jmxremote.access
    -rw-rw-r-- 1 tungsten tungsten  729 Jul 18 10:15 passwords.store
    -rw-rw-r-- 1 tungsten tungsten 2268 Jul 18 10:15 tungsten_keystore.jks
    -rw-rw-r-- 1 tungsten tungsten 1079 Jul 18 10:15 tungsten_truststore.ts

    Note

    It's important to understand that the paramater above ONLY enables SSL between the various Tungsten components, e.g. between the replicators

    If this is the case, skip the next step and move onto step 3

  2. If you do not have SSL enabled within the installation and you require this, then follow the steps in Section 5.7.1, “Enabling Security” first

    If you do not require SSL between the Replicators, and only require SSL between the replicator and the database, then add the following parameters to your configuration, but do not run tpm update yet.

    java-truststore-path=/home/tungsten/tungsten_truststore.ts
    java-truststore-password=tungsten
    java-keystore-path=/home/tungsten/tungsten_keystore.jks
  3. Next, add the following parameters to your installation, but do not run tpm update yet:

    datasource-ssl-enabled=true
  4. You now need to convert the mysql client key to PKCS12 format. Adjust the path and filename in the example to suit your environment

    shell> openssl pkcs12 -export -in /home/tungsten/client-cert.pem \
    -inkey /home/tungsten/client-key.pem \
    -name mysql -out /home/tungsten/client-key.p12

    Important

    When prompted for a password, you MUST enter tungsten

  5. You now need to import the key, either into the existing keystore if it exists, or into a new one if SSL is not being enabled at the replicator level

    If Tungsten level SSL has been enabled

    shell> keytool -importkeystore -deststorepass tungsten \
    -destkeystore /opt/continuent/share/tungsten_keystore.jks \
    -srckeystore /home/tungsten/client-key.p12 -srcstoretype PKCS12

    If ONLY Database SSL is required

    shell> keytool -importkeystore -deststorepass tungsten \
    -destkeystore /home/tungsten/tungsten_keystore.jks \
    -srckeystore /home/tungsten/client-key.p12 -srcstoretype PKCS12

    When prompted for a password, enter tungsten

  6. Next, import the client certificate into the truststore

    If Tungsten level SSL has been enabled

    shell> keytool -import -alias mysql -trustcacerts -file /home/tungsten/ca.pem \
    -keystore /opt/continuent/share/tungsten_truststore.ts

    If ONLY Database SSL is required

    shell> keytool -import -alias mysql -trustcacerts -file /home/tungsten/ca.pem \
    -keystore /home/tungsten/tungsten_truststore.ts

    When prompted for a password, enter tungsten

  7. Finally, and only if Tungsten level SSL has been enabled, we need to create backups copies of the keystore and truststore as follows:

    shell> cp /opt/continuent/share/tungsten_truststore.ts /opt/continuent/share/tungsten_truststore.ts.orig
    shell> cp /opt/continuent/share/tungsten_keystore.jks /opt/continuent/share/tungsten_keystore.jks.orig
  8. Issue tpm update to apply the configuration

The replicators will be restarted as part of the update process, and should now be using SSL to connect successfully to MySQL