I have been too busy over the past six months to post much. Today I tested SSL-encrypted access for MySQL master-slave replication. The test notes are recorded here; I have not looked closely into the underlying mechanics, so please point out any mistakes.
I. Overview:
1. Architecture: 2 masters and 2 slaves. A slave is connected to only one master at a time and can be switched freely between the two masters.
2. Assume the 2 masters and 2 slaves are already configured and replicate using GTID. This post only changes that replication link to an SSL connection.
3. Details:
master1:
hostname: db01 ip: 10.100.31.141
master2:
hostname: db02 ip: 10.100.31.142
slave1:
hostname: db11 ip: 10.100.31.151
slave2:
hostname: db12 ip: 10.100.31.152
4. Re-create the replication user on both masters; the grant must now include REQUIRE SSL:
grant replication slave,replication client on *.* to slave@'%' identified by 'slave' require ssl;
5. Version information:
[root@db01 ~]# mysql --version
mysql Ver 15.1 Distrib 10.1.8-MariaDB, for Linux (x86_64) using readline 5.1
[root@db01 ~]# cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m
II. Configuring SSL at the operating-system level
1. Configure SSL on MASTER1
1.1. Create the CA on master1
cd /etc/pki/CA
rm -rf *
mkdir private newcerts certs crl
(umask 077;openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
touch index.txt serial crlnumber
echo 01 > serial
==============================================================================
[root@db01 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:exiao
Organizational Unit Name (eg, section) []:mysql
Common Name (eg, your name or your server's hostname) []:db01
Email Address []:
==============================================================================
1.2. Issue a certificate for master1 (db01) itself
mkdir /data01/mysql/ssl
cd /data01/mysql/ssl/
(umask 077;openssl genrsa -out master_db01.key 2048)
openssl req -new -key master_db01.key -out master_db01.csr -days 36500
openssl ca -in master_db01.csr -out master_db01.crt -days 36500
==============================================================================
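Steps 1.1 and 1.2 as one non-interactive script, added here as an example and not part of the original post: it builds the CA, signs the master1 server certificate with `-subj` instead of answering the prompts, and ends with the check worth running before any of this goes into my.cnf, `openssl verify` against the CA certificate that will later be copied to the slaves. Assumptions made by this example: a working directory passed as an argument instead of /etc/pki/CA and /data01/mysql/ssl, a self-contained openssl.cnf written by the script instead of the system one, a CA Common Name of `mysql-ca`, and a subjectAltName of `DNS:db01,IP:10.100.31.141` taken from the overview.

```shell
#!/bin/sh
# Added example, not the original post's commands. Recreates section 1.1
# (CA) and 1.2 (server certificate for master1) without interactive prompts.
set -eu

# make_mysql_ssl_certs WORKDIR HOST IP
#   Creates WORKDIR/CA (the CA of step 1.1) and WORKDIR/ssl/master_HOST.{key,csr,crt}
#   (the server certificate of step 1.2). Returns 0 only if the signed
#   certificate verifies against the CA, non-zero otherwise.
make_mysql_ssl_certs() {
    workdir=$1; host=$2; ip=$3
    ca="$workdir/CA"; ssl="$workdir/ssl"; cnf="$workdir/openssl.cnf"
    mkdir -p "$ca/private" "$ca/newcerts" "$ssl"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"

    # Minimal config so 'openssl ca' does not depend on the system openssl.cnf.
    # "$ca", "$host" and "$ip" are expanded by the shell; "\$dir" stays for OpenSSL.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$host,IP:$ip
EOF

    # Step 1.1: CA key (mode 600 via umask) and self-signed CA certificate.
    # The CA gets the assumed CN "mysql-ca": MySQL/MariaDB require the CA's
    # Common Name to differ from every server and client certificate CN.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cnf" -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=exiao/OU=mysql/CN=mysql-ca" \
        -out "$ca/cacert.pem" -days 36500

    # Step 1.2: server key, CSR, and CA-signed certificate for the master.
    (umask 077; openssl genrsa -out "$ssl/master_$host.key" 2048 2>/dev/null)
    openssl req -new -config "$cnf" -key "$ssl/master_$host.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=exiao/OU=mysql/CN=$host" \
        -out "$ssl/master_$host.csr"
    openssl ca -batch -notext -config "$cnf" -in "$ssl/master_$host.csr" \
        -out "$ssl/master_$host.crt" -days 36500

    # Chain check: the slaves will trust cacert.pem, so the server certificate
    # must verify against it. Prints "master_<host>.crt: OK" on success.
    openssl verify -CAfile "$ca/cacert.pem" "$ssl/master_$host.crt"
}

# Usage with constructed paths and the overview's master1 values:
#   make_mysql_ssl_certs /tmp/mysql-ssl-demo db01 10.100.31.141
```

The function's exit status is the `openssl verify` result, so it can gate the rest of a deployment script. The distinct CA Common Name is not cosmetic: MySQL documents that the Common Name of the server and client certificates must each differ from the CA certificate's Common Name, otherwise the certificate and key files do not work with OpenSSL-built servers. The `subjectAltName` covering both the hostname and the IP lets a slave connect with either `MASTER_HOST` value and still pass hostname verification if it is enabled.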