Creating SSL files for MySQL 5.6
Official documentation: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-command-line
Create clean environment
mkdir /home/mysql/mysqlcerts
cd /home/mysql/mysqlcerts
Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
Create server certificate, remove passphrase, and sign it
server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Create client certificate, remove passphrase, and sign it
client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Creating SSL files for MySQL 5.7
Official documentation: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html
mkdir -p /home/mysql/mysqlcerts
/usr/local/mysql-5.7.21-linux-glibc2.12-x86_64/bin/mysql_ssl_rsa_setup --datadir=/home/mysql/mysqlcerts/
Configuration after creating the SSL files on the master
Replica 192.168.1.222
mkdir -p /home/mysql/mysqlcerts
Master
chown -R mysql:mysql /home/mysql/mysqlcerts/
scp ca.pem client-cert.pem client-key.pem root@192.168.1.222:/home/mysql/mysqlcerts/
Grant on the master
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.1.222' identified by '' require ssl;
Master my.cnf
#SSL
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/server-cert.pem
ssl-key=/home/mysql/mysqlcerts/server-key.pem
restart mysql
Replica
chown -R mysql:mysql /home/mysql/mysqlcerts/
my.cnf
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/client-cert.pem
ssl-key=/home/mysql/mysqlcerts/client-key.pem
Create replication:
change master to master_host='',master_user='',master_password='',master_log_file='mysql-bin.000001',master_log_pos=154, master_ssl=1, master_ssl_ca='/home/mysql/mysqlcerts/ca.pem', master_ssl_cert='/home/mysql/mysqlcerts/client-cert.pem', master_ssl_key='/home/mysql/mysqlcerts/client-key.pem' ,MASTER_CONNECT_RETRY=10;
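Verification:
Once SSL is configured on the master, clients log in over SSL by default:
mysql -utest -h192.168.1.223 -ptest -P3307
(This account can log in whether or not REQUIRE SSL is configured for it.)
The command to log in without SSL is:
mysql -utest -h192.168.1.223 -ptest -P3307 --ssl-mode=DISABLED
(If the account is configured with REQUIRE SSL, the login fails.)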
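A pre-flight check for the certificate files produced above, as an added example that is not part of the original page: it goes beyond openssl verify by also confirming that the private key is unencrypted and matches its certificate, that the certificate subject differs from the CA subject (the MySQL manual requires different Common Names), and that only the owner can access the key file. The helper name check_pair is an assumption, and the script assumes openssl and GNU stat are installed.

```shell
# Added example (not from the original page): check one certificate/key pair
# before it is referenced from my.cnf or CHANGE MASTER TO.
# check_pair is a hypothetical helper name. Requires openssl and GNU stat.
# Usage: check_pair CA_PEM CERT_PEM KEY_PEM   (returns 0 only if every check passes)

check_pair() {
    local ca="$1" cert="$2" key="$3" rc=0 cert_pub key_pub

    # 1. The certificate must chain to the CA named in ssl-ca / master_ssl_ca.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. The private key must belong to the certificate and carry no passphrase
    #    ("-passin pass:" makes an encrypted key fail instead of prompting).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || true
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is encrypted, unreadable, or does not match $cert"; rc=1
    fi

    # 3. The subject must differ from the CA subject (same Common Name for the
    #    CA and a server/client certificate is rejected by OpenSSL builds).
    if [ "$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)" = \
         "$(openssl x509 -in "$ca" -noout -subject 2>/dev/null)" ]; then
        echo "FAIL: $cert has the same subject as the CA"; rc=1
    fi

    # 4. Only the owner may access the private key. A key written through a
    #    shell redirect inherits the umask and is often mode 644.
    case "$(stat -c %a "$key" 2>/dev/null)" in
        *00) ;;
        *) echo "FAIL: $key is accessible to group/other; chmod 600 it"; rc=1 ;;
    esac

    return "$rc"
}

# Run directly as: sh check_pair.sh ca.pem server-cert.pem server-key.pem
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

Run it on the master against server-cert.pem and server-key.pem, and on the replica against the copied client-cert.pem and client-key.pem.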