1. SSH - download and use software designed to secure communications.
2. SSL - set up and use SSL.
Many Linux daemons such as mysqld, httpd, vsftpd etc. support SSL.
In MySQL you can decide which users must use SSL, or require it for all
users.
Use a common CA for both clients and server.
Server:
ssl_cert is the public key (the certificate)
ssl_key is the private key
##Create a directory that will house all your keys for mysql
##/etc/ssl/mysql
cd /etc/ssl/
mkdir mysql
cd mysql/
## Generate the CA private key first (this step is missing from the original
## notes; ca-key.pem must exist before the next command can use it)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3660 -key ca-key.pem -out ca.pem
## The CA key and certificate (ca-key.pem and ca.pem) can now be used to generate subsequent keys.
## You will need a signing request to create a web of trust for the clients and servers.
## You need a private key, which is used as input to generate the output, which is the request.
## So create the server request and private key (Generating a 1024 bit RSA private key).
## The private key is used as input to generate a request (a certificate signing request).
openssl req -newkey rsa:2048 -days 3660 -nodes -keyout server-key.pem -out server-req.pem
## Since we are generating the private key and signing request for MySQL usage (for the mysql daemon - mysqld),
## let's generate a private key and a signing request with a more representative name to signify the daemon that will use it.
openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-server-key.pem -out mysql-server-req.pem
3. Remove the passphrase or password from the private key. This helps protect the
private key. (Because -nodes was given above, these keys were already written
unencrypted; either way the key file is stored in clear, so restrict it with
filesystem permissions so that only the mysql user can read it.)
4. Now sign the server certificate using the request and the keys from the CA
generated at the beginning (ca-key.pem and ca.pem).
## openssl x509 -req -in server-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl x509 -req -in mysql-server-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-server-cert.pem
The server certificate to be used by mysql has been created and is called mysql-server-cert.pem
We can also create client certificates to be used by the mysql clients. Steps:
1. Create client request and key: openssl req -newkey rsa:2048 -days 3660 -nodes -keyout client-key.pem -out client-req.pem
2. Remove the passphrase from the key: openssl rsa -in client-key.pem -out client-key.pem
3. Sign client cert: openssl x509 -req -in client-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Note: The client cert is signed with the request and the keys from the CA generated at
the beginning (ca-key.pem and ca.pem). Note also that the server and client
certificates above both get -set_serial 01; certificates issued by the same CA
should carry distinct serial numbers, so use a different serial (for example 02)
for the client certificate.
## Many Linux daemons such as mysqld, httpd, vsftpd etc. support SSL, but since I am
## working on certificates to be used by mysql I have tagged mysql on both the
## certificates to be used by the server and the clients.
openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-client-key.pem -out mysql-client-req.pem
openssl rsa -in mysql-client-key.pem -out mysql-client-key.pem
openssl x509 -req -in mysql-client-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-client-cert.pem
I had to update openssl: I was having errors without the updated version of openssl:
[root@centos01 mysql]# openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-client-key.pem -out mysql-client-req.pem
Generating a 2048 bit RSA private key
.....................................................................+++
.........................................................................+++
writing new private key to 'mysql-client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Florida
Locality Name (eg, city) [Default City]:Clearwater
Organization Name (eg, company) [Default Company Ltd]:Clarity
Organizational Unit Name (eg, section) []:Release
Common Name (eg, your name or your server's hostname) []:centos01
Email Address []:sefange@clarityservices.com
# Verify the server and client certificates you created for mysql:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
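The whole procedure above (CA key and certificate, server and client keys, signing requests, signing, verification) as one non-interactive script. This is an added example, not part of the original notes: the output directory, the validity period and the -subj values are placeholders to replace with your own. It differs from the notes in three deliberate ways: the CA private key is generated explicitly, the client certificate gets serial 02 instead of repeating the server's 01, and the key files are created readable by their owner only; check_mysql_certs reports whether the result chains to the CA and whether the keys are still locked down.

```shell
#!/bin/sh
# Added example: build the MySQL CA / server / client certificate set in one
# directory and verify it. Requires the openssl command-line tool.
# Placeholders: the directory argument, the validity in days, and the
# /C=XX/O=Example/CN=... subjects.

make_mysql_certs() (
    dir="$1"
    days="${2:-3660}"
    mkdir -p "$dir" || return 1
    cd "$dir" || return 1
    umask 077   # every file we create is owner-readable only until we relax it

    # 1. CA private key and self-signed CA certificate (the notes skip the
    #    genrsa step, but ca-key.pem must exist before req can use it)
    openssl genrsa -out ca-key.pem 2048 2>/dev/null || return 1
    openssl req -new -x509 -nodes -days "$days" -key ca-key.pem -out ca.pem \
        -subj "/C=XX/O=Example/CN=example-mysql-ca" 2>/dev/null || return 1

    # 2. Server private key + signing request. -nodes writes the key without a
    #    passphrase, so there is nothing to remove afterwards; -days is only
    #    meaningful at signing time, so it is left off the request.
    openssl req -newkey rsa:2048 -nodes -keyout mysql-server-key.pem \
        -out mysql-server-req.pem -subj "/C=XX/O=Example/CN=mysql-server" \
        2>/dev/null || return 1
    # 3. Sign the server request with the CA
    openssl x509 -req -in mysql-server-req.pem -days "$days" -CA ca.pem \
        -CAkey ca-key.pem -set_serial 01 -out mysql-server-cert.pem \
        2>/dev/null || return 1

    # 4. Client private key + request, signed with a different serial number:
    #    serials must be unique among certificates issued by one CA
    openssl req -newkey rsa:2048 -nodes -keyout mysql-client-key.pem \
        -out mysql-client-req.pem -subj "/C=XX/O=Example/CN=mysql-client" \
        2>/dev/null || return 1
    openssl x509 -req -in mysql-client-req.pem -days "$days" -CA ca.pem \
        -CAkey ca-key.pem -set_serial 02 -out mysql-client-cert.pem \
        2>/dev/null || return 1

    # Certificates are public; keys stay 0600. On a real server you would
    # additionally chown the server key to the mysql user.
    chmod 644 ca.pem mysql-server-cert.pem mysql-client-cert.pem
    rm -f mysql-server-req.pem mysql-client-req.pem

    # 5. Verify both leaf certificates chain to the CA
    openssl verify -CAfile ca.pem mysql-server-cert.pem mysql-client-cert.pem
)

# Returns 0 only if both certificates verify against ca.pem and no private key
# is readable by group or others (group/other permission bits all '-').
check_mysql_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/mysql-server-cert.pem" \
        "$dir/mysql-client-cert.pem" >/dev/null 2>&1 || return 1
    for k in ca-key.pem mysql-server-key.pem mysql-client-key.pem; do
        [ -f "$dir/$k" ] || return 1
        perms=$(ls -l "$dir/$k" | cut -c5-10)
        [ "$perms" = "------" ] || return 1
    done
    return 0
}

# Usage: sh this_script.sh /etc/ssl/mysql [days]
if [ -n "${1:-}" ]; then
    make_mysql_certs "$1" "${2:-3660}" && check_mysql_certs "$1" && echo "certificates OK"
fi
```

The resulting file names match the ones referenced in the [client] and [mysqld] option-file entries below; only the paths need to agree.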
Then point both the client and the server at the files in the MySQL option file (my.cnf):
[client]
ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/mysql-client-cert.pem
ssl-key=/etc/ssl/mysql/mysql-client-key.pem
[mysqld]
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/mysql-server-cert.pem
ssl-key=/etc/ssl/mysql/mysql-server-key.pem
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Connecting with the mysql client and running \s shows whether the connection is using SSL and which cipher:
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18-15, for Linux (x86_64) using 6.0
Connection id: 6
Current database:
Current user: root@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 1 min 47 sec
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18-15, for Linux (x86_64) using 6.0
Connection id: 7
Current database:
Current user: root@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 8 min 32 sec