
Mysql5.7 add SSL authentication

2022-06-21 15:17:00 BlogZhang


I. Check the server's MySQL environment

1. Check whether SSL is enabled: when have_ssl shows YES, the server supports encrypted connections (an individual connection is encrypted only if it actually negotiates TLS).

show global variables like '%ssl%';

2. Check the database version

select version();

3. Check the database port

show variables like 'port';

4. Check the database data directory

show variables like 'datadir';

II. Configure certificates

Generate the certificates with openssl.

1. Generate a CA Private key

openssl genrsa 2048 > ca-key.pem

2. Generate the CA certificate from the CA private key

openssl req -new -x509 -nodes -days 99999 -key ca-key.pem -out ca.pem

3. Create the MySQL server private key and certificate request

openssl req -newkey rsa:2048 -days 99999 -nodes -keyout server-key.pem -out server-req.pem

4. Convert the private key to RSA private key file format

openssl rsa -in server-key.pem -out server-key.pem

5. Sign the server certificate with the CA certificate

openssl x509 -req -in server-req.pem -days 99999 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

6. Create the client's RSA private key and certificate request

openssl req -newkey rsa:2048 -days 99999 -nodes -keyout client-key.pem -out client-req.pem

Note: fill the Common Name field with the IP or domain name of the application server, i.e. the address from which connections to the database are made. The Common Name of the server certificate and of the client certificate must each differ from the Common Name of the CA certificate; otherwise the files do not work with servers built against OpenSSL.

7. Convert the generated private key to RSA private key file format

openssl rsa -in client-key.pem -out client-key.pem

8. Sign the client certificate with the CA certificate

openssl x509 -req -in client-req.pem -days 99999 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Note: copy the generated client files (client-*) to the application server.

9. List all the SSL files

ca-key.pem  
ca.pem
client-cert.pem
client-key.pem
client-req.pem
server-cert.pem
server-key.pem
server-req.pem
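The eight openssl steps above, as an added example that is not part of the original post: a non-interactive script that generates the CA, server and client files, then runs the checks worth doing before handing the files to MySQL (chain verification, key/certificate match, and the rule that the leaf Common Names differ from the CA's). The directory, the 365-day validity, the Common Names and the script name gen-mysql-ssl.sh are assumptions chosen for the example, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: Part II of the post as a
# non-interactive script plus sanity checks. Directory, validity period and
# Common Names are assumptions for the example.
set -eu

# gen_mysql_certs DIR SERVER_CN CLIENT_CN
# Writes ca.pem, ca-key.pem, server-*.pem and client-*.pem into DIR.
gen_mysql_certs() {
    dir=$1; server_cn=$2; client_cn=$3
    mkdir -p "$dir"
    # Steps 1-2: CA key and self-signed CA certificate. The CA's CN must differ
    # from the server and client CNs, otherwise MySQL rejects the files.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key "$dir/ca-key.pem" \
        -subj "/CN=Example_MySQL_CA" -out "$dir/ca.pem"
    # Steps 3-5 (server) and 6-8 (client): key, request, CA-signed certificate.
    # RFC 5280 requires serial numbers to be unique per issuer, so the two
    # leaf certificates get different -set_serial values (the post uses 01 twice).
    serial=1
    for role_cn in "server=$server_cn" "client=$client_cn"; do
        role=${role_cn%%=*}; cn=${role_cn#*=}
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$role-key.pem" \
            -subj "/CN=$cn" -out "$dir/$role-req.pem" 2>/dev/null
        # Rewrite the key in plain RSA PEM form, as in the post's steps 4 and 7
        openssl rsa -in "$dir/$role-key.pem" -out "$dir/$role-key.pem" 2>/dev/null
        openssl x509 -req -in "$dir/$role-req.pem" -days 365 -CA "$dir/ca.pem" \
            -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
            -out "$dir/$role-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
    # Certificates may be world-readable; private keys are owner-only
    chmod 644 "$dir"/*.pem
    chmod 600 "$dir"/*-key.pem
}

# verify_mysql_certs DIR
# Returns 0 when both leaf certificates chain to ca.pem, match their private
# keys, and carry a subject different from the CA's.
verify_mysql_certs() {
    dir=$1
    ca_subject=$(openssl x509 -noout -subject -in "$dir/ca.pem")
    for role in server client; do
        openssl verify -CAfile "$dir/ca.pem" "$dir/$role-cert.pem" >/dev/null 2>&1 || return 1
        [ "$(openssl x509 -noout -subject -in "$dir/$role-cert.pem")" != "$ca_subject" ] || return 1
        # A certificate and its key share the RSA modulus; a mismatch means the
        # wrong file was copied or renamed
        [ "$(openssl x509 -noout -modulus -in "$dir/$role-cert.pem")" = \
          "$(openssl rsa -noout -modulus -in "$dir/$role-key.pem" 2>/dev/null)" ] || return 1
    done
}

# mysqld_ssl_snippet DIR
# Prints the [mysqld] lines from Part III, step 3, pointing at DIR.
mysqld_ssl_snippet() {
    printf '[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
        "$1" "$1" "$1"
}

# Usage: sh gen-mysql-ssl.sh /tmp/mysql-ssl db.example.internal app.example.internal
if [ $# -eq 3 ]; then
    gen_mysql_certs "$1" "$2" "$3"
    verify_mysql_certs "$1"
    echo "certificates in $1 verified"
    mysqld_ssl_snippet "$1"
fi
```

Run verify_mysql_certs again after copying the files into the data directory (Part III, step 1): a failed chain check at that point usually means an older ca.pem was already present there and was not overwritten.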

III. Configure the SSL certificates in the database

1. Copy the CA certificate and server SSL files to the MySQL data directory

cp ca.pem server-*.pem /www/server/data

Note: /www/server/data is the data directory found while checking the environment; change it to match your setup.

2. Change the owner and group of the CA certificate and server SSL files in the MySQL data directory to mysql

chown -v mysql:mysql /www/server/data/{ca,server*}.pem

3. Edit the MySQL configuration file and add the SSL settings

vi /etc/my.cnf

Add the following under the [mysqld] section:

[mysqld]
ssl-ca=/www/server/data/ca.pem
ssl-cert=/www/server/data/server-cert.pem
ssl-key=/www/server/data/server-key.pem

4. Restart the MySQL service and check the SSL status; when both have_openssl and have_ssl are YES, SSL has been enabled successfully

service mysqld restart
show variables like 'have%ssl%';

5. Test SSL availability: create a user that is required to connect over SSL

grant all on *.* to 'test'@'127.0.0.1' identified by 'test' require SSL;

Note: replace 127.0.0.1 with the application server's IP.

6. Connect with the password only

mysql -utest -ptest -h 127.0.0.1

The following error is reported:

ERROR 1045 (28000): Access denied for user 'test1'@'124.222.67.220' (using password: YES)

(using password: YES) shows that a password was sent; the password is correct, but the connection did not pass the SSL check.

Note: if the MySQL port is not 3306, add -P <port number> to the command.

7. Connect over SSL with the client key and certificate plus the password, and view the connection status

mysql -utest -ptest -h 127.0.0.1 --ssl-cert=client-cert.pem --ssl-key=client-key.pem

After connecting, run \s to view the status.

Before encryption:
SSL: Not in use

After encryption:
SSL: Cipher in use is DHE-RSA-AES256-GCM-SHA384

Note: start the client from the directory that contains client-cert.pem and client-key.pem, or give the full certificate paths on the command line.

Example: mysql -utest -ptest -h 127.0.0.1 --ssl-cert=/root/client-cert.pem --ssl-key=/root/client-key.pem
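The check in steps 6 and 7 in scriptable form, as an added example that is not part of the original post: rather than reading the "SSL:" line of \s by eye, it asks the server for the session's Ssl_cipher status variable and fails when the value is empty, so it can run from a deployment check or a monitoring job. The password is expected to come from the client's option file or a login path rather than from argv, where other local users can read it in the process list. MYSQL_CLIENT and the script name check-mysql-ssl.sh are assumptions for the example (MYSQL_CLIENT only exists so a test can substitute a fake client).

```shell
#!/bin/sh
# Added example, not from the original post: scriptable version of the \s
# check in Part III, steps 6-7. MYSQL_CLIENT is an assumed hook for testing.
set -eu

# mysql_session_cipher HOST USER [extra mysql client options...]
# Prints the negotiated cipher, or an empty line when the session is plaintext.
mysql_session_cipher() {
    host=$1; user=$2; shift 2
    # -N -B: no column header, tab-separated -> "Ssl_cipher<TAB><cipher-or-empty>"
    out=$("${MYSQL_CLIENT:-mysql}" -N -B -h "$host" -u "$user" "$@" \
        -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || return 1
    printf '%s\n' "$out" | cut -f2
}

# require_ssl_session HOST USER [extra mysql client options...]
# Exit status 0 only when the session negotiated a cipher.
require_ssl_session() {
    cipher=$(mysql_session_cipher "$@") || return 1
    if [ -z "$cipher" ]; then
        echo "session to $1 as $2 is NOT encrypted" >&2
        return 1
    fi
    echo "session to $1 as $2 encrypted with $cipher"
}

# Usage (certificate paths are placeholders):
#   sh check-mysql-ssl.sh 127.0.0.1 test --ssl-mode=REQUIRED \
#       --ssl-cert=/root/client-cert.pem --ssl-key=/root/client-key.pem
# --ssl-mode=REQUIRED (MySQL 5.7.11+) makes the client itself abort instead
# of silently falling back to a plaintext session.
if [ $# -ge 2 ]; then
    require_ssl_session "$@"
fi
```

Pairing the server-side REQUIRE SSL from step 5 with the client-side --ssl-mode=REQUIRED closes the gap from both ends: the server refuses plaintext logins for that account, and the client refuses to send credentials over a plaintext channel even if it is pointed at a server where SSL is not enabled.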

Copyright notice: this article was written by [BlogZhang]; please include the original link when reposting. Thanks.
Original article: https://yzsam.com/2022/02/202202221214563619.html