mysql replication支持ssl(一主一從)
因爲mysql的主從複製是明文傳送的,但若是在生產環境中跨網絡咱們使用的主從仍是明文傳送的話,
就保證不了數據的安全性,爲了解決這一問題,
咱們須要加密進行傳送,也就是基於SSL的加密方法進行傳輸數據。
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
修改配置文件
在Master上:
vi /etc/my.cnf
[mysqld]
log-bin=master-bin
binlog_format=mixed
server-id=1
ssl
/etc/init.d/mysqld restart
在Slave上:
vi /etc/my.cnf
[mysqld]
log-bin=slave-bin
binlog_format=mixed
server-id=10
ssl
/etc/init.d/mysqld restart
(1)將master服務器本身作成CA服務器
[root@nan86 tmp]# cd /etc/pki/CA/
[root@nan86 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
........+++
e is 65537 (0x10001)
[root@nan86 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:PuDong
Organization Name (eg, company) [Default Company Ltd]:Allen
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:master.allen.com
Email Address []:
[root@nan86 CA]# touch index.txt
[root@nan86 CA]# echo 01>serial
(2)爲master建立證書申請並由CA服務器簽發證書
[root@nan86 CA]# mkdir /usr/local/mysql/ssl
[root@nan86 CA]# cd /usr/local/mysql/ssl/
[root@nan86 ssl]# (umask 077;openssl genrsa -out master.key 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
................................................................................................................+++
e is 65537 (0x10001)
[root@nan86 ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:PuDong
Organization Name (eg, company) [Default Company Ltd]:Allen
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:master.allen.com
Email Address []:master@allen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nan86 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 24 10:41:53 2014 GMT
Not After : Feb 24 10:41:53 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = Allen
organizationalUnitName = Tech
commonName = master.allen.com
emailAddress = master@allen.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AA:9B:97:2D:72:00:38:55:DB:77:86:3E:87:1C:30:C4:12:BA:69:F0
X509v3 Authority Key Identifier:
keyid:F4:DD:53:C2:28:E4:C9:1B:F0:CA:1F:5F:79:35:E5:32:4E:7A:55:39
Certificate is to be certified until Feb 24 10:41:53 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(3)爲slave服務器建立證書申請
在slave
[root@nan85 ~]# mkdir /usr/local/mysql/ssl
[root@nan85 ~]# cd /usr/local/mysql/ssl/
[root@nan85 ssl]# (umask 077;openssl genrsa -out slave.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........+++
e is 65537 (0x10001)
[root@nan85 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:PuDong
Organization Name (eg, company) [Default Company Ltd]:Allen
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:slave.allen.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(4)爲slave服務器簽署證書
#####將證書申請請求拷貝到CA服務器簽署
slave上
[root@nan85 ssl]# scp slave.csr 10.10.54.86:/tmp/
在master上
[root@nan86 tmp]# openssl ca -in /tmp/slave.csr -out /tmp/slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 24 11:09:32 2014 GMT
Not After : Feb 24 11:09:32 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = Allen
organizationalUnitName = Tech
commonName = slave.allen.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7C:5A:7F:49:88:29:8C:C3:33:7B:E7:46:71:C8:68:47:60:F5:69:27
X509v3 Authority Key Identifier:
keyid:F4:DD:53:C2:28:E4:C9:1B:F0:CA:1F:5F:79:35:E5:32:4E:7A:55:39
Certificate is to be certified until Feb 24 11:09:32 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#####簽署好證書申請拷貝到slave服務器
在主上:
[root@nan86 tmp]# scp /tmp/slave.crt 10.10.54.85:/usr/local/mysql/ssl/
(5)將CA證書拷貝到slave服務器一份併爲master拷貝一份
主機:
[root@nan86 tmp]# scp /etc/pki/CA/cacert.pem 10.10.54.85:/usr/local/mysql/ssl/
[root@nan86 tmp]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
(6)修改master和slave服務器證書屬主、屬組爲"mysql"用戶
主機:
[root@nan86 tmp]# chown -R mysql.mysql /usr/local/mysql/ssl/
[root@nan86 tmp]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1330 2月 24 19:17 cacert.pem
-rw-r--r-- 1 mysql mysql 4532 2月 24 18:42 master.crt
-rw-r--r-- 1 mysql mysql 1054 2月 24 18:39 master.csr
-rw------- 1 mysql mysql 1679 2月 24 18:36 master.key
從機:
[root@nan85 ssl]# chown -R mysql.mysql /usr/local/mysql/ssl/
[root@nan85 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1330 2月 24 19:16 cacert.pem
-rw-r--r-- 1 mysql mysql 4456 2月 24 19:13 slave.crt
-rw-r--r-- 1 mysql mysql 1009 2月 24 18:47 slave.csr
-rw------- 1 mysql mysql 1675 2月 24 18:45 slave.key
(7)在master與slave服務器修改主配置文件開啓SSL加密功能
####修改master數據庫
[root@nan86 tmp]# vim /etc/my.cnf
ssl_ca=/usr/local/mysql/ssl/cacert.pem
ssl_cert=/usr/local/mysql/ssl/master.crt
ssl_key=/usr/local/mysql/ssl/master.key
[root@nan86 tmp]# /etc/init.d/mysqld restart
####修改slave數據庫
[root@nan85 ssl]# vim /etc/my.cnf
ssl_ca=/usr/local/mysql/ssl/cacert.pem
ssl_cert=/usr/local/mysql/ssl/slave.crt
ssl_key=/usr/local/mysql/ssl/slave.key
[root@nan85 ssl]# /etc/init.d/mysqld restart
(8)在master服務器查看SSL加密是否開啓,而後建立受權一個基於密鑰認證的用戶
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
mysql> grant replication client,replication slave on *.* to 'slave'@'10.10.54.85' identified by 'slave' require ssl;
Query OK, 0 rows affected (1.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
(9)查看master服務器二進制日誌文件和事件位置用於slave服務器連接從這個位置開始複製
mysql> show master status;
+-------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000021 | 806 | | |
+-------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
(10)測試使用加密用戶指定的密鑰連接服務器
在slave上
[root@nan85 ssl]# mysql -uroot -p123 -h 10.10.54.86 --ssl-ca=/usr/local/mysql/ssl/cacert.pem --ssl-cert=/usr/local/mysql/ssl/slave.crt --ssl-key=/usr/local/mysql/ssl/slave.key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 33
Server version: 5.5.30-log Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
(11)查看slave服務器SSL是否開啓並鏈接master服務器
#####產看是否開啓SSL
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/slave.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/slave.key |
+---------------+---------------------------------+
#####連接master服務器
change master to
master_host='10.10.54.86',master_user='slave',master_password='slave',
master_log_file='master-bin.000021',master_log_pos=806,master_ssl=1,
master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
master_ssl_cert='/usr/local/mysql/ssl/slave.crt',
master_ssl_key='/usr/local/mysql/ssl/slave.key';
#####獲取命令幫助
###@@@@@@@@@@@
mysql> help change master to
| MASTER_SSL = {0|1} #是否使用SSL功能
| MASTER_SSL_CA = 'ca_file_name' #CA證書位置
| MASTER_SSL_CERT = 'cert_file_name' #指定本身的證書文件
| MASTER_SSL_KEY = 'key_file_name' #指定本身的密鑰文件
(12)查看slave服務器的狀態
mysql> start slave;
Query OK, 0 rows affected (0.00 sec)
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Connecting to master
Master_Host: 10.10.54.86
Master_User: slave
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000021
Read_Master_Log_Pos: 353
Relay_Log_File: nan85-relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: master-bin.000021
Slave_IO_Running: Connecting
Slave_SQL_Running: Yes
Replicate_Do_DB: a
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 353
Relay_Log_Space: 107
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /usr/local/mysql/ssl/slave.key
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 0
1 row in set (0.00 sec)
ERROR:
No query specified
基於SSL複製的結果驗證
(1)在master服務器上建立數據庫
[root@nan86 tmp]# mysql -uroot -p123456 -e 'create database slave;'
[root@nan86 tmp]# mysql -uroot -p123456 -e 'show databases';
+--------------------+
| Database |
+--------------------+
| information_schema |
| employees |
| mysql |
| performance_schema |
| slave |
| test |
+--------------------+
(2)登陸slave服務器驗證slave數據庫是否存在
[root@nan85 ssl]# mysql -uroot -p123456 -e 'show databases';
+--------------------+
| Database |
+--------------------+
| information_schema |
| employees |
| mysql |
| performance_schema |
| slave |
| test |
+--------------------+
相關文章
- 1. mysql replication支持ssl,一主一從 +CA服務器
- 2. mysql主從(replication)
- 3. Linux Centos下MySQL主從Replication同步配置(一主一從)
- 4. mysql replication(主從複製)(一)MS模式
- 5. MySQL Replication之主從切換
- 6. MYSQL Replication 主從配置
- 7. MySQL 5.5主從複製(Replication)
- 8. MySQL Replication主從複製
- 9. MySQL 的主從 Replication同步
- 10. 【MySQL 5.7.17】從主從複製到Group Replication
- 更多相關文章...
- • 一對一關聯查詢 - MyBatis教程
- • R 繪圖 - 中文支持 - R 語言教程
- • RxJava操作符(一)Creating Observables
- • Kotlin學習(一)基本語法
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. mysql replication支持ssl,一主一從 +CA服務器
- 2. mysql主從(replication)
- 3. Linux Centos下MySQL主從Replication同步配置(一主一從)
- 4. mysql replication(主從複製)(一)MS模式
- 5. MySQL Replication之主從切換
- 6. MYSQL Replication 主從配置
- 7. MySQL 5.5主從複製(Replication)
- 8. MySQL Replication主從複製
- 9. MySQL 的主從 Replication同步
- 10. 【MySQL 5.7.17】從主從複製到Group Replication