First check whether openssl is installed on the host: rpm -qa | grep openssl
I. Make the Master server itself the CA server
[root@gyf ~]# cd /etc/pki/CA/
[root@gyf CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 Feb 22 2013 certs      issued certificates
drwxr-xr-x. 2 root root 4096 Feb 22 2013 crl        certificate revocation lists
drwxr-xr-x. 2 root root 4096 Feb 22 2013 newcerts   a copy of every newly issued certificate, named by serial number
drwx------. 2 root root 4096 Feb 24 18:55 private   the CA private key (root only, mode 0700)
(1) First generate the CA's own private key. It has to live under private/ in the CA directory, because the CA_default section of /etc/pki/tls/openssl.cnf expects it at /etc/pki/CA/private/cakey.pem:
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
The parentheses run the command in a subshell, so umask 077 applies only to this one command and the key file is created with mode 0600. genrsa generates an RSA private key; -out is the file it is written to; 2048 is the key length in bits.
(2) Generate the CA certificate
To obtain the CA root certificate we self-sign with the key just generated. Note that with -x509 the req command does not produce a certificate request at all: it emits a finished, self-signed certificate, which is exactly what a root CA needs.
[root@gyf CA]# openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
req        the OpenSSL command for certificate requests (and, with -x509, self-signed certificates).
-new       generate a new request; OpenSSL prompts for the subject (DN) fields.
-x509      output a self-signed certificate instead of a certificate request.
-days 365  validity of the certificate, counted from now. (365 days is short for a CA: once the CA certificate expires, every certificate it issued fails verification too.)
-key private/cakey.pem  the private key to use, i.e. the one generated in step (1).
-out cacert.pem  write the certificate to cacert.pem. The name matters: the CA_default section of openssl.cnf expects the CA certificate at /etc/pki/CA/cacert.pem, and that is the file copied to both servers in part V.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                 country code
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Cent64     the CA's name; the hostname was used here. Ideally the CA gets a CN of its own rather than the hostname that is reused for the master certificate below, so that the CA and server certificates can be told apart by subject.
Email Address []:
// create index.txt (the CA's certificate database; openssl ca refuses to run without it)
[root@gyf CA]# touch index.txt
// the next serial number to issue
[root@gyf CA]# echo 01 > serial
This creates the serial file with its initial value; openssl ca reads and increments it for every certificate it signs.
II. Create a certificate request for the Master and have the CA sign it
[root@gyf CA]# mkdir /usr/local/mysql/ssl
[root@gyf CA]# cd /usr/local/mysql/ssl
[root@gyf ssl]# (umask 077;openssl genrsa -out master.key 2048)
The original page omits the command that creates master.csr; it has the same form as the slave's request in part III (the CN entered was Cent64, as the signed certificate below shows):
[root@gyf ssl]# openssl req -new -key master.key -out master.csr
Sign the request with the CA. openssl ca takes the CA key, CA certificate, index.txt and serial file from the CA_default section of /etc/pki/tls/openssl.cnf:
[root@gyf ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140460142339912:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
This usually means the serial file has no usable initial value: openssl ca reads the next serial number from /etc/pki/CA/serial and needs it to contain a hexadecimal number. Write one to it and retry:
[root@gyf CA]# echo 01 > serial
[root@Cent64 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 25 07:30:37 2014 GMT
Not After : Feb 25 07:30:37 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = Default Company Ltd
commonName = Cent64
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B2:AF:8C:EA:4D:56:91:D6:B3:7B:05:12:9A:08:EE:7D:55:78:FC:F4
X509v3 Authority Key Identifier:
keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F
Certificate is to be certified until Feb 25 07:30:37 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
III. Create a certificate request on the Slave server
[root@gyf ~]# mkdir /usr/local/mysql/ssl
[root@gyf ~]# cd /usr/local/mysql/ssl/
[root@gyf ssl]# (umask 077;openssl genrsa -out slave.key 2048)
[root@Cent67 ssl]# openssl req -new -key slave.key -out slave.csr
(The original command also passed -days 365; on a plain request that option has no effect, the validity is set by the CA with openssl ca -days.)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Cent67
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mysql            (optional CSR attribute; openssl ca ignores it and it is not a key passphrase, so it can simply be left blank)
An optional company name []:
IV. Sign the Slave's certificate
###### copy the certificate request to the CA server for signing (only the CSR travels; slave.key never leaves the slave)
[root@Cent67 ssl]# scp slave.csr root@10.10.54.64:/tmp/
[root@Cent64 ssl]# openssl ca -in /tmp/slave.csr -out /tmp/slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 25 07:32:55 2014 GMT
Not After : Feb 25 07:32:55 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = Default Company Ltd
commonName = Cent67
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
73:A7:EA:D4:E4:A5:DF:CD:A0:48:7D:39:90:85:76:82:E7:AF:B4:54
X509v3 Authority Key Identifier:
keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F
Certificate is to be certified until Feb 25 07:32:55 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
###### copy the signed certificate back to the Slave
[root@Cent64 ssl]# scp /tmp/slave.crt root@10.10.54.67:/usr/local/mysql/ssl/
V. Copy the CA certificate to the Slave, and keep a copy for the Master (only the CA certificate is distributed; the CA private key stays in /etc/pki/CA/private on the CA host)
[root@Cent64 ssl]# scp /etc/pki/CA/cacert.pem root@10.10.54.67:/usr/local/mysql/ssl/
[root@Cent64 ssl]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
VI. Change the owner and group of the certificate files on Master and Slave to the "mysql" user, so that mysqld can read them
###### on the Master
[root@Cent64 ssl]# chown -R mysql:mysql /usr/local/mysql/ssl
[root@Cent64 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 Feb 25 15:35 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 Feb 25 15:30 master.crt
-rw-r--r-- 1 mysql mysql 1029 Feb 25 15:30 master.csr
-rw------- 1 mysql mysql 1675 Feb 25 15:30 master.key
###### on the Slave
[root@Cent67 ssl]# chown -R mysql:mysql /usr/local/mysql/ssl
[root@Cent67 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 Feb 25 17:05 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 Feb 25 17:04 slave.crt
-rw-r--r-- 1 mysql mysql 1029 Feb 25 17:02 slave.csr
-rw------- 1 mysql mysql 1679 Feb 25 17:02 slave.key
Check the modes: the .key files must stay 0600 (the umask in the genrsa step ensured that), readable by the mysql user only; the certificates and cacert.pem contain no secrets and may be world-readable. The .csr files are no longer needed once they have been signed and can be deleted.
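The same CA and certificate issuance as parts I to VI, as an added non-interactive shell example that is not from the original page. It signs with openssl x509 -req instead of openssl ca, so it needs no /etc/pki/CA directory, index.txt or serial file, and it ends with the checks worth running before pointing mysqld at the files: each certificate verifies against cacert.pem, each private key matches its certificate, and the keys are 0600. The output directory and the CN values are the caller's choice (the IP addresses used below are the page's master and slave addresses, chosen as CNs so that --ssl-verify-server-cert can succeed later); the CA key is written to the same directory only for simplicity and should be moved somewhere mysqld cannot read it, as the page does with /etc/pki/CA/private.

```shell
#!/bin/sh
# Added example, not from the original page: build the CA, issue the master and
# slave certificates non-interactively, and verify the result.
# Usage: sh make_mysql_certs.sh /usr/local/mysql/ssl 10.10.54.64 10.10.54.67
set -eu

# issue_cert <absolute dir> <name> <cn>: key + CSR + CA-signed leaf certificate.
# Runs in a subshell so the cd and umask do not leak into the caller.
issue_cert() (
    dir=$1; name=$2; cn=$3
    cd "$dir"
    umask 077                                   # private keys are created 0600
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -config req.cnf -key "$name.key" \
        -subj "/C=CN/ST=HeNan/CN=$cn" -out "$name.csr"
    openssl x509 -req -sha256 -in "$name.csr" -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -extfile leaf.ext -out "$name.crt" 2>/dev/null
    chmod 644 "$name.crt"                       # certificates are public
)

# make_mysql_ssl_certs <dir> <master_cn> <slave_cn>
make_mysql_ssl_certs() (
    mkdir -p "$1"
    dir=$(cd "$1" && pwd)
    cd "$dir"
    umask 077
    # Minimal req config so that -subj works regardless of the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
    # CA extensions: mark it as a CA, otherwise "openssl verify" rejects the chain.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > ca.ext
    # Leaf extensions: not a CA; usable as TLS server (master) and client (slave).
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' > leaf.ext

    # Part I: CA key and self-signed CA certificate (the page's cacert.pem).
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -sha256 -config req.cnf -key cakey.pem \
        -subj '/C=CN/ST=HeNan/CN=MySQL replication CA' -out ca.csr
    openssl x509 -req -sha256 -in ca.csr -signkey cakey.pem -days 3650 \
        -extfile ca.ext -out cacert.pem 2>/dev/null
    chmod 644 cacert.pem

    # Parts II-IV: one key/CSR/certificate per server. The CN must equal the
    # address the peer connects to if --ssl-verify-server-cert is to pass.
    issue_cert "$dir" master "$2"
    issue_cert "$dir" slave  "$3"
)

# verify_mysql_ssl_certs <dir>: every certificate must chain to cacert.pem and
# must match its private key (a mismatch makes mysqld report have_ssl=DISABLED).
verify_mysql_ssl_certs() {
    dir=$1
    for name in master slave; do
        # grep the "OK" line: old openssl versions exit 0 even on verify failure
        openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" 2>&1 | grep -q ': OK$' \
            || { echo "$name.crt does not verify against cacert.pem"; return 1; }
        cert_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt")
        key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
        [ "$cert_mod" = "$key_mod" ] \
            || { echo "$name.key does not match $name.crt"; return 1; }
        echo "$name: chain and key OK"
    done
}

# Stand-alone run with arguments; afterwards chown -R mysql:mysql the directory
# as in part VI and move cakey.pem out of it.
if [ "${1:-}" ]; then
    make_mysql_ssl_certs "$1" "${2:?master CN}" "${3:?slave CN}"
    verify_mysql_ssl_certs "$1"
fi
```

The two verification checks are the ones that catch the usual mistakes: a certificate signed by a different CA than the cacert.pem being shipped (chain failure), and a key regenerated after the CSR was signed (modulus mismatch); mysqld reports either case only as have_ssl = DISABLED plus an error-log line.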
VII. Edit the main configuration file on Master and Slave to enable SSL
MySQL 5.5 replication configuration
1. Plan the network and the master/slave hosts
master:10.10.54.64
slave:10.10.54.67
2. master config
vim /etc/my.cnf
[mysqld]
log-bin=master-bin
server-id=1
binlog_format=mixed                            # the original had "binlog_formate"; mysqld rejects it as an unknown variable and refuses to start
#enable SSL
ssl                                            # enable SSL support
ssl_ca = /usr/local/mysql/ssl/cacert.pem       # CA certificate used to verify peers
ssl_cert = /usr/local/mysql/ssl/master.crt     # this server's certificate
ssl_key = /usr/local/mysql/ssl/master.key      # this server's private key
Restart mysqld after editing my.cnf; the ssl_* options are only read at startup.
###### check that SSL is enabled on the master: have_ssl must be YES. DISABLED means mysqld was built with SSL but could not load the key or certificate (wrong path, or a file the mysql user cannot read); the reason is in the error log.
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
3. slave config
[mysqld]
log-bin=slave-bin
binlog_format=mixed                            # same typo fixed as on the master
server-id=10                                   # must be unique among all servers in the replication topology; it does not have to be larger than the master's, only different
#enable SSL
ssl                                            # enable SSL support
ssl_ca = /usr/local/mysql/ssl/cacert.pem       # CA certificate used to verify peers
ssl_cert = /usr/local/mysql/ssl/slave.crt      # this server's certificate
ssl_key = /usr/local/mysql/ssl/slave.key       # this server's private key
###### check that SSL is enabled on the Slave
[root@slave ~]# mysql
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/slave.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/slave.key |
+---------------+---------------------------------+
4. Create a replication user on the master and grant it privileges
mysql> grant replication slave on *.* to 'gyf'@'10.10.54.67' identified by 'aaa12345' require ssl;
mysql> flush privileges;
(FLUSH PRIVILEGES is not needed after GRANT, which updates the in-memory grant tables itself, but it is harmless.) REQUIRE SSL only forces the connection to be encrypted; it does not require the slave to present a certificate, so the password alone is enough to authenticate from 10.10.54.67. REQUIRE X509 additionally demands a client certificate signed by the configured CA, and REQUIRE SUBJECT pins the account to one specific certificate subject.
//test from the slave that the replication user can log in (note the double dash on --ssl-ca; the original had a single one)
[root@gyf ~]# mysql -ugyf -paaa12345 -h10.10.54.64 --ssl-ca=/usr/local/mysql/ssl/cacert.pem --ssl-cert=/usr/local/mysql/ssl/slave.crt --ssl-key=/usr/local/mysql/ssl/slave.key
Once logged in, \s (status) shows the cipher in use, and SHOW STATUS LIKE 'Ssl_cipher' returns an empty value if the session is not encrypted. Adding --ssl-verify-server-cert makes the client check that the master certificate's CN matches the host given with -h; with the certificates issued above that fails, because the master certificate carries CN=Cent64 rather than 10.10.54.64. Passing the password with -p on the command line also exposes it to every local user via ps; -p alone prompts for it instead.
5. Check the current binary log file and position on the master
root@(none) 17:08>show master status;
+-------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000007 | 343 | | |
+-------------------+----------+--------------+------------------+
The File and Position reported here are what CHANGE MASTER TO on the slave must point at. The line below shows the general form; substitute the values actually reported (or the ones recorded by mysqldump --master-data in step 6):
CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=107;
Extension: RESET MASTER deletes all existing binary logs and starts a fresh one numbered .000001. Only run it before the slave has been set up; any slave still pointing at the old logs breaks.
6. Back up the data on the master and restore the backup on the slave
Either stream the dump straight into the slave:
[root@gyf ~]# mysqldump -uroot -paaa12345 --databases employees |mysql -uroot -paaa12345 -h10.10.54.67
or dump to a file first. --master-data=2 writes the master's binary log file and position as a commented CHANGE MASTER TO line at the top of the dump (that is the position to use in step 7), --single-transaction takes a consistent InnoDB snapshot without locking the tables, and --flush-logs rotates the binary log at the moment of the dump:
[root@nan86 tmp]# mysqldump -uroot -paaa12345 --master-data=2 --single-transaction --flush-logs --databases employees >employees.sql
[root@gyf tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql
ERROR 1130 (HY000): Host '10.10.54.64' is not allowed to connect to this MySQL server
The slave's root account only permits local logins; the fix used here was to open it for the master's address:
mysql> grant all privileges on *.* to root@10.10.54.64 identified by 'aaa12345';
mysql> flush privileges;
[root@nan86 tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql
Two caveats. A remote root with ALL PRIVILEGES is a standing, network-reachable administrative account: either add REQUIRE SSL to it and drop it once the restore is done, or copy employees.sql to the slave and load it locally instead. And unless the mysql client is given the --ssl-* options from step 4, the whole dump crosses the network in the clear, which defeats the point of encrypting the replication stream.
7. Run CHANGE MASTER on the slave. master_log_file and master_log_pos must be the values from step 5 or from the dump's --master-data comment (the values in the statement below differ from the SHOW MASTER STATUS output shown above; use the real ones). master_ssl=1 together with the three file options makes the I/O thread connect over SSL and present slave.crt as its client certificate, which is what REQUIRE X509 on the account would check. Consider adding master_ssl_verify_server_cert=1 so the slave also verifies that the master certificate's CN matches master_host; with this setup that requires a master certificate issued for CN=10.10.54.64.
mysql> change master to master_host='10.10.54.64',master_user='gyf',
master_password='aaa12345',
master_log_file='master-bin.000001',master_log_pos=107,master_ssl=1,
master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
master_ssl_cert='/usr/local/mysql/ssl/slave.crt',
master_ssl_key='/usr/local/mysql/ssl/slave.key';
8. Start the slave
root@(none) 19:02>start slave;
9. Check the slave status
Both the I/O thread and the SQL thread must show Yes. (\G already terminates the statement; a trailing ; after it only produces "ERROR: No query specified".) The output is truncated here; further down it also contains Master_SSL_Allowed, which must read Yes for an SSL-protected link, the Master_SSL_* file paths, and Seconds_Behind_Master.
root@(none) 19:02>show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 10.10.54.64
Master_User: gyf
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000007
Read_Master_Log_Pos: 343
Relay_Log_File: Cent67-relay-bin.000002
Relay_Log_Pos: 254
Relay_Master_Log_File: master-bin.000007
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
// each thread can also be stopped on its own
mysql> STOP SLAVE IO_THREAD;
mysql> STOP SLAVE SQL_THREAD;
### Test
On the master
root@(none) 17:11>create database a;
root@(none) 17:25>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| a |
| employees |
| mysql |
| performance_schema |
| test |
+--------------------+
On the slave
root@(none) 19:04>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| a |
| employees |
| mysql |
| performance_schema |
| test |
+--------------------+