Rechercher dans le manuel MySQL
17.3.9 Setting Up Replication to Use Encrypted Connections
To use an encrypted connection for the transfer of the binary log required during replication, both the master and the slave servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.
Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the master, and a similar certificate (from the same certificate authority) on each slave. You must also obtain suitable key files.
For more information on setting up a server and client for encrypted connections, see Section 6.4.1, “Configuring MySQL to Use Encrypted Connections”.
To enable encrypted connections on the master, you must create or
obtain suitable certificate and key files, and then add the
following configuration options to the master's configuration
within the [mysqld]
section of the master's
my.cnf
file, changing the file names as
necessary:
[mysqld]
ssl-ca=cacert.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.
The options are as follows:
--ssl-ca
: The path name of the Certificate Authority (CA) certificate file. (--ssl-capath
is similar but specifies the path name of a directory of CA certificate files.)--ssl-cert
: The path name of the server public key certificate file. This can be sent to the client and authenticated against the CA certificate that it has.--ssl-key
: The path name of the server private key file.
To enable encrypted connections on the slave, use the
CHANGE MASTER TO
statement. You can
either name the slave certificate and SSL private key files
required for the encrypted connection in the
[client]
section of the slave's
my.cnf
file, or you can explicitly specify
that information using the CHANGE MASTER
TO
statement. For more information on the
CHANGE MASTER TO
statement, see Section 13.4.2.1, “CHANGE MASTER TO Syntax”.
To name the slave certificate and key files using an option file, add the following lines to the
[client]
section of the slave'smy.cnf
file, changing the file names as necessary:[client] ssl-ca=cacert.pem ssl-cert=client-cert.pem ssl-key=client-key.pem
Restart the slave server, using the
--skip-slave-start
option to prevent the slave from connecting to the master. UseCHANGE MASTER TO
to specify the master configuration, and add theMASTER_SSL
option to connect using encryption:- -> MASTER_HOST='master_hostname',
- -> MASTER_USER='repl',
- -> MASTER_PASSWORD='password',
- -> MASTER_SSL=1;
Setting
MASTER_SSL=1
for a replication connection and then setting no furtherMASTER_SSL_
options corresponds to settingxxx
--ssl-mode=REQUIRED
for the client, as described in Section 6.4.2, “Command Options for Encrypted Connections”. WithMASTER_SSL=1
, the connection attempt only succeeds if an encrypted connection can be established. A replication connection does not fall back to an unencrypted connection, so there is no setting corresponding to the--ssl-mode=PREFERRED
setting for replication. IfMASTER_SSL=0
is set, this corresponds to--ssl-mode=DISABLED
.To name the slave certificate and SSL private key files using the
CHANGE MASTER TO
statement, if you did not do this in the slave'smy.cnf
file, add the appropriateMASTER_SSL_
options:xxx
- -> MASTER_SSL_CA = 'ca_file_name',
- -> MASTER_SSL_CAPATH = 'ca_directory_name',
- -> MASTER_SSL_CERT = 'cert_file_name',
- -> MASTER_SSL_KEY = 'key_file_name',
These options correspond to the
--ssl-
options with the same names, as described in Section 6.4.2, “Command Options for Encrypted Connections”. For these options to take effect,xxx
MASTER_SSL=1
must also be set. For a replication connection, specifying a value for either ofMASTER_SSL_CA
orMASTER_SSL_CAPATH
, or specifying these options in the slave'smy.cnf
file, corresponds to setting--ssl-mode=VERIFY_CA
. The connection attempt only succeeds if a valid matching Certificate Authority (CA) certificate is found using the specified information.To activate host name identity verification, add the
MASTER_SSL_VERIFY_SERVER_CERT
option:- -> MASTER_SSL_VERIFY_SERVER_CERT=1,
This option corresponds to the
--ssl-verify-server-cert
option, which was deprecated from MySQL 5.7 and removed in MySQL 8.0. For a replication connection, specifyingMASTER_SSL_VERIFY_SERVER_CERT=1
corresponds to setting--ssl-mode=VERIFY_IDENTITY
, as described in Section 6.4.2, “Command Options for Encrypted Connections”. For this option to take effect,MASTER_SSL=1
must also be set. Host name identity verification does not work with self-signed certificates.To activate certificate revocation list (CRL) checks, add the
MASTER_SSL_CRL
orMASTER_SSL_CRLPATH
option:- -> MASTER_SSL_CRL = 'crl_file_name',
- -> MASTER_SSL_CRLPATH = 'crl_directory_name',
These options correspond to the
--ssl-
options with the same names, as described in Section 6.4.2, “Command Options for Encrypted Connections”. If they are not specified, no CRL checking takes place.xxx
To specify lists of permitted ciphers and encryption protocols for the replication connection, add the
MASTER_SSL_CIPHER
andMASTER_TLS_VERSION
options:- -> MASTER_SSL_CIPHER = 'cipher_list',
- -> MASTER_TLS_VERSION = 'protocol_list',
The
MASTER_TLS_VERSION
option specifies the encryption protocols permitted for the replication connection. The format is like that for thetls_version
system variable, with one or more protocol names separated by commas. TheMASTER_SSL_CIPHER
option specifies the list of permitted ciphers for the replication connection, with one or more cipher names separated by colons. The protocols and ciphers that you can use in these lists depend on the SSL library used to compile MySQL. For information on how to specify these options, see Section 6.4.6, “Encrypted Connection Protocols and Ciphers”.After the master information has been updated, start the slave replication process:
You can use the
SHOW SLAVE STATUS
statement to confirm that an encrypted connection was established successfully.Requiring encrypted connections on the slave does not ensure that the master requires encrypted connections from slaves. If you want to ensure that the master only accepts replication slaves that connect using encrypted connections, create a replication user account on the master using the
REQUIRE SSL
option, then grant that user theREPLICATION SLAVE
privilege. For example:If you have an existing replication user account on the master, you can add
REQUIRE SSL
to it with this statement:
Traduction non disponible
Le manuel MySQL n'est pas encore traduit en français sur l'infobrol. Seule la version anglaise est disponible pour l'instant.
Document créé le 26/06/2006, dernière modification le 26/10/2018
Source du document imprimé : https://www.gaudry.be/mysql-rf-replication-solutions-encrypted-connections.html
L'infobrol est un site personnel dont le contenu n'engage que moi. Le texte est mis à disposition sous licence CreativeCommons(BY-NC-SA). Plus d'info sur les conditions d'utilisation et sur l'auteur.
Références
Ces références et liens indiquent des documents consultés lors de la rédaction de cette page, ou qui peuvent apporter un complément d'information, mais les auteurs de ces sources ne peuvent être tenus responsables du contenu de cette page.
L'auteur de ce site est seul responsable de la manière dont sont présentés ici les différents concepts, et des libertés qui sont prises avec les ouvrages de référence. N'oubliez pas que vous devez croiser les informations de sources multiples afin de diminuer les risques d'erreurs.