18.5.2 Group Replication Secure Socket Layer (SSL) Support

Inhoudsopgave

Group communication connections and distributed recovery connections can be secured using SSL. The following sections explain how to configure connections.

Configuring SSL for Group Communication

Secure sockets can be used for group communication connections between members of a group. The Group Replication system variable group_replication_ssl_mode is used to activate the use of SSL for group communication connections and specify the security mode for the connections. The default setting means that SSL is not used. The option has the following possible values:

Table 18.2 group_replication_ssl_mode configuration values

Value	Description
DISABLED	Establish an unencrypted connection (the default).
REQUIRED	Establish a secure connection if the server supports secure connections.
VERIFY_CA	Like REQUIRED, but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates.
VERIFY_IDENTITY	Like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is attempted.

The remainder of the configuration for Group Replication's group communication connections is taken from the server's SSL configuration. For more information on the options for configuring the server SSL, see Command Options for Encrypted Connections. The server SSL options that are applied to Group Replication's group communication connections are as follows:

Table 18.3 SSL Options

Server Configuration	Description
`ssl_key`	The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key.
`ssl_cert`	The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate.
`ssl_ca`	The path name of the Certificate Authority (CA) certificate file in PEM format.
`ssl_capath`	The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format.
`ssl_crl`	The path name of the file containing certificate revocation lists in PEM format.
`ssl_crlpath`	The path name of the directory that contains certificate revocation list files in PEM format.
`ssl_cipher`	The list of permissible ciphers for connection encryption.
`tls_version`	For client programs, a list of the TLS protocols the client permits for encrypted connections.

Important

In the list of TLS protocols specified in the tls_version system variable, ensure the specified versions are contiguous (for example, TLSv1,TLSv1.1,TLSv1.2,TLSv1.3). If there are any gaps in the list of protocols (for example, if you specified TLSv1.1,TLSv1.3, omitting TLS 1.2) Group Replication might be unable to make group communication connections.

The following example shows a section from a my.cnf file that configures SSL on a server, and activates SSL for Group Replication group communication connections:

[mysqld]
ssl_ca = "cacert.pem"
ssl_capath = "/.../ca_directory"
ssl_cert = "server-cert.pem"
ssl_cipher = "DHE-RSA-AEs256-SHA"
ssl_crl = "crl-server-revoked.crl"
ssl_crlpath = "/.../crl_directory"
ssl_key = "server-key.pem"
group_replication_ssl_mode= REQUIRED

Important

The ALTER INSTANCE RELOAD TLS statement, which reconfigures the server's SSL context from the current values of the system variables that define the context, does not change the SSL context for Group Replication's group communication connections while Group Replication is running. To apply the reconfiguration to these connections, you must issue STOP GROUP_REPLICATION followed by START GROUP_REPLICATION to restart Group Replication.

Inhoudsopgave Haut

Configuring SSL for Distributed Recovery

When a member joins the group, distributed recovery is carried out using a combination of a remote cloning operation, if available and appropriate, and an asynchronous replication connection. Both methods of state transfer require a replication user that has been set up for distributed recovery, as described in Section 18.2.1.3, “User Credentials”. A replication user that requires an SSL connection must be created before the server joining the group (the joining member) connects to the donor. Typically, this is set up at the time you are provisioning a server to join the group.

To create a replication user for distributed recovery that requires an SSL connection, issue these statements:

donor> SET SQL_LOG_BIN=0;
donor> CREATE USER 'rec_ssl_user'@'%' REQUIRE SSL;
donor> GRANT replication slave ON *.* TO 'rec_ssl_user'@'%';
donor> GRANT BACKUP_ADMIN ON *.* TO 'rec_ssl_user'@'%';
donor> SET SQL_LOG_BIN=1;

Assuming that all servers already in the group have a replication user set up to use SSL, you configure joining members to use those credentials when connecting to the donor by configuring the Group Replication recovery channel to use the credentials, as follows:

new_member> CHANGE MASTER TO MASTER_USER="rec_ssl_user" FOR CHANNEL "group_replication_recovery";

To configure secure distributed recovery connections, use Group Replication's dedicated distributed recovery SSL options. These options correspond to the server SSL options that are used for group communication connections, but they are only applied for distributed recovery connections. By default, distributed recovery connections do not use SSL, even if you activated SSL for group communication connections, and the server SSL options are not applied for distributed recovery connections. You must configure these connections separately.

If a remote cloning operation is used as part of distributed recovery, Group Replication automatically configures the clone plugin's SSL options to match your settings for the distributed recovery SSL options. (For details of how the clone plugin uses SSL, see Configuring a Secure Connection for Cloning.)

The distributed recovery SSL options are as follows:

group_replication_recovery_use_ssl: Set to ON to make Group Replication use SSL for distributed recovery connections, including remote cloning operations and state transfer from a donor's binary log.
group_replication_recovery_ssl_ca: The path name of the Certificate Authority (CA) file to use for distributed recovery connections. Group Replication automatically configures the clone SSL option clone_ssl_ca to match this.
group_replication_recovery_ssl_capath: The path name of a directory that contains trusted SSL certificate authority (CA) certificate files.
group_replication_recovery_ssl_cert: The path name of the SSL public key certificate file to use for distributed recovery connections. Group Replication automatically configures the clone SSL option clone_ssl_cert to match this.
group_replication_recovery_ssl_key: The path name of the SSL private key file to use for distributed recovery connections. Group Replication automatically configures the clone SSL option clone_ssl_cert to match this.
group_replication_recovery_ssl_verify_server_cert: Makes the distributed recovery connection check the server's Common Name value in the donor sent certificate. Setting this option to ON is the equivalent for distributed recovery connections of setting VERIFY_IDENTITY for the group_replication_ssl_mode option for group communication connections.
group_replication_recovery_ssl_crl: The path name of a file containing certificate revocation lists.
group_replication_recovery_ssl_crlpath: The path name of a directory containing certificate revocation lists.
group_replication_recovery_ssl_cipher: A list of permissible ciphers for connection encryption for the distributed recovery connection. Specify a list of one or more cipher names, separated by colons. For information about which encryption ciphers MySQL supports, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.

For example, issuing the following statements enables the use of SSL for distributed recovery connections, and identifies the paths to the certificate authority (CA) file, the public key certificate file, and the private key file that must be used for those connections:

new_member> SET GLOBAL group_replication_recovery_use_ssl=1;
new_member> SET GLOBAL group_replication_recovery_ssl_ca= '.../cacert.pem';
new_member> SET GLOBAL group_replication_recovery_ssl_cert= '.../client-cert.pem';
new_member> SET GLOBAL group_replication_recovery_ssl_key= '.../client-key.pem';

Zoek in de MySQL-handleiding

Nederlandse vertaling

U hebt gevraagd om deze site in het Nederlands te bezoeken. Voor nu wordt alleen de interface vertaald, maar nog niet alle inhoud.

Als je me wilt helpen met vertalingen, is je bijdrage welkom. Het enige dat u hoeft te doen, is u op de site registreren en mij een bericht sturen waarin u wordt gevraagd om u toe te voegen aan de groep vertalers, zodat u de gewenste pagina's kunt vertalen. Een link onderaan elke vertaalde pagina geeft aan dat u de vertaler bent en heeft een link naar uw profiel.

Bij voorbaat dank.

Document heeft de 26/06/2006 gemaakt, de laatste keer de 26/10/2018 gewijzigd
Bron van het afgedrukte document:https://www.gaudry.be/nl/mysql-rf-group-replication-secure-socket-layer-support-ssl.html

De infobrol is een persoonlijke site waarvan de inhoud uitsluitend mijn verantwoordelijkheid is. De tekst is beschikbaar onder CreativeCommons-licentie (BY-NC-SA). Meer info op de gebruiksvoorwaarden en de auteur.

Referenties

Manuel MySQL : https://dev.mysql.com/

Deze verwijzingen en links verwijzen naar documenten die geraadpleegd zijn tijdens het schrijven van deze pagina, of die aanvullende informatie kunnen geven, maar de auteurs van deze bronnen kunnen niet verantwoordelijk worden gehouden voor de inhoud van deze pagina.
De auteur Deze site is als enige verantwoordelijk voor de manier waarop de verschillende concepten, en de vrijheden die met de referentiewerken worden genomen, hier worden gepresenteerd. Vergeet niet dat u meerdere broninformatie moet doorgeven om het risico op fouten te verkleinen.

Inhoudsopgave Haut