Difference between revisions of "Mysql"
Line 2: | Line 2: | ||
= MySQL = |
= MySQL = |
||
== MySQL server with SSL == |
== MySQL server with SSL == |
||
+ | # Create a certificate as described in [[openssl|OpenSSL]] section. |
||
− | # Create openssl directory structure for MySQL |
||
− | |||
− | <pre><nowiki> |
||
− | mkdir -p /etc/pki/openssl |
||
− | mkdir -p /etc/pki/openssl/private |
||
− | mkdir -p /etc/pki/openssl/newcerts |
||
− | </nowiki></pre> |
||
− | |||
− | # Initialize Index database |
||
− | |||
− | <pre><nowiki> |
||
− | touch /etc/pki/openssl/index.txt |
||
− | </nowiki></pre> |
||
− | |||
− | # Create control serial number |
||
− | |||
− | <pre><nowiki> |
||
− | date +%Y%m%d > /etc/pki/openssl/serial |
||
− | </nowiki></pre> |
||
− | |||
− | # Copy default openssl configuration file |
||
− | |||
− | <pre><nowiki> |
||
− | cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/ |
||
− | </nowiki></pre> |
||
− | |||
− | # Change the default dir on the new configuration file |
||
− | |||
− | <pre><nowiki> |
||
− | replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf |
||
− | </nowiki></pre> |
||
− | |||
− | # Generate CA |
||
− | |||
− | <pre><nowiki> |
||
− | openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf |
||
− | </nowiki></pre> |
||
− | |||
− | # Create Server REQ and KEY |
||
− | |||
− | <pre><nowiki> |
||
− | openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf |
||
− | </nowiki></pre> |
||
− | |||
− | # Remove passphrase from KEY |
||
− | |||
− | <pre><nowiki> |
||
− | openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem |
||
− | </nowiki></pre> |
||
− | |||
− | # Sign server cert |
||
− | |||
− | <pre><nowiki> |
||
− | openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem |
||
− | </nowiki></pre> |
||
− | |||
− | # Create REQ and KEY for the client |
||
− | |||
− | <pre><nowiki> |
||
− | openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf |
||
− | </nowiki></pre> |
||
− | |||
− | # Remove passphrase from the client KEY |
||
− | |||
− | <pre><nowiki> |
||
− | openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem |
||
− | </nowiki></pre> |
||
− | |||
− | # Sign client cert |
||
− | |||
− | <pre><nowiki> |
||
− | openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem |
||
− | </nowiki></pre> |
||
− | |||
# Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created |
# Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created |
||
Revision as of 07:49, 5 February 2010
MySQL
MySQL server with SSL
- Create the certificates as described in the OpenSSL section: a CA certificate, plus a server certificate/key pair and a client certificate/key pair signed by that CA. The file names you generate must match the paths used in the configuration below.
- Add the following under each section in `/etc/my.cnf`; if a section does not exist yet, create it. Keep the private key files (`ssl-key`) readable only by the account that uses them (typically the `mysql` user for the server key), since anyone who can read a key can impersonate that endpoint.
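# Client defaults: present the client certificate and trust certificates
# signed by the local CA. On MySQL versions of this era, ssl-ca alone does
# not make the client refuse an unencrypted connection or check the server's
# hostname, so confirm with SHOW STATUS LIKE 'Ssl_cipher' after connecting.
[client]
ssl-ca=/etc/pki/openssl/cacert.pem
ssl-cert=/etc/pki/openssl/client-cert.pem
ssl-key=/etc/pki/openssl/client-key.pem

# Server: enable SSL with the server certificate. This only makes SSL
# available; to make it mandatory for an account, grant that account with
# REQUIRE SSL (or REQUIRE X509 to also demand a client certificate).
# server-key.pem should be owned by the mysql user with mode 0600.
[mysqld]
ssl-ca=/etc/pki/openssl/cacert.pem
ssl-cert=/etc/pki/openssl/server-cert.pem
ssl-key=/etc/pki/openssl/server-key.pem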
- Restart the server
# Restart so the new [mysqld] ssl-* settings are loaded. If the server does
# not come back, check its error log (a key file it cannot read is a common cause).
service mysqld restart
- Test SSL on MySQL
- Log in to the MySQL server
# Connect as root. -p with no value prompts for the password, so it does not
# appear on the command line (which would expose it in shell history and `ps`).
mysql -u root -p
- Check the SSL cipher negotiated for the session (an empty value means the connection is unencrypted)
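-- Ssl_cipher names the cipher negotiated for *this* session. An empty Value
-- means the connection is NOT encrypted even though the server has SSL
-- configured; fix the client settings before relying on it.
mysql> show status like 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.01 sec)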
# Done