Mysql: Difference between revisions
From Bashlinux
Jump to navigationJump to search
Content deleted Content added
No edit summary |
Redirected page to MySQL |
||
| (13 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
#REDIRECT [[MySQL]] |
|||
__NOTOC__ |
|||
= MySQL = |
|||
== MySQL server with SSL == |
|||
# Create openssl directory structure for MySQL |
|||
<pre><nowiki> |
|||
mkdir -p /etc/pki/openssl |
|||
mkdir -p /etc/pki/openssl/private |
|||
mkdir -p /etc/pki/openssl/newcerts |
|||
</nowiki></pre> |
|||
# Initialize Index database |
|||
<pre><nowiki> |
|||
touch /etc/pki/openssl/index.txt |
|||
</nowiki></pre> |
|||
# Create control serial number |
|||
<pre><nowiki> |
|||
date +%Y%m%d > /etc/pki/openssl/serial |
|||
</nowiki></pre> |
|||
# Copy default openssl configuration file |
|||
<pre><nowiki> |
|||
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/ |
|||
</nowiki></pre> |
|||
# Change the default dir on the new configuration file |
|||
<pre><nowiki> |
|||
replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf |
|||
</nowiki></pre> |
|||
# Generate CA |
|||
<pre><nowiki> |
|||
openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf |
|||
</nowiki></pre> |
|||
# Create Server REQ and KEY |
|||
<pre><nowiki> |
|||
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf |
|||
</nowiki></pre> |
|||
# Remove passphrase from KEY |
|||
<pre><nowiki> |
|||
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem |
|||
</nowiki></pre> |
|||
# Sign server cert |
|||
<pre><nowiki> |
|||
openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem |
|||
</nowiki></pre> |
|||
# Create REQ and KEY for the client |
|||
<pre><nowiki> |
|||
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf |
|||
</nowiki></pre> |
|||
# Remove passphrase from the client KEY |
|||
<pre><nowiki> |
|||
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem |
|||
</nowiki></pre> |
|||
# Sign client cert |
|||
<pre><nowiki> |
|||
openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem |
|||
</nowiki></pre> |
|||
# Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created |
|||
<pre><nowiki> |
|||
[client] |
|||
ssl-ca=/etc/pki/openssl/cacert.pem |
|||
ssl-cert=/etc/pki/openssl/client-cert.pem |
|||
ssl-key=/etc/pki/openssl/client-key.pem |
|||
[mysqld] |
|||
ssl-ca=/etc/pki/openssl/cacert.pem |
|||
ssl-cert=/etc/pki/openssl/server-cert.pem |
|||
ssl-key=/etc/pki/openssl/server-key.pem |
|||
</nowiki></pre> |
|||
# Restart the server |
|||
<pre><nowiki> |
|||
service mysqld restart |
|||
</nowiki></pre> |
|||
# Test ssl on Mysql |
|||
## Login into MySQL Server |
|||
<pre><nowiki> |
|||
mysql -u root -p |
|||
</nowiki></pre> |
|||
# Check SSL Cipher |
|||
<pre><nowiki> |
|||
mysql> show status like 'Ssl_cipher'; |
|||
+--------------+-------------------+ |
|||
| Variable_name| Value | |
|||
+--------------+-------------------+ |
|||
| Ssl_cipher | DHE-RSA-AES256-SHA| |
|||
+--------------+-------------------+ |
|||
1 row in set (0.01 sec) |
|||
</nowiki></pre> |
|||
# Done |
|||
Latest revision as of 02:09, 10 June 2015
Redirect to:
