Mysql: Difference between revisions

From Bashlinux
Jump to navigationJump to search
Newer edit →
Content deleted Content added
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
 
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
Line 2: Line 2:
= MySQL =
= MySQL =
== MySQL server with SSL ==
== MySQL server with SSL ==
# Create a certificate as described in [[openssl|OpenSSL]] section.
# Create openssl directory structure for MySQL
<pre><nowiki>
mkdir -p /etc/pki/openssl
mkdir -p /etc/pki/openssl/private
mkdir -p /etc/pki/openssl/newcerts
</nowiki></pre>

# Initialize Index database
<pre><nowiki>
touch /etc/pki/openssl/index.txt
</nowiki></pre>

# Create control serial number
<pre><nowiki>
date +%Y%m%d > /etc/pki/openssl/serial
</nowiki></pre>

# Copy default openssl configuration file
<pre><nowiki>
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
</nowiki></pre>

# Change the default dir on the new configuration file
<pre><nowiki>
replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Generate CA
<pre><nowiki>
openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf
</nowiki></pre>

# Create Server REQ and KEY
<pre><nowiki>
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Remove passphrase from KEY
<pre><nowiki>
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
</nowiki></pre>

# Sign server cert
<pre><nowiki>
openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
</nowiki></pre>

# Create REQ and KEY for the client
<pre><nowiki>
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Remove passphrase from the client KEY
<pre><nowiki>
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
</nowiki></pre>

# Sign client cert
<pre><nowiki>
openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
</nowiki></pre>

# Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created
# Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created

Revision as of 07:49, 5 February 2010

MySQL

MySQL server with SSL

  1. Create a certificate as described in OpenSSL section.
  2. Add the following under each directive on `/etc/my.cnf`, if the directive doesn't exists it should be created
 [client]
 ssl-ca=/etc/pki/openssl/cacert.pem
 ssl-cert=/etc/pki/openssl/client-cert.pem
 ssl-key=/etc/pki/openssl/client-key.pem

 [mysqld]
 ssl-ca=/etc/pki/openssl/cacert.pem
 ssl-cert=/etc/pki/openssl/server-cert.pem
 ssl-key=/etc/pki/openssl/server-key.pem
  1. Restart the server
 service mysqld restart
  1. Test ssl on Mysql
    1. Login into MySQL Server
 mysql -u root -p
  1. Check SSL Cipher
 mysql> show status like 'Ssl_cipher';
 +--------------+-------------------+
 | Variable_name| Value             |
 +--------------+-------------------+
 | Ssl_cipher   | DHE-RSA-AES256-SHA|
 +--------------+-------------------+

 1 row in set (0.01 sec)
 
# Done
Retrieved from "https://wiki.bashlinux.com/index.php?title=Mysql&oldid=540"