Comment: Published by Scroll Versions from space ML1 and version 9.2

...

The instructions below provide steps for configuring ClustrixDB for SSL-encrypted connections, and for configuring ClustrixDB user accounts to use SHA256 password security together with SSL-encrypted connections. To use this feature, follow the instructions below to generate certificates and keys, copy them to all nodes, and configure the database and users to use SSL where applicable (this requires a mysql client 5.6.38 or higher).

NOTE: You can use these instructions to generate the certs and keys for the nodes and clients, but the /etc/my.cnf directives for the server do not apply; you must use the ClustrixDB-specific instructions below to bind the server keys and certs.

ClustrixDB Configuration for SSL Encrypted Connections

See also: ALTER CLUSTER RELOAD SSL (http://docs.clustrix.com/display/ML1/.ALTER+CLUSTER+RELOAD+SSL+v9.1)

Connecting from a client using an encrypted connection

The MariaDB client SSL parameters can be defined in /etc/my.cnf.d/client.cnf or on the command line.

Sample entry in /etc/my.cnf.d/client.cnf

[client-mariadb]
ssl-ca=/user/.ssh/ca-cert.pem
ssl-cert=/user/.ssh/client-cert.pem
ssl-key=/user/.ssh/client-key.pem

Command-line example of specifying the cert and key:

shell> mysql --ssl-cert=/user/.ssh/client-cert.pem --ssl-key=/user/.ssh/client-key.pem -u username -h hostname -p

The MySQL client must be version 5.6.38, 5.7, or higher.
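Before relying on a client configuration like the one above, it is worth checking it mechanically: the command-line example passes only --ssl-cert and --ssl-key, and without ssl-ca the connection is encrypted but the client never verifies that it reached the real server. The script below is an added example, not part of the ClustrixDB documentation. It parses the [client-mariadb] group of a client.cnf, reports a missing ssl-ca, missing cert/key files, and a private key readable by other users. The directory, file names and PEM contents it writes are constructed placeholders.

```python
"""
Added example (not part of the ClustrixDB documentation): audit a MariaDB/MySQL
client SSL configuration before using it to reach the cluster.

It reads the [client-mariadb] group of a client.cnf and flags what a
practitioner wants to know up front:
  * ssl-ca missing: the connection is still encrypted, but the client cannot
    verify that it is talking to the real server;
  * referenced cert/key files that do not exist;
  * a private key readable by group or others.
All paths and PEM contents below are constructed placeholders.
"""
import configparser
import os
import stat
import tempfile

SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")


def parse_client_group(text, group="client-mariadb"):
    """Return the key/value pairs of one my.cnf group as a dict."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read_string(text)
    return dict(parser.items(group)) if parser.has_section(group) else {}


def audit(settings, check_files=True):
    """Return a list of findings; an empty list means the config looks sound."""
    findings = []
    if "ssl-ca" not in settings:
        findings.append("ssl-ca not set: server certificate cannot be verified "
                        "(traffic is encrypted but the peer is not authenticated)")
    for key in ("ssl-cert", "ssl-key"):
        if key not in settings:
            findings.append(f"{key} not set: client certificate authentication is unavailable")
    if not check_files:
        return findings
    for key in SSL_KEYS:
        path = settings.get(key)
        if path and not os.path.isfile(path):
            findings.append(f"{key} points to a missing file: {path}")
    key_path = settings.get("ssl-key")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"ssl-key {key_path} has mode {mode:04o}; restrict it to 0600")
    return findings


def demo():
    """Write constructed cert/key placeholders, then audit a sound and a weak config."""
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, f"{name}.pem")
                 for name in ("ca-cert", "client-cert", "client-key")}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real PEM
        os.chmod(paths["client-key"], 0o600)

        good_cnf = ("[client-mariadb]\n"
                    f"ssl-ca={paths['ca-cert']}\n"
                    f"ssl-cert={paths['client-cert']}\n"
                    f"ssl-key={paths['client-key']}\n")
        good = audit(parse_client_group(good_cnf))

        # Weak variant: no ssl-ca, and the key is left readable by everyone.
        os.chmod(paths["client-key"], 0o644)
        weak_cnf = ("[client-mariadb]\n"
                    f"ssl-cert={paths['client-cert']}\n"
                    f"ssl-key={paths['client-key']}\n")
        weak = audit(parse_client_group(weak_cnf))
    return good, weak


if __name__ == "__main__":
    good, weak = demo()
    print("sound config findings:", good)
    for finding in weak:
        print("weak config:", finding)
```

Point the script at a real client.cnf by reading the file into parse_client_group; the file-permission check is the one ClustrixDB's own caveat about key ownership on the nodes is concerned with, applied here to the client side.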

...

sql> select * from system.sessions;

Setting Up Users

...

sql> ALTER USER 'seymour'@'%' IDENTIFIED WITH sha256_password BY 'foo';

To set it back to use mysql_native_password:

...

sql> ALTER USER 'seymour'@'%' IDENTIFIED WITH mysql_native_password BY 'foo';

Create a new user using sha256_password authentication:

sql> CREATE USER 'seymour2'@'%' IDENTIFIED WITH sha256_password BY 'foo';

...

...

Users with a password encrypted with SHA256 must use encrypted connections to connect to ClustrixDB. If a secure connection is not available, the user will encounter an error and be unable to connect.

Caveats for SHA2 usage

  • Certificates and keys must exist on all nodes and be owned by the clxd user

  • ClustrixDB does not support configuring a default authentication plugin other than mysql_native_password

  • ClustrixDB does not support RSA password encryption

  • Using encrypted connections has a performance overhead

  • The ssl options cipher, issuer, and subject are not supported and generate syntax errors.