ClustrixDB supports SSL and authentication with the sha256_password plugin. 

Some security regulations require stronger protection of user passwords stored in the database. The sha256_password plugin provides a more secure method of storing user password credentials in ClustrixDB as compared to the default mysql_native_password plugin. When a user account is configured to use the sha256_password plugin, that user must then always connect using an SSL protected connection.

The instructions below provide steps for configuring ClustrixDB for SSL encrypted connections, and for configuring ClustrixDB user accounts to use SHA256 password security together with SSL encrypted connections. To use this feature, follow the instructions below to generate certificates and keys, copy them to all nodes, and configure the database and users to use SSL where applicable (this requires a mysql client version 5.6.38 or higher).

NOTE:  You can use these instructions to generate the certs and keys for the nodes and clients, but the /etc/my.cnf directives for the server do not apply and you must use the ClustrixDB-specific instructions below to bind the server keys and certs.

ClustrixDB Configuration for SSL Encrypted Connections

Connecting from a client using an encrypted connection

The MariaDB client SSL parameters can be defined in /etc/my.cnf.d/client.cnf or on the command line.

Sample entry in /etc/my.cnf.d/client.cnf

[client-mariadb]
ssl-ca=/user/.ssh/ca-cert.pem
ssl-cert=/user/.ssh/client-cert.pem
ssl-key=/user/.ssh/client-key.pem
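Before relying on a client.cnf entry like the one above, it is worth checking that it is complete and that the private key is not exposed to other local users. The following is an added example, not part of the ClustrixDB documentation: it parses the [client-mariadb] section with Python's configparser, confirms that ssl-ca, ssl-cert and ssl-key are all set and point at existing files, and flags a client key that is readable by group or others. The section and option names follow the page; the permission policy and the constructed placeholder files in demo() are this example's own assumptions.

```python
"""Validate the SSL options of a MariaDB/MySQL client configuration section.

Added example, not ClustrixDB's own tooling. The [client-mariadb] section and
the ssl-ca / ssl-cert / ssl-key option names are the ones shown on the page;
the "key must not be group/world readable" rule is this example's policy.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("ssl-ca", "ssl-cert", "ssl-key")


def check_client_ssl(cnf_path, section="client-mariadb"):
    """Return a list of problems found; an empty list means the section is usable."""
    # mysql config files may contain bare options such as "ssl", so allow no-value keys.
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read(cnf_path)
    if not parser.has_section(section):
        return [f"section [{section}] missing in {cnf_path}"]

    opts = parser[section]
    problems = []
    for name in REQUIRED:
        if opts.get(name) is None:
            problems.append(f"{name} not set")
            continue
        path = Path(opts[name])
        if not path.is_file():
            problems.append(f"{name}: {path} does not exist")
        elif name == "ssl-key" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The private key must be readable only by the owner.
            problems.append(f"ssl-key: {path} is readable by group or others")
    return problems


def demo():
    """Build two constructed configs in a temp dir and return (ok_problems, bad_problems)."""
    tmp = Path(tempfile.mkdtemp())
    for name in ("ca-cert.pem", "client-cert.pem", "client-key.pem"):
        # Constructed placeholder files; they are not real PEM material.
        (tmp / name).write_text("-- constructed placeholder, not a real PEM --\n")
    os.chmod(tmp / "client-key.pem", 0o600)

    good = tmp / "client.cnf"
    good.write_text(
        "[client-mariadb]\n"
        f"ssl-ca={tmp / 'ca-cert.pem'}\n"
        f"ssl-cert={tmp / 'client-cert.pem'}\n"
        f"ssl-key={tmp / 'client-key.pem'}\n"
    )
    ok_problems = check_client_ssl(good)

    # Second config: CA path that does not exist, no ssl-cert, and a world-readable key.
    os.chmod(tmp / "client-key.pem", 0o644)
    bad = tmp / "client-bad.cnf"
    bad.write_text(
        "[client-mariadb]\n"
        f"ssl-ca={tmp / 'missing-ca.pem'}\n"
        f"ssl-key={tmp / 'client-key.pem'}\n"
    )
    bad_problems = check_client_ssl(bad)
    return ok_problems, bad_problems


if __name__ == "__main__":
    ok, bad = demo()
    print("good config problems:", ok)
    print("bad config problems:", bad)
```

Run it against a real file with check_client_ssl("/etc/my.cnf.d/client.cnf"); the demo() function only exercises the checker on constructed files. The function reads the section name as an argument so the same check can be applied to a plain [client] section.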

Command-line example of specifying the cert and key:

shell> mysql --ssl-cert=/user/.ssh/client-cert.pem --ssl-key=/user/.ssh/client-key.pem -u username -h hostname -p

The MySQL client version must be 5.6.38, or 5.7 or higher.

If you are using the mysql 5.6.38 client, you must specify the cipher type:

shell> mysql --ssl-cipher=AES256-SHA -u username -h hostname -p

If you are using the mysql 5.7 client, there are no special options required: 

shell> mysql -u username -h hostname -p

The output of \s will show whether TLS is enabled:

sql> \s

and show as part of the output the type of encryption in use:

Cipher in use is AES256-SHA

This query will show the type of encryption used for all sessions:

sql> select * from system.sessions;

Create a new user using sha256_password authentication:

sql> CREATE USER 'seymour2'@'%' IDENTIFIED WITH sha256_password BY 'foo';

Caveats for SHA2 usage