MySQL基于SSL协议的主从复制

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了MySQL基于SSL协议的主从复制相关的知识,希望对你有一定的参考价值。

   数据对于大部分公司来说都是最重要的部分,而mysql的服务器在同步数据时,默认是使用明文进行传输,所以接下来就来说说MySQL基于SSL协议进行密文传输数据的主从复制模式。


逻辑拓扑:


    技术分享

    接下来的实验中Master节点服务器即使Master节点数据库服务器,同时也是CA。


环境准备:

    一、主从服务器时间需要同步:

            [[email protected] ~]# chronyc sources

            210 Number of sources = 1

            MS Name/IP address         Stratum Poll Reach LastRx Last sample

            ===============================================================================

            ^* server.magelinux.com          3   7   377    82    +71us[ +148us] +/-  100ms

 

           [[email protected] ~]# chronyc  sources

           210 Number of sources = 1

           MS Name/IP address         Stratum Poll Reach LastRx Last sample

           ===============================================================================

           ^* server.magelinux.com          3   7   377    95   +116us[ +155us] +/-  100ms


    二、主节点node9搭建好CA环境:

            [[email protected] ~]# cd /etc/pki/CA   

            [[email protected] CA]# touch index.txt serial

            [[email protected] CA]# echo 01 > serial                           

            [[email protected] CA]# (umask 077;openssl genrsa -out cakey.pem 2048)          

            [[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

            You are about to be asked to enter information that will be incorporated

            into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter ‘.‘, the field will be left blank.

        -----

        Country Name (2 letter code) [XX]:CN

        State or Province Name (full name) []:BeiJing

        Locality Name (eg, city) [Default City]:BeiJing

        Organization Name (eg, company) [Default Company Ltd]:hisen

        Organizational Unit Name (eg, section) []:Ops

        Common Name (eg, your name or your server‘s hostname) []:ca.hisen.com

        Email Address []:admin.com


    三、主节点node9生成证书申请,并由CA进行签署:

        [[email protected] ~]# cd /var/lib/mysql/ssl/

        [[email protected] ssl]# (umask 077;openssl genrsa -out master.key 2048)

 

        [[email protected] ssl]# openssl req -new -key master.key -out master.csr -days 3650

        You are about to be asked to enter information that will be incorporated

        into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter ‘.‘, the field will be left blank.

        -----

        Country Name (2 letter code) [XX]:CN

        State or Province Name (full name) []:BeiJing

        Locality Name (eg, city) [Default City]:BeiJing

        Organization Name (eg, company) [Default Company Ltd]:hisen

        Organizational Unit Name (eg, section) []:Ops

        Common Name (eg, your name or your server‘s hostname) []:master.hisen.com

        Email Address []:master.com

         

        Please enter the following ‘extra‘ attributes

        to be sent with your certificate request

        A challenge password []:

        An optional company name []:

                          

        [[email protected] ssl]# openssl ca -in master.csr -out master.crt -days 2048

        Using configuration from /etc/pki/tls/openssl.cnf

        Check that the request matches the signature

        Signature ok

        Certificate Details:

                Serial Number: 1 (0x1)

                Validity

                    Not Before: Feb 22 11:21:11 2017 GMT

                    Not After : Oct  2 11:21:11 2022 GMT

                Subject:

                    countryName               = CN

                    stateOrProvinceName       = BeiJing

                    organizationName          = hisen

                    organizationalUnitName    = Ops

                    commonName                = master.hisen.com

                    emailAddress              = master.com

                X509v3 extensions:

                    X509v3 Basic Constraints:

                        CA:FALSE

                    Netscape Comment:

                        OpenSSL Generated Certificate

                    X509v3 Subject Key Identifier:

                        2B:1D:F7:18:00:89:1B:CB:6D:09:59:4B:5E:03:78:BA:60:6A:62:BB

                    X509v3 Authority Key Identifier:

                        keyid:C4:30:C5:87:EB:80:6C:87:AE:60:71:FC:E9:79:1F:5A:31:57:5B:88

         

        Certificate is to be certified until Oct  2 11:21:11 2022 GMT (2048 days)

        Sign the certificate? [y/n]:y

         

         

        1 out of 1 certificate requests certified, commit? [y/n]y

        Write out database with 1 new entries

        Data Base Updated

        
    四、从节点node10生成证书,并由CA进行签署:


        [[email protected] ~]# cd /var/lib/mysql/ssl

        [[email protected] ssl]# (umask 077;openssl genrsa -out slave.key 2048)

        Generating RSA private key, 2048 bit long modulus

        ..+++

        ...........................................................+++

        e is 65537 (0x10001)

         

        [[email protected] ssl]# (umask 077;openssl genrsa -out slave.key 2048)

        Generating RSA private key, 2048 bit long modulus

        ..+++

        ...........................................................+++

        e is 65537 (0x10001)

        [[email protected] ssl]# openssl req -new -key slave.key -out slave.csr -days 3650

        You are about to be asked to enter information that will be incorporated

        into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter ‘.‘, the field will be left blank.

        -----

        Country Name (2 letter code) [XX]:CN

        State or Province Name (full name) []:BeiJing 

        Locality Name (eg, city) [Default City]:BeiJing

        Organization Name (eg, company) [Default Company Ltd]:hisen

        Organizational Unit Name (eg, section) []:Ops

        Common Name (eg, your name or your server‘s hostname) []:slave.hisen.com

        Email Address []:slave.com

         

        Please enter the following ‘extra‘ attributes

        to be sent with your certificate request

        A challenge password []:

        An optional company name []:

         

                   [[email protected] ssl]# scp slave.csr 192.168.17.90:/root

         

        [[email protected] ~]# openssl ca -in slave.csr -out slave.crt -days 3650

        Using configuration from /etc/pki/tls/openssl.cnf

        Check that the request matches the signature

        Signature ok

        Certificate Details:

                Serial Number: 2 (0x2)

                Validity

                    Not Before: Feb 22 11:27:17 2017 GMT

                    Not After : Feb 20 11:27:17 2027 GMT

                Subject:

                    countryName               = CN

                    stateOrProvinceName       = BeiJing

                    organizationName          = hisen

                    organizationalUnitName    = Ops

                    commonName                = slave.hisen.com

                    emailAddress              = slave.com

                X509v3 extensions:

                    X509v3 Basic Constraints:

                        CA:FALSE

                    Netscape Comment:

                        OpenSSL Generated Certificate

                    X509v3 Subject Key Identifier:

                        68:31:D7:B1:03:5A:C0:6E:A3:58:4D:67:53:AC:F7:F5:1E:2A:19:4E

                    X509v3 Authority Key Identifier:

                        keyid:C4:30:C5:87:EB:80:6C:87:AE:60:71:FC:E9:79:1F:5A:31:57:5B:88

         

        Certificate is to be certified until Feb 20 11:27:17 2027 GMT (3650 days)

        Sign the certificate? [y/n]:y

         

         

        1 out of 1 certificate requests certified, commit? [y/n]y

        Write out database with 1 new entries

        Data Base Updated

           [[email protected] ~]# scp slave.crt 192.168.17.100:/var/lib/mysql/ssl/


    五、将node9的CA证书复制给Master和Slave各一份:

        [[email protected] ~]# cp /etc/pki/CA/cacert.pem /var/lib/mysql/ssl/    #复制CA证书到本地

        [[email protected] ~]# scp /etc/pki/CA/cacert.pem 192.168.17.100:/var/lib/mysql/ssl/   #复制CA到node10


    六、修改/var/lib/mysql/ssl/下文件的属主属组以及给予最小权限:

        [[email protected] ~]# chown -R mysql:mysql /var/lib/mysql/ssl/ ; chmod 600 /var/lib/mysql/ssl/*  

        [[email protected] ~]# chown -R mysql:mysql /var/lib/mysql/ssl/ ; chmod 600 /var/lib/mysql/ssl/* 


MySQL文件配置:

Master:        

        [mysqld]

        datadir=/var/lib/mysql

        socket=/var/lib/mysql/mysql.sock

        symbolic-links=0

        skip_name_resolve=ON

        innodb_file_per_table=1

        server_id=2

        log-bin=master-log

        ssl                                    #开启SSL

        ssl_ca=/var/lib/mysql/ssl/cacert.pem       #Master节点CA证书存放位置

        ssl_cert=/var/lib/mysql/ssl/master.crt   #Master节点证书

        ssl_key=/var/lib/mysql/ssl/master.key     #Master节点key

 

Slave:

        [mysqld]

        datadir=/var/lib/mysql

        socket=/var/lib/mysql/mysql.sock

        symbolic-links=0

        skip_name_resolve=ON

        innodb_file_per_table=ON

        server_id=3

        relay-log=relay-log

        read-only=1

        ssl                                    #开启SSL

        ssl_ca=/var/lib/mysql/ssl/cacert.pem    #Slave节点CA证书存放位置

        ssl_cert=/var/lib/mysql/ssl/slave.crt  #Slave节点证书

        ssl_key=/var/lib/mysql/ssl/slave.key    #Slave节点key

        
MySQL服务配置:

    一、启动MySQL服务,并查看MySQL中SSL信息:

        [[email protected] ~]# systemctl start mariadb.service   #启动node9的MySQL服务

        MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE ‘%ssl%‘;  #查看node9的SSL信息

        +---------------+-------------------------------+

        | Variable_name | Value                         |

        +---------------+-------------------------------+

        | have_openssl  | YES                           |

        | have_ssl      | YES                           |

        | ssl_ca        | /var/lib/mysql/ssl/cacert.pem |

        | ssl_capath    |                               |

        | ssl_cert      | /var/lib/mysql/ssl/master.crt |

        | ssl_cipher    |                               |

        | ssl_key       | /var/lib/mysql/ssl/master.key |

        +---------------+-------------------------------+

        7 rows in set (0.01 sec)

 

        [[email protected] ssl]# systemctl start mariadb.service  #启动node10的MySQL服务

        MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE ‘%ssl%‘;  #查看node10的SSL信息

        +---------------+-------------------------------+

        | Variable_name | Value                         |

        +---------------+-------------------------------+

        | have_openssl  | YES                           |

        | have_ssl      | YES                           |

        | ssl_ca        | /var/lib/mysql/ssl/cacert.pem |

        | ssl_capath    |                               |

        | ssl_cert      | /var/lib/mysql/ssl/slave.crt  |

        | ssl_cipher    |                               |

        | ssl_key       | /var/lib/mysql/ssl/slave.key  |

        +---------------+-------------------------------+

        7 rows in set (0.00 sec)


    二、Master节点授权一个能用于SSL协议进行复制信息的用户,并测试用户:


        MariaDB [(none)]> GRANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO ‘userssl‘@‘192.168.17.%‘ IDENTIFIED BY ‘passwordssl‘ REQUIRE SSL;

        Query OK, 0 rows affected (0.00 sec)   #授权一个仅能够通过SSL复制数据的用户

         

        MariaDB [(none)]> FLUSH PRIVILEGES;     #刷新权限

        Query OK, 0 rows affected (0.00 sec)

         

        [[email protected] ~]# mysql -uuserssl -ppasswordssl -h192.168.17.90 \

        > --ssl_ca=/var/lib/mysql/ssl/cacert.pem \

        > --ssl_cert=/var/lib/mysql/ssl/master.crt \

        > --ssl_key=/var/lib/mysql/ssl/master.key              #测试用户能否使用SSL协议登录

        Welcome to the MariaDB monitor.  Commands end with ; or \g.

        Your MariaDB connection id is 4

        Server version: 5.5.44-MariaDB-log MariaDB Server

         

        Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

         

        Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

         

        MariaDB [(none)]> 


    三、配置Slave节点,指向Master节点:

        Master节点当前正在使用的binlog文件:master-log.000004,以及binlog位置:512       

        MariaDB [(none)]> SHOW MASTER STATUS;

        +-------------------+----------+--------------+------------------+

        | File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |

        +-------------------+----------+--------------+------------------+

        | master-log.000004 |      512 |              |                  |

        +-------------------+----------+--------------+------------------+

        1 row in set (0.00 sec)

       

          

        Slave节点配置:

        MariaDB [(none)]> CHANGE MASTER TO

            -> MASTER_HOST=‘192.168.17.90‘,

            -> MASTER_USER=‘userssl‘,

            -> MASTER_PASSWORD=‘passwordssl‘,

            -> MASTER_LOG_FILE=‘master-log.000004‘,

            -> MASTER_LOG_POS=512,

            -> MASTER_SSL=1,

            -> MASTER_SSL_CA=‘/var/lib/mysql/ssl/cacert.pem‘,

            -> MASTER_SSL_CERT=‘/var/lib/mysql/ssl/slave.crt‘,

            -> MASTER_SSL_KEY=‘/var/lib/mysql/ssl/slave.key‘;

        Query OK, 0 rows affected (0.01 sec)

         

        MariaDB [(none)]> START SLAVE;   启动SLAVE功能

        Query OK, 0 rows affected (0.01 sec)

         

        MariaDB [(none)]> SHOW SLAVE STATUS\G;  查看SLAVE状态信息

        *************************** 1. row ***************************

                       Slave_IO_State: Waiting for master to send event

                          Master_Host: 192.168.17.90

                          Master_User: userssl

                          Master_Port: 3306

                        Connect_Retry: 60

                      Master_Log_File: master-log.000004

                  Read_Master_Log_Pos: 512

                       Relay_Log_File: relay-log.000002

                        Relay_Log_Pos: 530

                Relay_Master_Log_File: master-log.000004

                     Slave_IO_Running: Yes

                    Slave_SQL_Running: Yes

                      Replicate_Do_DB:

                  Replicate_Ignore_DB:

                   Replicate_Do_Table:

               Replicate_Ignore_Table:

              Replicate_Wild_Do_Table:

          Replicate_Wild_Ignore_Table:

                           Last_Errno: 0

                           Last_Error:

                         Skip_Counter: 0

                  Exec_Master_Log_Pos: 512

                      Relay_Log_Space: 818

                      Until_Condition: None

                       Until_Log_File:

                        Until_Log_Pos: 0

                   Master_SSL_Allowed: Yes

                   Master_SSL_CA_File: /var/lib/mysql/ssl/cacert.pem

                   Master_SSL_CA_Path:

                      Master_SSL_Cert: /var/lib/mysql/ssl/slave.crt

                    Master_SSL_Cipher:

                       Master_SSL_Key: /var/lib/mysql/ssl/slave.key

                Seconds_Behind_Master: 0

        Master_SSL_Verify_Server_Cert: No

                        Last_IO_Errno: 0

                        Last_IO_Error:

                       Last_SQL_Errno: 0

                       Last_SQL_Error:

          Replicate_Ignore_Server_Ids:

                     Master_Server_Id: 2

        1 row in set (0.00 sec)

        

    四、测试主从同步数据:

        Master节点:       

        MariaDB [(none)]> CREATE DATABASE hisendb;  node9主节点创建hisendb数据库

        Query OK, 1 row affected (0.00 sec)

         

        MariaDB [(none)]> USE hisendb;

        Database changed

        MariaDB [hisendb]> CREATE TABLE friends(id INT UNSIGNED PRIMARY KEY NOT NULL,Name VARCHAR(20) NOT NULL,Age TINYINT,Gender ENUM(‘F‘,‘M‘));

        Query OK, 0 rows affected (0.01 sec)    #在hisendb数据库中创建friends表

         

        MariaDB [hisendb]> INSERT INTO friends VALUES (1,‘Xu He‘,25,‘M‘),(2,‘Xu Mingying‘,27,‘F‘),(3,‘Tian Tao‘,26,‘M‘),(4,‘LiangJuntao‘,28,‘M‘);

        Query OK, 4 rows affected (0.00 sec)   #在friends表中插入数据

        Records: 4  Duplicates: 0  Warnings: 0

         

        MariaDB [hisendb]> SELECT * FROM friends;   #查看结果

        +----+--------------+------+--------+

        | id | Name         | Age  | Gender |

        +----+--------------+------+--------+

        |  1 | Xu He        |   25 | M      |

        |  2 | Xu Mingying  |   27 | F      |

        |  3 | Tian Tao     |   26 | M      |

        |  4 | Liang Juntao |   28 | M      |

        +----+--------------+------+--------+

        4 rows in set (0.00 sec)

 

        Slave节点:

        MariaDB [(none)]> USE hisendb; 

        Reading table information for completion of table and column names

        You can turn off this feature to get a quicker startup with -A

         

        Database changed

        MariaDB [hisendb]> SELECT * FROM friends;  #在从节点可以查看主节点写入的数据

        +----+--------------+------+--------+

        | id | Name         | Age  | Gender |

        +----+--------------+------+--------+

        |  1 | Xu He        |   25 | M      |

        |  2 | Xu Mingying  |   27 | F      |

        |  3 | Tian Tao     |   26 | M      |

        |  4 | Liang Juntao |   28 | M      |

        +----+--------------+------+--------+

        4 rows in set (0.00 sec)

 

        由上可知,主从已经完成基于SSL协议的数据复制。



 






本文出自 “DevOps” 博客,请务必保留此出处http://hisen2devops.blog.51cto.com/10109340/1909326

以上是关于MySQL基于SSL协议的主从复制的主要内容,如果未能解决你的问题,请参考以下文章

mysql基于SSL实现主从复制

MySql之基于ssl安全连接的主从复制

MySQL - 基于SSL安全连接的主从复制

mysql基于ssl的主从复制

基于 SSL 实现MySQL主从复制

mysql/mariadb基于ssl的主从复制