Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect and Replicate Securely: How to use MySQL with SSL Sheeri K. Cabral, MySQL Team Lead

Published byAdela Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Connect and Replicate Securely: How to use MySQL with SSL Sheeri K. Cabral, MySQL Team Lead"— Presentation transcript:

1 Connect and Replicate Securely: How to use MySQL with SSL Sheeri K. Cabral, MySQL Team Lead cabral@pythian.com

2 ` 2 Is SSL Enabled? mysql> SHOW VARIABLES LIKE '%ssl%'; +---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_openssl | DISABLED | | have_ssl | DISABLED | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+----------+ 7 rows in set (0.00 sec)

3 ` 3 Enable SSL yaSSL w/ official MySQL binary To compile your own or w/OpenSSL:./configure --with-ssl./configure --with-ssl=/path/to/ssl

4 ` 4 Enable SSL In >5.1.10./configure--with-yassl --with-openssl configure --with-*ssl=/path/to/ssl

5 ` 5 SSL Enabled mysql> SHOW VARIABLES LIKE '%ssl%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+-------+ 7 rows in set (0.00 sec)

6 ` 6 Can mysql.user handle it? SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='user' AND TABLE_SCHEMA='mysql' AND COLUMN_NAME IN ('ssl_cipher','x509_issuer','x509_subject'); +--------------+ | COLUMN_NAME | +--------------+ | ssl_cipher | | x509_issuer | | x509_subject | +--------------+ 3 rows in set (0.02 sec)

7 ` 7 Create Certificate Authority Used to sign certificates openssl req -new -x509 -keyout cakey.pem \ -out cacert.pem -days 3600 -config openssl.cnf Sample output: Using configuration from openssl.cnf Generating a 1024 bit RSA private key................++++++.........++++++ writing new private key to 'cakey.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase:

8 ` 8 Info for CA You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

9 ` 9 Info for CA ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Some-State]:Massachusetts Locality Name (eg, city) []:Cambridge Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Pythian Group Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:certs.pythian.com Email Address []:cabral@pythian.com

10 ` 10 Create Server Key/Request openssl req -new -keyout server-key.pem -out \ server-req.pem -days 3600 -config openssl.cnf Sample output: Using configuration from openssl.cnf Generating a 1024 bit RSA private key..++++++..........++++++ writing new private key to 'server-key.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase:

11 ` 11 Info for Server Request ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Some-State]:Massachusetts Locality Name (eg, city) []:Cambridge Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Pythian Group Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []: db.pythian.com Email Address []:cabral@pythian.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

12 ` 12 Remove Key Passphrase openssl rsa -in server-key.pem -out server-key.pem

13 ` 13 Create Certificate Sign the server certificate request using Certificate Authority generated openssl ca -policy foo -out server-cert.pem \ -config openssl.cnf -infiles server-req.pem Using configuration from openssl.cnf Enter PEM pass phrase: Check that the request matches the signature Signature ok

14 ` 14 Sign the Request The Subjects Distinguished Name is as follows countryName :PRINTABLE:'US' organizationName :PRINTABLE:'The Pythian Group' commonName :PRINTABLE:'db.pythian.com' Certificate is to be certified until Apr 01 14:22:46 2010 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

15 ` 15 Create Client Request openssl req -new -keyout client-key.pem -out \ client-req.pem -days 3600 -config openssl.cnf Same as Server certificate Including removing the passphrase

16 ` 16 Sign Client Certificate openssl ca -policy foo -out client-cert.pem \ -config openssl.cnf -infiles client-req.pem

17 ` 17 Edit Configs [client] ssl-ca=/path/to/cacert.pem ssl-cert=/path/to/client-cert.pem ssl-key=/path/to/client-key.pem [mysqld] ssl-ca=/path/to/cacert.pem ssl-cert=/path/to/server-cert.pem ssl-key=/path/to/server-key.pem

18 ` 18 User GRANT GRANT... ON... TO... REQUIRE SSL (--ssl-ca required) X509 (--ssl ca, --ssl-key, --ssl-cert, not checked) CIPHER 'cipher' (strength) ISSUER 'issuer' (issuer)

19 ` 19 Connect If you REQUIRE anything, SSL must be used.

20 ` 20 Secure Replication Use a secure user.... No really, that's it!!!

21 ` 21 cabral@pythian.com

Download ppt "Connect and Replicate Securely: How to use MySQL with SSL Sheeri K. Cabral, MySQL Team Lead"

Similar presentations

Completing Facility Security Administrator QualityNet Identity Provisioning System (QIPS) Registration Form.

Completing Facility Security Administrator QualityNet Identity Provisioning System (QIPS) Registration Form.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.

HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.
Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.

Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Apache ssl Objectives Contents Practical Summary Setup Apache + ssl

Apache ssl Objectives Contents Practical Summary Setup Apache + ssl
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526.

Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.
Secure Sockets Layer (SSL) Fred Schank Kevin Wetter.

Secure Sockets Layer (SSL) Fred Schank Kevin Wetter.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)

This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)
May 28, 2002Mårten Trolin1 Protocols for e-commerce Traditional credit cards SET SPA/UCAF 3D-Secure Temporary card numbers Direct Payments.

May 28, 2002Mårten Trolin1 Protocols for e-commerce Traditional credit cards SET SPA/UCAF 3D-Secure Temporary card numbers Direct Payments.

Similar presentations

Ads by Google