|
为确保数据库中传输数据的安全性与完整性,防止敏感信息在通信过程中被窃听或篡改,建议为 GreatSQL 服务启用 SSL 加密连接。此举尤其适用于不安全的网络环境(如公有网络),或需满足行业数据安全合规性要求的场景。以下文档将详述配置 GreatSQL 服务器端强制 SSL 连接,并为客户端颁发证书的具体操作步骤。
通过命令,初始化密钥文件,其中 datadir 与数据库数据目录保持一致
/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem
会产生如下新的文件
$ ll /greatsql/gdb/dbdata/3313/data/*pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-key.pem
-rw------- 1 greatsql greatsql 1676 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/private_key.pem
-rw-r--r-- 1 greatsql greatsql 452 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/public_key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-key.pem
在配置文件中,添加全局加密通信要求参数
require_secure_transport=ON
此时通过非 socket 访问数据库均要求 SSL 通信
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)
Connection id: 13
Current database:
Current user: bing@172.17.134.55
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version: 10
Connection: 172.17.134.55 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3313
Binary data as: Hexadecimal
Uptime: 6 min 1 sec
Threads: 3 Questions: 19 Slow queries: 0 Opens: 150 Flush tables: 3 Open tables: 69 Queries per second avg: 0.052
--------------
如果要求必须使用正确的 SSL 证书文件才能登录,则需要设置数据库账号权限为 X509
ALTER USER bing require x509;
无证书登录则报错
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'bing'@'172.17.134.55' (using password: YES)
有证书登录则正常
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-ca=/greatsql/gdb/dbdata/3313/data/ca.pem --ssl-cert=/greatsql/gdb/dbdata/3313/data/client-cert.pem --ssl-key=/greatsql/gdb/dbdata/3313/data/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)
Connection id: 12
Current database:
Current user: bing@172.17.134.55
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version: 10
Connection: 172.17.134.55 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3313
Binary data as: Hexadecimal
Uptime: 5 min 17 sec
Threads: 3 Questions: 13 Slow queries: 0 Opens: 150 Flush tables: 3 Open tables: 69 Queries per second avg: 0.041
--------------
loose-group_replication_ssl_mode = REQUIRED
loose-group_replication_recovery_use_ssl = 1
任意一种方式配置均能成功启用 SSL
MGR 组内只能通过同一个 ca.pem 生成其他证书,否则连接会失败
通过脚本,生成每个节点的 SSL 相关证书,输入 IP 地址的证书,只能在对应服务器上使用
gen_ca_server_client_cert.sh
[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.4
未检测到CA文件,正在生成统一CA...
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................++++
................++++
e is 65537 (0x010001)
已生成统一CA: ca.pem, ca-key.pem
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
......+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4
Getting CA Private Key
192.168.0.4-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.4-server-key.pem
- 证书: 192.168.0.4-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................+++++
...........................................................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4-client
Getting CA Private Key
192.168.0.4-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.4-client-key.pem
- 证书: 192.168.0.4-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.4-server-cert.pem / 192.168.0.4-server-key.pem
Client证书: 192.168.0.4-client-cert.pem / 192.168.0.4-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.5
检测到已有CA: ca.pem, ca-key.pem,直接使用
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................................................................................................+++++
..................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5
Getting CA Private Key
192.168.0.5-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.5-server-key.pem
- 证书: 192.168.0.5-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................................+++++
........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5-client
Getting CA Private Key
192.168.0.5-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.5-client-key.pem
- 证书: 192.168.0.5-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.5-server-cert.pem / 192.168.0.5-server-key.pem
Client证书: 192.168.0.5-client-cert.pem / 192.168.0.5-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.3
检测到已有CA: ca.pem, ca-key.pem,直接使用
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3
Getting CA Private Key
192.168.0.3-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.3-server-key.pem
- 证书: 192.168.0.3-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
...........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3-client
Getting CA Private Key
192.168.0.3-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.3-client-key.pem
- 证书: 192.168.0.3-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.3-server-cert.pem / 192.168.0.3-server-key.pem
Client证书: 192.168.0.3-client-cert.pem / 192.168.0.3-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
将 6 个文件 scp 到证书目录,注意调整属主
SSL 文件分发
scp ca-key.pem ca.pem 192.168.0.5-client-key.pem 192.168.0.5-client-cert.pem 192.168.0.5-server-cert.pem 192.168.0.5-server-key.pem 192.168.0.5:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.4-client-key.pem 192.168.0.4-client-cert.pem 192.168.0.4-server-cert.pem 192.168.0.4-server-key.pem 192.168.0.4:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.3-client-key.pem 192.168.0.3-client-cert.pem 192.168.0.3-server-cert.pem 192.168.0.3-server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files
重命名 SSL 文件名 rename '192.168.0.5-' '' *
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]$ ll
total 24K
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-server-key.pem
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]# rename '192.168.0.5-' '' *
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]# ll
total 24K
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 server-key.pem
并且要在每个实例的配置文件中,添加如下配置
ssl-ca=/greatsql/gdb/dbdata/3313/ssl_files/ca.pem
ssl-cert=/greatsql/gdb/dbdata/3313/ssl_files/server-cert.pem
ssl-key=/greatsql/gdb/dbdata/3313/ssl_files/server-key.pem
验证证书有效期
openssl x509 -in server-cert.pem -noout -dates
在第一个节点直接通过下面的命令初始化好证书
/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem
在其他节点,直接通过 clone 复制数据,然后通过 scp 复制证书,虽然这样会导致所有节点证书均一致,但是不影响使用
greatsql> SET GLOBAL clone_valid_donor_list='192.168.0.4:3313';
Query OK, 0 rows affected (0.00 sec)
greatsql> CLONE INSTANCE FROM greatsql@192.168.0.4:3313 IDENTIFIED BY '!QAZ2wsx';
scp ca-key.pem ca.pem client-key.pem client-cert.pem server-cert.pem server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files
SELECT * FROM performance_schema.replication_group_members;
查看 SSL 生效
greatsql> SHOW VARIABLES LIKE 'group_replication_ssl_mode';
+----------------------------+----------+
| Variable_name | Value |
+----------------------------+----------+
| group_replication_ssl_mode | REQUIRED |
+----------------------------+----------+
1 row in set (0.00 sec)
greatsql> SHOW VARIABLES LIKE 'group_replication_recovery_use_ssl';
+------------------------------------+-------+
| Variable_name | Value |
+------------------------------------+-------+
| group_replication_recovery_use_ssl | ON |
+------------------------------------+-------+
1 row in set (0.00 sec)
合作电话:010-64087828
社区邮箱:greatsql@greatdb.com
