先检查主机上有没有安装openssl这个软件: rpm -qa |grep openssl
1、将Master服务器自己做成CA服务器
[root@gyf ~]# cd /etc/pki/CA/
[root@gyf CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 2月 22 2013 certs 发证的目录
drwxr-xr-x. 2 root root 4096 2月 22 2013 crl 吊销证书的目录
drwxr-xr-x. 2 root root 4096 2月 22 2013 newcerts 发新证的目录
drwx------. 2 root root 4096 2月 24 18:55 private 私钥目录
(1)先给自己生成私钥,必须放在CA目录下的private下
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
使用( )开一个子shell,让 umask 077 只在子shell内生效,保证生成的私钥文件权限为 0600;genrsa 用于生成 RSA 私钥,-out 指定输出文件位置,2048 为密钥长度(位)
(2)生成 CA 自签名根证书
下面的命令带有 -x509 参数,openssl req 不会输出证书请求(CSR),而是直接用上一步生成的 CA 私钥签出一张自签名的根证书 cacert.pem;后续 openssl ca 为 master/slave 签发证书时就使用这张根证书和 cakey.pem。注意 cakey.pem 未加口令保护(genrsa 没有带 -aes256),任何能读到该文件的人都可以冒充 CA 签发证书,生产环境应加口令并严格限制对 private/ 目录的访问。
[root@gyf CA]# openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
(输出文件名应为 cacert.pem,与 openssl.cnf 中 default_ca 段的 certificate 设置(默认 $dir/cacert.pem)以及第5步拷贝的 /etc/pki/CA/cacert.pem 一致;原文写作 cacret.pem 属笔误,写错会导致 openssl ca 找不到 CA 证书)
req 用于生成证书请求的 OpenSSL 命令。
-new 生成一个新的证书请求。该参数将令 OpenSSL 在证书请求生成过程中要求用户填写一些相应的字段。
-x509 直接输出自签名的 X.509 证书而不是证书请求(CSR);CA 根证书只能自签,因此这里必须带此参数。
-days 365 从生成之时算起,证书时效为 365 天。
-key ./private/cakey.pem 指定 ./private/cakey.pem 为证书所使用的密钥对文件。
-out cacert.pem 生成的自签名根证书保存到文件 cacert.pem。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 国家代码
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Cent64 作为ca 填写主机名
Email Address []:
//生成index.txt(证书的索引)
[root@gyf CA]# touch index.txt
//证书的序列号
[root@gyf CA]# echo 01 > serial
此命令可自动创建serial文件
2、为Master创建证书申请并由CA服务器签发证书
(注意:下面的记录漏掉了生成证书请求 master.csr 的一步,应在 genrsa 之后、openssl ca 之前执行 cd /usr/local/mysql/ssl && openssl req -new -key master.key -out master.csr,填写方式与第3步的 slave 相同;Common Name 建议填写 slave 连接 master 时所用的主机名或 IP,这样后续在 slave 上开启 master 证书校验时才能通过)
[root@gyf CA]# mkdir /usr/local/mysql/ssl
[root@gyf CA]# (umask 077;openssl genrsa -out master.key 2048)
[root@gyf ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140460142339912:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
一般是因为serial文件中没有赋初值
[root@gyf CA]# echo 01 > serial
[root@Cent64 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 25 07:30:37 2014 GMT
Not After : Feb 25 07:30:37 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = Default Company Ltd
commonName = Cent64
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B2:AF:8C:EA:4D:56:91:D6:B3:7B:05:12:9A:08:EE:7D:55:78:FC:F4
X509v3 Authority Key Identifier:
keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F
Certificate is to be certified until Feb 25 07:30:37 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3、为Slave服务器创建证书申请
[root@gyf ~]# mkdir /usr/local/mysql/ssl
[root@gyf ~]# cd /usr/local/mysql/ssl/
[root@gyf ssl]# (umask 077;openssl genrsa -out slave.key 2048)
[root@Cent67 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Cent67
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mysql
An optional company name []:
4、为Slave服务器签署证书
(证书有效期由这里 openssl ca 的 -days 决定;第3步 openssl req 在没有 -x509 时 -days 参数不起作用)
######将证书申请请求拷贝到CA服务器签署
[root@Cent67 ssl]# scp slave.csr root@10.10.54.64:/tmp/
(目标是 CA 所在的 Master 服务器 10.10.54.64;原文中的地址被页面转义成了 [email protected])
[root@Cent64 ssl]# openssl ca -in /tmp/slave.csr -out /tmp/slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 25 07:32:55 2014 GMT
Not After : Feb 25 07:32:55 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = Default Company Ltd
commonName = Cent67
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
73:A7:EA:D4:E4:A5:DF:CD:A0:48:7D:39:90:85:76:82:E7:AF:B4:54
X509v3 Authority Key Identifier:
keyid:62:72:F2:6C:01:26:6B:04:84:0E:72:C6:84:58:13:A1:63:C3:2E:4F
Certificate is to be certified until Feb 25 07:32:55 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
######签署好证书申请拷贝到Slave服务器
[root@Cent64 ssl]# scp /tmp/slave.crt root@10.10.54.67:/usr/local/mysql/ssl/
5、将CA证书拷贝到Slave服务器并为Master拷贝一份
[root@Cent64 ssl]# scp /etc/pki/CA/cacert.pem root@10.10.54.67:/usr/local/mysql/ssl/
[root@Cent64 ssl]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
6、修改Master与Slave服务器证书属主、属组为"mysql"用户
######修改Master服务器
[root@Cent64 ssl]# chown -R mysql.mysql /usr/local/mysql/ssl
[root@Cent64 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 2月 25 15:35 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 2月 25 15:30 master.crt
-rw-r--r-- 1 mysql mysql 1029 2月 25 15:30 master.csr
-rw------- 1 mysql mysql 1675 2月 25 15:30 master.key
######修改slave服务器
[root@Cent67 ssl]# chown -R mysql.mysql /usr/local/mysql/ssl
[root@Cent67 ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1310 2月 25 17:05 cacert.pem
-rw-r--r-- 1 mysql mysql 4419 2月 25 17:04 slave.crt
-rw-r--r-- 1 mysql mysql 1029 2月 25 17:02 slave.csr
-rw------- 1 mysql mysql 1679 2月 25 17:02 slave.key
7、
在Master与Slave服务器修改主配置文件开启SSL加密功能
mysql5.5复制配置
1.规划网络和主从机器
master:10.10.54.64
slave:10.10.54.67
2.master config
vim /etc/my.cnf    #以下所有参数(log-bin、server-id、binlog_format 以及 ssl_*)都必须写在 [mysqld] 段内
log-bin=master-bin
server-id=1
binlog_format=mixed    #原文误写为 binlog_formate,mysqld 会因 unknown variable 而无法启动
#开启SSL功能
[mysqld]
ssl #开启SSL功能
ssl_ca = /usr/local/mysql/ssl/cacert.pem #指定CA文件位置
ssl_cert = /usr/local/mysql/ssl/master.crt #指定证书文件位置
ssl_key = /usr/local/mysql/ssl/master.key #指定密钥所在位置
######查看master服务器SSL是否开启
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
3.slave config
log-bin=slave-bin
binlog_format=mixed    #原文误写为 binlog_formate,mysqld 会因 unknown variable 而无法启动
server-id=10
server-id 只需在整个主从集群内唯一即可(不能与 master 的 1 相同),并没有"必须大于主"的要求
#开启SSL功能
[mysqld]
ssl #开启SSL功能
ssl_ca = /usr/local/mysql/ssl/cacert.pem #指定CA文件位置
ssl_cert = /usr/local/mysql/ssl/slave.crt #指定证书文件位置
ssl_key = /usr/local/mysql/ssl/slave.key #指定密钥所在位置
######查看Slave服务器SSL是否开启
[root@slave ~]# mysql
mysql> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /usr/local/mysql/ssl/slave.crt |
| ssl_cipher | |
| ssl_key | /usr/local/mysql/ssl/slave.key |
+---------------+---------------------------------+
4.在master上面创建一个复制用户并授予权限
mysql> grant replication slave on *.* to 'gyf'@'10.10.54.67' identified by 'aaa12345' require ssl;
(REQUIRE SSL 只要求连接必须加密,server 并不校验客户端证书;要强制 slave 必须出示由本 CA 签发的证书,应改用 REQUIRE X509,或用 REQUIRE ISSUER '...' / REQUIRE SUBJECT '...' 绑定到具体证书。原文 'aaa12345'require 之间缺少空格且多了一个分号)
mysql> flush privileges;
//在slave上测试是否能用复制用户登录(原文 -ssl-ca 少了一个横线;另外 -p 后直接跟密码会出现在 ps 输出和 shell 历史中,建议只写 -p 交互输入)
[root@gyf ~]# mysql -ugyf -paaa12345 -h10.10.54.64 --ssl-ca=/usr/local/mysql/ssl/cacert.pem --ssl-cert=/usr/local/mysql/ssl/slave.crt --ssl-key=/usr/local/mysql/ssl/slave.key
mysql> show status like 'Ssl_cipher';    #Value 非空才说明这条连接确实走了 SSL
5.查看master上二进制日志和position位置
root@(none) 17:08>show master status;
+-------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000007 | 343 | | |
+-------------------+----------+--------------+------------------+
这里的 File/Position 必须取自上面 show master status 的结果(或 mysqldump --master-data 写在备份文件里的 CHANGE MASTER 语句),本例即: CHANGE MASTER TO MASTER_LOG_FILE='master-bin.000007', MASTER_LOG_POS=343; 示例中常见的 mysql-bin.000001/107 是默认日志名,与本环境 log-bin=master-bin 不符。
拓展:重置master reset master
6.备份master上的数据,把备份maste数据库还原到从库上
[root@gyf ~]# mysqldump -uroot -paaa12345 --databases employees |mysql -uroot -paaa12345 -h10.10.54.67
[root@nan86 tmp]# mysqldump -uroot -paaa12345 --master-data=2 --single-transaction --flush-logs --database employees >employees.sql
[root@gyf ~]# mysqldump -uroot -paaa12345 --databases employees |mysql -uroot -paaa12345 -h10.10.54.67
[root@gyf tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql
ERROR 1130 (HY000): Host '10.10.54.64' is not allowed to connect to this MySQL server
mysql> grant all privileges on *.* to 'root'@'10.10.54.64' identified by 'aaa12345';    #仅为一次性导入数据而开的远程 root(原文地址被页面转义成 [email protected]),导入完成后应执行 drop user 'root'@'10.10.54.64'; 收回
mysql> flush privileges;
[root@nan86 tmp]# mysql -uroot -paaa12345 -h10.10.54.67<employees.sql
7.在slave上面change master操作
(master_log_file/master_log_pos 应填第5步 show master status 得到的值。另外只写 master_ssl=1 和 master_ssl_ca 并不会校验 master 的证书,需再加 master_ssl_verify_server_cert=1 才能防止中间人冒充 master;开启后 MySQL 5.5 会检查 master 证书的 Common Name 是否与 master_host 一致,本例证书 CN 是 Cent64 而 master_host 写的是 IP,两者需对应——或者用主机名连接,或者签发 master 证书时 CN 填 IP)
mysql> change master to master_host='10.10.54.64',master_user='gyf',
master_password='aaa12345',
master_log_file='master-bin.000001',master_log_pos=107,master_ssl=1,
master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
master_ssl_cert='/usr/local/mysql/ssl/slave.crt',
master_ssl_key='/usr/local/mysql/ssl/slave.key';
8.启动slave
root@(none) 19:02>start slave;
9.查看slave状态
确定slave上的I/O线程和SQL线程状态为YES
root@(none) 19:02>show slave status\G    #\G 本身就是语句结束符,再加分号会多报一条 "No query specified"
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 10.10.54.64
Master_User: gyf
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000007
Read_Master_Log_Pos: 343
Relay_Log_File: Cent67-relay-bin.000002
Relay_Log_Pos: 254
Relay_Master_Log_File: master-bin.000007
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
//可以单独停掉某一个线程
mysql> STOP SLAVE IO_THREAD;
mysql> STOP SLAVE SQL_THREAD;
###测试
在master上
root@(none) 17:11>create database a;
root@(none) 17:25>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| a |
| employees |
| mysql |
| performance_schema |
| test |
+--------------------+
在slave上
root@(none) 19:04>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| a |
| employees |
| mysql |
| performance_schema |
| test |
+--------------------+