mysql建立ssl安全连接的配置
1、环境、IP、安装包
centOS5.4
虚拟机了两台服务器
mysql-5.1.48.tar.gz
openssl-0.9.8b.tar.gz
wgethttp://www.openssl.org/source/openssl-0.9.8b.tar.gz
server:192.168.189.134
client:192.168.189.133
windows_client:192.168.6.82(本地电脑IP)
2、安装openssl
mkdir/test/setup
cd/test/setup
tar-zxvfopenssl-0.9.8b.tar.gz
cdopenssl-0.9.8b
./config
make&&makeinstall
3、安装mysql
cd/test/setup
tarzxvfmysql-5.1.48.tar.gz
cdmysql-5.1.48
./configure--prefix=/usr/local/mysql--with-ssl--with-vio
cmake-DCMAKE_INSTALL_PREFIX=/usr/local/mysql--with-ssl--with-vio&&make&&makeinstall
make&&makeinstall
useraddmysql
cd/usr/local/mysql
bin/mysql_install_db--user=mysql
chown-Rmysql:mysql.
chown-Rmysql/usr/local/mysql
chgrp-Rmysql.
cpshare/mysql/mysql.server/etc/init.d/mysqld
chmod755/etc/init.d/mysqld
chkconfig--addmysqld
ln-s/usr/local/mysql/bin/mysqld_safe/usr/bin/mysqld_safe
ln-s/usr/local/mysql/share/mysql/mysql.server/usr/bin/mysqld
ln-s/usr/local/mysql/bin/mysql/usr/bin/mysql
ln-s/usr/local/mysql/bin/mysqldump/usr/bin/mysqldump
ln-s/usr/local/mysql/bin/mysqladmin/usr/bin/mysqladmin
ln-s/usr/local/mysql/lib/mysql/usr/lib/mysql
ln-s/usr/local/mysql/include/mysql/usr/include/mysql
echo"/usr/local/mysql/lib/mysql">>/etc/ld.so.conf
ldconfig
cp/usr/local/mysql/share/mysql/my-huge.cnf/etc/my.cnf
问题:可能碰到的问题./configure后会报错
/bin/rm:cannotremove`libtoolt':Nosuchfileordirectory
答案链接:http://holy2010.blog.51cto.com/1086044/448630
4、开启mysql中ssl功能
登录Mysql查看
mysql>showvariableslike'%ssl%';
+---------------+----------+
|Variable_name|Value|
+---------------+----------+
|have_openssl|DISABLED|
|have_ssl|DISABLED|
|ssl_ca||
|ssl_capath||
|ssl_cert||
|ssl_cipher||
|ssl_key||
+---------------+----------+
如果mysql输出如上所述,那么继续操作开启ssl;如果不是,重新编译安装mysql,注意生成makefile时填写参数正确。
退出mysql,编辑/etc/my.cnf
在[mysqld]和[mysqldump]之间,加入下列配置信息:
ssl
保存后重新启动mysql,再次登录mysql
mysql-uroot-p
mysql>showvariableslike'%ssl%';
+---------------+-------+
|Variable_name|Value|
+---------------+-------+
|have_openssl|YES|
|have_ssl|YES|
|ssl_ca||
|ssl_capath||
|ssl_cert||
|ssl_cipher||
|ssl_key||
+---------------+-------+
输出结果显示YES,现在ssl被完美启动起来了。
5、通过openssl生成证书的配置:
在server服务器上生成ssl秘钥
mkdir-p/etc/mysql/newcerts
cd/etc/mysql/newcerts
opensslgenrsa2048>ca-key.pem
opensslreq-new-x509-nodes-days1000-keyca-key.pem>ca-cert.pem
opensslreq-newkeyrsa:2048-days1000-nodes-keyoutserver-key.pem>server-req.pem
opensslx509-req-inserver-req.pem-days1000-CAca-cert.pem-CAkeyca-key.pem-set_serial01>server-cert.pem
opensslreq-newkeyrsa:2048-days1000-nodes-keyoutclient-key.pem>client-req.pem
opensslx509-req-inclient-req.pem-days1000-CAca-cert.pem-CAkeyca-key.pem-set_serial01>client-cert.pem
查看一下都生成了什么文件
[root@puppetnewcerts]#ll/etc/mysql/newcerts
total64
-rw-r--r--1rootroot1541Mar816:36ca-cert.pem
-rw-r--r--1rootroot1675Mar816:33ca-key.pem
-rw-r--r--1rootroot1224Mar816:40client-cert.pem
-rw-r--r--1rootroot1679Mar816:40client-key.pem
-rw-r--r--1rootroot1082Mar816:40client-req.pem
-rw-r--r--1rootroot1224Mar816:39server-cert.pem
-rw-r--r--1rootroot1675Mar816:38server-key.pem
-rw-r--r--1rootroot1082Mar816:38server-req.pem
好了,秘钥生成了,下面需要做的是把ca-cert.pem、client-cert.pem、andclient-key.pem拷贝到client服务器上,首先我们在client服务器上创建同样的文件夹。
mkdir-p/etc/mysql/newcerts
现在在主服务器上把秘钥文件拷贝到client服务器上
scp/etc/mysql/newcerts/ca-cert.pem/etc/mysql/newcerts/client-cert.pem/etc/mysql/newcerts/client-key.pem[email protected]:/etc/mysql/newcerts
继续修改主服务器上的my.cnf
在原先上面添加ssl的地方添加证书路径
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
重启主服务器的Mysql
进入数据库为client的IP端赋权select权限:
GRANTSELECTON*.*TO'test1'@'client_IP'IDENTIFIEDBY'111111'REQUIRESSL;
配置clinet端的my.cnf
[mysql]下面添加证书路径
ssl-ca/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/client-cert.pem
ssl-key=/etc/mysql/newcerts/client-key.pem
配置完成后,调用mysql程序运行\s或SHOWSTATUSLIKE'SSL%'命令,如果看到SSL:的信息行就说明是加密连接了。如果把SSL相关的配置写进选项文件,则默认是加密连接的。也可用mysql程序的--skip-ssl选项取消加密连接。如果用命令行方式启用加密连接可以这样写:
mysql--ssl-ca=ca-cert.pem--ssl-cert=client-cert.pem--ssl-key=client-key.pem
若是对于windows系统的client的话
把服务器上的证书拷贝到Mysql所在的目录下SSL_key,建立SSL_key目录
my.ini中port=3306下面添加
ssl-ca="C:\wamp\mysql\SSL_key\ca-cert.pem"
ssl-cert="C:\wamp\mysql\SSL_key\client-cert.pem"
ssl-key="C:\wamp\mysql\SSL_key\client-key.pem"
重启生效
也在服务端上为windows赋权
GRANTSELECTON*.*TO'test1'@'windows_client_IP'IDENTIFIEDBY'111111'REQUIRESSL;
由于是虚拟机的环境,本地这个windowsIP为192.168.189.1而不是为实际的IP192.168.7.82赋权
6、在client端测试是否可以用证书登录server端的数据否
mysql-h192.168.189.134-utest1-p
输入密码登录成功
为了证明证书是否起作用
你配置文件中把证书的路径给去掉或则注释掉
再进行登录看是否登录
结果是没有证书登录不上
配置完毕
修改待续~~~~
有个诡异的问题:
我又另外配置了一台服务器但是生成证书后就是无效,客户端只有ssl-key=client-cert.pem这项有用,而且诡异的是用原先机器生成的证书都是正常