MySQL: Enable Encrypted/SSL Connections

Server Side configuration

  • Check if the MySQL Supports encryption already:

mysql> show global variables like ‘%ssl%’;

+—————+———-+

| Variable_name | Value    |

+—————+———-+

| have_openssl  | DISABLED |

| have_ssl      | DISABLED |

| ssl_ca        |          |

| ssl_capath    |          |

| ssl_cert      |          |

| ssl_cipher    |          |

| ssl_crl       |          |

| ssl_crlpath   |          |

| ssl_key       |          |

+—————+———-+

9 rows in set (0.00 sec)

  • Create the SSL certificates and keys(Fill the details when prompted). Create in the data directory, preferably :

# Create CA certificate

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

# Create server certificate, remove passphrase, and sign it

# server-cert.pem = public key, server-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 \

        -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 \

        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it

# client-cert.pem = public key, client-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 \

        -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 \

        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

  • Add the below lines to the config file – my.cnf and restart mysql :

[mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

  • Check now whether mysql is ssl enabled:

mysql> show global variables like ‘%ssl%’;

+—————+—————–+

| Variable_name | Value           |

+—————+—————–+

| have_openssl  | YES             |

| have_ssl      | YES             |

| ssl_ca        | ca.pem          |

| ssl_capath    |                 |

| ssl_cert      | server-cert.pem |

| ssl_cipher    |                 |

| ssl_crl       |                 |

| ssl_crlpath   |                 |

| ssl_key       | server-key.pem  |

+—————+—————–+

9 rows in set (0.00 sec)

Client configuration

  • Connect to mysql normally and check[Over TCP/IP]:

If enabled at server side, clients by default make use of SSL Connections. However, un-encrypted connections too possible by mentioning –ssl=0 while connecting.

  • So, to mandate SSL usage, create user with REQUIRE SSL option:

mysql> grant all on *.* to require_ssl_user identified by ‘****’ REQUIRE SSL;

Query OK, 0 rows affected, 1 warning (0.00 sec)

  • To make use of SSL, connect mentioning the ssl certificate path:

# mysql –ssl-ca=/var/lib/mysql/ca.pem

mysql> \s

————–

mysql  Ver 14.14 Distrib 5.7.22, for Linux (x86_64) using  EditLine wrapper

Connection id:                        4

Current database:  

Current user:                          root@localhost

SSL:                                           Cipher in use is DHE-RSA-AES256-SHA

  • To make the client to supply the certificate and key files, create user with REQUIRE X509 option:

  mysql> grant all on *.* to requirex509_ssl_user identified by ‘****’ REQUIRE X509;

Query OK, 0 rows affected, 1 warning (0.00 sec)

  • For users with REQUIRE X509 to connect , client key and certificate to be supplied:

# mysql -ussl_user_x509 -p’Root123#’ –ssl-ca=/var/lib/mysql/ca.pem –ssl-cert=/var/lib/mysql/client-cert.pem –ssl-key=/var/lib/mysql/client-key.pem

mysql> \s

————–

mysql  Ver 14.14 Distrib 5.7.22, for Linux (x86_64) using  EditLine wrapper

Connection id:                        8

Current database:  

Current user:                          ssl_user_x509@localhost

SSL:                                           Cipher in use is DHE-RSA-AES256-SHA

  • Copy the cert files to client server to enable encryption.

Galera MySQL Cluster Setup !

So, here I’m writing this post amidst of COVID-19(#coronavirus) effect !

Yeah, I got a chance to learn and implement or vice-versa  this Galera MySQL Cluster . It’s a pretty simple and effective MySQL clustering solution if you’re looking for one. Although there’s good competition from Percona XtraDB cluster and MySQL’s own InnoDB cluster, Galera seems to be the old yet advanced clustering solution, which to be frank I’ve not compared.

I’ve implemented InnoDB Cluster earlier, but yet to write a post on that. There are so many bugs with InnoDB cluster as I know. Anyhow they would be resolved with the further releases.

Okay let’s talk about Galera MySQL Clustering!

Galera Cluster is a Multi-Master, Active-Active Cluster. Reads and Writes can be done on any of the nodes. Oh, of course, there are drawbacks as it’s Synchronous Replication. While it’s not practical for every High-Availability requirement, may be it’s best suited for the custom designed architecture.

I’m going to show you 3 node cluster setup in a VirtualBox.

You can install Galera Cluster through your Host’s repo using yum or other providers. But I don’t recommend that and here I show you the installation through RPM packages as I’m using Oracle Linux 7 . You can download the RPM packages from here. 

Choose and download the MySQL RPM version as per your requirement. I’ve used MySQL 5.7. But don’t forget to download the Galera-3 package available over there in that download page. That’s very crucial.

So, below is the list of packages that I’ve downloaded:

 mysql-wsrep-libs-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-common-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-client-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-devel-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-test-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-server-5.7-5.7.29-25.21.el7.x86_64.rpm
mysql-wsrep-libs-compat-5.7-5.7.29-25.21.el7.x86_64.rpm
socat-1.7.3.2-2.el7.x86_64.rpm
galera-3-25.3.29-1.el7.x86_64.rpm

Oh yeah, that ‘socat’ is a package required for the bidirectional relay. Without that this clustering won’t work. This is one advantage of using repository installation like yum. That installs all the dependent packages.

 

—Yet to complete this–

 

rsync: Remote File Transfer

While we usually deal with huge data, we come across situations where we need to copy such data from one server/host to a remote host.

One of the useful command is ‘rsync’, which is faster than the traditional scp command!

Below is the syntax with example :

[root@myhost file_path]# rsync -avrz /file_path/* user@12.12.12.12:/destination_path/ >> /log_path/rsync.log 2>> /log_path/rsync.err

where as,

-a -> Its same as –archive, which means to say preserver everything as it is. No changes between source and destination

-v -> Its same as –verbose, which displays information about the current execution

-r -> Its same as –recursive, copy directory and sub-directories, recursively

-z -> Its same as –compress, which compress data while its being transferred

Linux: awk – Grouping Data in a file

Consider the below file:

# cat test.csv
aa 1 qwer
ab 2 tyui
aa 3 poiu
ab 2 mnb
bb 1 njio
ba 2 njtwe

test.csv is a tab separated file with 3 columns.

Here, I want to segregate the whole lines with matching 1st and 2nd columns into separate files.

Like below:
# cat file_bb_1.csv
bb 1 njio

# cat file_ba_2.csv
ba 2 njtwe

# cat file_ab_2.csv
ab 2 tyui
ab 2 mnb

# cat file_aa_3.csv
aa 3 poiu

# cat file_aa_1.csv
aa 1 qwer
Though you can do this manually, think of a file with more than million lines.

Here, ‘awk’, being an powerful data manipulation tool,comes to our help.
Below is the command we can use:

#cat test.csv | awk ‘{a=$1;b=$2; print $0 >> “file_” a “_” b “.csv”}’

[You can give any name instead of ‘file_’]