4. Configuring SSL-based encryption
4.1 Generate the CA private key on the master server
# mkdir /usr/local/mysql/ssl
# cd /usr/local/mysql/ssl
# umask 077; openssl genrsa 2048 > ca-key.pem
# openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
4.2 Generate the master server certificate, signed by our own CA
# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout master-key.pem -out master-req.pem
# openssl rsa -in master-key.pem -out master-key.pem
# openssl x509 -req -in master-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out master-cert.pem
Set permissions
# chown mysql.mysql -R *
# chmod 600 *
4.3 Generate a certificate for the slave servers
# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout slave-key.pem -out slave-req.pem
The serial number must differ from the master certificate's (01); two certificates issued by the same CA must not share a serial
# openssl x509 -req -in slave-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out slave-cert.pem
Copy the CA certificate, the signed slave certificate, and the master certificate and private key to the slave servers
# scp ca-cert.pem slave-key.pem slave-cert.pem master-cert.pem master-key.pem 192.168.1.201:/usr/local/mysql/ssl/
# scp ca-cert.pem slave-key.pem slave-cert.pem master-cert.pem master-key.pem 192.168.1.202:/usr/local/mysql/ssl/
4.4 Configure master/slave SSL
Edit the master server's my.cnf
# vim /etc/my.cnf
//add the following (in the [mysqld] section)
ssl
ssl-ca = /usr/local/mysql/ssl/ca-cert.pem
ssl-cert = /usr/local/mysql/ssl/master-cert.pem
ssl-key = /usr/local/mysql/ssl/master-key.pem
//change the owner and group of the certificates
# chown mysql.mysql -R /usr/local/mysql/ssl
# chmod 600 /usr/local/mysql/ssl/*
//restart the mysql service
# service mysqld restart
//create the SSL replication user on the master server (require ssl rejects any plaintext login with this account)
mysql> grant replication client,replication slave on *.* to "ssl"@"192.168.1.201" identified by 'mysql' require ssl;
mysql> grant replication client,replication slave on *.* to "ssl"@"192.168.1.202" identified by 'mysql' require ssl;
mysql> flush privileges;
Configure SSL on the slave servers (this step is the same on both slaves)
# mkdir /usr/local/mysql/ssl
Edit the slave server's my.cnf
# vim /etc/my.cnf
//add the following (in the [mysqld] section)
ssl
ssl-ca = /usr/local/mysql/ssl/ca-cert.pem
ssl-cert = /usr/local/mysql/ssl/slave-cert.pem
ssl-key = /usr/local/mysql/ssl/slave-key.pem
//restart the mysql service
# service mysqld restart
Start replication on the slave server
mysql> stop slave;
mysql> change master to master_host='192.168.1.152', master_user='ssl', master_password='mysql', master_auto_position=1, master_ssl=1, master_ssl_ca='/usr/local/mysql/ssl/ca-cert.pem', master_ssl_cert='/usr/local/mysql/ssl/master-cert.pem', master_ssl_key='/usr/local/mysql/ssl/master-key.pem';
mysql> start slave;
mysql> show slave status \G
The following information should be shown
mysql> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.1.152
Master_User: ssl
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000003
Read_Master_Log_Pos: 872
Relay_Log_File: slave2-relay-bin.000002
Relay_Log_Pos: 411
Relay_Master_Log_File: master-bin.000003
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 872
Relay_Log_Space: 616
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /usr/local/mysql/ssl/ca-cert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /usr/local/mysql/ssl/master-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /usr/local/mysql/ssl/master-key.pem
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 1
Master_UUID: 963e99b9-9674-11e4-9d49-000c297410f1
Master_Info_File: mysql.slave_master_info
SQL_Delay: 0
SQL_Remaining_Delay: NULL
Slave_SQL_Running_State: Slave has read all relay log; waiting for the slave I/O thread to update it
Master_Retry_Count: 86400
Master_Bind:
Last_IO_Error_Timestamp:
Last_SQL_Error_Timestamp:
Master_SSL_Crl:
Master_SSL_Crlpath:
Retrieved_Gtid_Set:
Executed_Gtid_Set: 963e99b9-9674-11e4-9d49-000c297410f1:1-6
Auto_Position: 1
But at this point I ran into a problem: the precompiled MySQL binary package I am using does not support SSL, and to get SSL support MySQL would have to be recompiled. Given limited time I will not redo it here; those who need it can tinker with it themselves.
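The show slave status output above can be checked mechanically rather than read by eye. The following Python script is an added example, not code from the original post: it parses the vertical (\G) output (a constructed excerpt of the record shown above) and reports the two weaknesses of this configuration, namely that Master_SSL_Verify_Server_Cert is No, so the slave never checks the master's certificate against ca-cert.pem (MASTER_SSL_VERIFY_SERVER_CERT=1 in CHANGE MASTER TO turns that on), and that the slave presents master-cert.pem/master-key.pem instead of its own slave-cert.pem/slave-key.pem, which is the only reason master-key.pem had to be copied off the master. The file-name check assumes the naming scheme used in this post.

```python
import os
import re

# Constructed excerpt of the `show slave status\G` output shown above (not the full record).
SAMPLE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.1.152
                  Master_User: ssl
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /usr/local/mysql/ssl/ca-cert.pem
              Master_SSL_Cert: /usr/local/mysql/ssl/master-cert.pem
            Master_SSL_Cipher:
               Master_SSL_Key: /usr/local/mysql/ssl/master-key.pem
Master_SSL_Verify_Server_Cert: No
"""

def parse_slave_status(text):
    """Turn the vertical (\\G) output of SHOW SLAVE STATUS into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+):\s?(.*)$", line)
        if m:  # the "*** 1. row ***" banner does not match and is skipped
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_ssl_replication(fields):
    """Return a list of findings about the replication channel; an empty list means all checks passed."""
    findings = []
    if fields.get("Slave_IO_Running") != "Yes" or fields.get("Slave_SQL_Running") != "Yes":
        findings.append("replication threads are not running")
    if fields.get("Master_SSL_Allowed") != "Yes":
        findings.append("master_ssl is not set: replication traffic is sent in plaintext")
    if fields.get("Master_SSL_Verify_Server_Cert") != "Yes":
        findings.append("Master_SSL_Verify_Server_Cert is No: the slave does not verify the "
                        "master's certificate against ca-cert.pem (set MASTER_SSL_VERIFY_SERVER_CERT=1)")
    # Assumption: the file naming of this post, where master-*.pem belong to the master only.
    for field in ("Master_SSL_Cert", "Master_SSL_Key"):
        if os.path.basename(fields.get(field, "")).startswith("master-"):
            findings.append(f"{field} points at the master's own file: the slave should present "
                            "slave-cert.pem/slave-key.pem, and master-key.pem should never leave the master")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_replication(parse_slave_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
```

Master_SSL_Allowed only echoes the master_ssl=1 option given to CHANGE MASTER TO; whether the binary was built with SSL support at all, the problem the author hits above, is answered by SHOW VARIABLES LIKE 'have_ssl' on each server.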