How To configure replication in MySQL using SSL encryption on Debian Lenny

Original author: Falko Timme
  • Transfer
This guide describes how to configure database replication in MySQL using an SSL encryption connection.
MySQL replication synchronizes the database, which allows you to have an exact copy of the database on another server. All database updates on the main server are automatically replicated to another server, which allows you to protect the database from hardware failures. This article will show how to implement exampledb database replication from server (ip address to server (ip address using SSL connection.

Both servers work on Debian Lenny but the configuration can be applied on almost all distributions without changes. The exampledb database with tables and data already existing only on the main one. All commands are run with root privileges.
If MySQL server is not installed on both servers, then proceed with the installation by executing the command on the primary and secondary servers:
aptitude install mysql-server mysql-client

You will be prompted to enter the root password for MySQL, both on the primary and secondary server.
Now let's check the SSL connection support with MySQL. Let's go into MySQL and enter the command at the MySQL command prompt:
mysql -u root -p
mysql> show variables like '%ssl%';
| Variable_name | Value    |
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
7 rows in set (0.00 sec)

If the output is as follows, then this means that MySQL was compiled with SSL support, but as you can see from the have_openssl DISABLED table and have_ssl DISABLED is not active.

To enable SSL support, you need to edit the my.cnf file which is located in / etc / mysql /
vi /etc/mysql/my.cnf

Find the * Security Features lines and add the ssl line
# * Security Features
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

Restart MySQL:
/etc/init.d/mysql restart

and check if ssl support is active
mysql -u root -p
show variables like '%ssl%';
mysql> show variables like '%ssl%';
| Variable_name | Value |
| have_openssl  | YES   |
| have_ssl      | YES   |
| ssl_ca        |       |
| ssl_capath    |       |
| ssl_cert      |       |
| ssl_cipher    |       |
| ssl_key       |       |
7 rows in set (0.00 sec)

The output shows that ssl is enabled.
Next, configure MySQL for listening on all interfaces, commenting out the line bind-address = in /etc/mysql/my.cnf:
vi /etc/mysql/my.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

MySQL restore:
/etc/init.d/mysql restart

Now let's see what hangs on our ports:
netstat -tap | grep mysql
server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      3771/mysqld

Apparently, MySQL is broadcast on all interfaces.
Now we need to create CA, servers and client certificates for SSL connections. I usually create them in the / etc / mysql / newcerts
directory. Create a newcerts directory:
mkdir /etc/mysql/newcerts && cd /etc/mysql/newcerts

Make sure OpenSSL is installed:
aptitude install openssl

Create a CA certificate:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

Next, create a certificate for the server ...:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

and for the client:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

The output should look like this:
ls -l
server1:/etc/mysql/newcerts# ls -l
total 32
-rw-r--r-- 1 root root 1346 2010-08-18 20:13 ca-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:13 ca-key.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 client-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:14 client-key.pem
-rw-r--r-- 1 root root 956 2010-08-18 20:14 client-req.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 server-cert.pem
-rw-r--r-- 1 root root 1679 2010-08-18 20:14 server-key.pem
-rw-r--r-- 1 root root 956 2010-08-18 20:14 server-req.pem

Now we need to transfer the certificates ca-cert.pem, client-cert.pem and client-key.pem to the second server. Create a directory on the second server:
mkdir /etc/mysql/newcerts

Let's go back to server1 and pass the certificates as follows:
scp /etc/mysql/newcerts/ca-cert.pem root@
scp /etc/mysql/newcerts/client-cert.pem root@
scp /etc/mysql/newcerts/client-key.pem root@

Next, open server1 /etc/mysql/my.cnf and make changes to the * Security Features area by uncommenting the lines ssl-ca, ssl-cert and ssl-key:
vi /etc/mysql/my.cnf
# * Security Features
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".

Restart MySQL:
/etc/init.d/mysql restart

Now we will create the replication user slave_user, which will be used on server2, to access the database on server1
mysql -u root -p
GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;

The REQUIRE SSL line is optional, if you leave it, slave_user will be allowed to connect through an encrypted and non-encrypted connection. When using SSL, only an encrypted connection will be allowed.

(If the replication user has already been created and you need to specify only an SSL connection, then you need to change the user as follows:
GRANT USAGE ON *.* TO 'slave_user'@'%' REQUIRE SSL;


In addition, we must specify MySQL where to store our logs for replication, and also indicate which server is the main and which is replication:
vi /etc/mysql/my.cnf
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
server-id               = 1
log_bin                 = /var/log/mysql/mysql-bin.log
expire_logs_days        = 10
max_binlog_size         = 100M
binlog_do_db            = exampledb

MySQL restart
/etc/init.d/mysql restart

Next, we need to carry out several operations:
1. Lock the exampledb database on server1
2. Find out the master status server1
3. Create a dump of SQL exampledb (for import to server2)
4. Unlock our database
mysql -u root -p
USE exampledb;
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
| mysql-bin.000001 |       98 | exampledb    |                  |
1 row in set (0.00 sec)

Now, without leaving the mysql console (since the database lock will be removed) we will backup and transfer it to server2
cd /tmp
mysqldump -u root -pyourrootsqlpassword --opt exampledb > snapshot.sql
scp snapshot.sql root@

After the operation, you can safely unlock our database

This completes the setup of server1. Let's set up server2 by opening the muscle config:
vi /etc/mysql/my.cnf

make sure that we have the following line settings (if we don’t have them, add it):

The value of server-id = 2 is unique and it should differ from the value on server1

Restart MySQL:
/etc/init.d/mysql restart

Before you start configuring replication, create an empty database:
mysql -u root -p

Now you can import the dump of the snapshot.sql database on server2
/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword stop-slave
cd /tmp
mysql -u root -pyourrootsqlpassword exampledb < snapshot.sql

We go into MySQL and execute the command so that server2 is a secondary server, and server1 is defined as the primary server:
mysql -u root -p
CHANGE MASTER TO MASTER_HOST='', MASTER_USER='slave_user', MASTER_PASSWORD='slave_password', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=98, MASTER_SSL=1, MASTER_SSL_CA = '/etc/mysql/newcerts/ca-cert.pem', MASTER_SSL_CERT = '/etc/mysql/newcerts/client-cert.pem', MASTER_SSL_KEY = '/etc/mysql/newcerts/client-key.pem';

* MASTER_HOST - the IP address or host name in our case is ip
* MASTER_USER - the replication user for the primary server
* MASTER_PASSWORD - User Password
* MASTER_LOG_FILE - Value The log file on server1 that we learned will execute the SHOW MASTER STATUS command;
* MASTER_LOG_POS - The value obtained by executing the SHOW MASTER STATUS command;
* MASTER_SSL - Creates a connection between the primary and secondary server using SSL
* MASTER_SSL_CA - Path to the CA certificate (server2)
* MASTER_SSL_CERT - Path to the client-cert.pem certificate (server2)
* MASTER_SSL_KEY - Path to the client-key.pem certificate (server2)

And finally

Now check the status of server2
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_User: slave_user
                Master_Port: 3306
              Connect_Retry: 60
            Master_Log_File: mysql-bin.000001
        Read_Master_Log_Pos: 98
             Relay_Log_File: mysqld-relay-bin.000002
              Relay_Log_Pos: 235
      Relay_Master_Log_File: mysql-bin.000001
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
            Replicate_Do_DB: exampledb
                 Last_Errno: 0
               Skip_Counter: 0
        Exec_Master_Log_Pos: 98
            Relay_Log_Space: 235
            Until_Condition: None
              Until_Log_Pos: 0
         Master_SSL_Allowed: Yes
         Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
            Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
             Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
      Seconds_Behind_Master: 0
1 row in set (0.00 sec)

After that, you can exit MySQL:

That's all, the server setup is done. If you did everything correctly, then replication is configured correctly and is operational.

Thank you very much for your attention!
PS If you find a piece of paper or an incorrectly formulated sentence, please inform the PM.

Also popular now: