
MySQL master-slave replication over SSL

2015-01-27 12:01
Original work. Reproduction is permitted, but you must cite the original source as a hyperlink, together with the author information and this notice; otherwise legal action will be pursued. /article/4546162.html
[Background]
The MySQL protocol is plaintext. When replicating important data, the SSL feature is sometimes needed to protect the data in transit.
[Preparation]
Preliminary preparation
1. Time consistency between master and slave
[root@node3 support-files]# crontab -e      #### slave node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
[root@node1 CA]# crontab -e                 #### master node
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
2. Use the minimum privileges for the replication account
3. The CA lives on the master node
4. To use the SSL feature, MySQL must be compiled with it. That is not demonstrated here; the corosync+pacemaker+mysql article covers it in detail.




###### Compile and install MySQL on both nodes.
[Configure certificates on each node]
############################### CA: generate the private key ###################################
[root@node1 CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...................++++++
................++++++
e is 65537 (0x10001)
############################### CA: generate the self-signed certificate ################################
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:admin.stu11.com
[root@node1 CA]# touch index.txt
[root@node1 CA]# echo 01 > serial
################################# Generate the master's private key ###################################
[root@node1 CA]# cd /etc/mysql/ssl/
[root@node1 ssl]# (umask 077; openssl genrsa -out master.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++++++
.............................++++++
e is 65537 (0x10001)
############################### Generate the master's certificate signing request ##############################
[root@node1 ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:admin@stu11.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
############################### Sign the master's certificate ######################################
[root@node1 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 25 07:12:12 2015 GMT
            Not After : Jan 25 07:12:12 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = master.crt
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:50:74:97:39:91:86:5A:1F:C6:2F:6A:87:FB:77:04:7B:70:33:5C
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E

Certificate is to be certified until Jan 25 07:12:12 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]# ls
master.crt  master.csr  master.key
[root@node1 ssl]# chown -R mysql:mysql *
[root@node1 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:12 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:12 master.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:11 master.csr
-rw------- 1 mysql mysql  887 Jan 25 15:09 master.key
################################# Generate the slave's private key ###################################
[root@node3 ssl]# (umask 077; openssl genrsa -out slave.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
.........................++++++
e is 65537 (0x10001)
############################### Generate the slave's signing request ################################
[root@node3 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:slave.cert
Email Address []:admin@stu11.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
############################### Sign the slave's certificate and copy it back ###################################
[root@node3 ssl]# scp slave.csr 172.16.249.141:/etc/pki/CA/
[root@node1 CA]# openssl ca -in slave.csr -out slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 25 07:21:11 2015 GMT
            Not After : Jan 25 07:21:11 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = slave.cert
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:06:AD:F0:1D:8A:78:62:ED:A7:FF:BB:7A:F6:79:14:D4:FB:26:39
            X509v3 Authority Key Identifier:
                keyid:C0:69:22:4E:9A:E5:BD:13:2B:BD:93:7B:0F:99:E6:0F:3A:FA:40:7E

Certificate is to be certified until Jan 25 07:21:11 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 CA]# scp slave.crt 172.16.11.3:/etc/mysql/ssl/
[root@node1 CA]# scp cacert.pem 172.16.11.3:/etc/mysql/ssl/
[root@node3 ssl]# chown -R mysql:mysql *
[root@node3 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:22 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:21 slave.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:19 slave.csr
-rw------- 1 mysql mysql  887 Jan 25 15:14 slave.key
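The certificate steps above, redone as an added example (not the post's own commands) that runs non-interactively under a scratch directory and then verifies what it produced. It signs with `openssl x509 -req -CA` instead of `openssl ca`, so no /etc/pki/CA database is needed; the subject fields copy the post's, and the CNs "master" and "slave" are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: CA + per-node key/CSR/cert for
# MySQL replication over SSL, done without prompts, then checked before use.
set -e

make_mysql_ssl_certs() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA key (created 0600 via umask, as the post does) and self-signed CA cert
        (umask 077; openssl genrsa -out cakey.pem 2048 2>/dev/null)
        openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
            -subj "/C=CN/ST=HA/L=ZZ/O=magedu/OU=14qi/CN=cacert" 2>/dev/null
        # per node: private key, CSR, certificate signed by the CA above
        for node in master slave; do
            (umask 077; openssl genrsa -out "$node.key" 2048 2>/dev/null)
            openssl req -new -key "$node.key" -out "$node.csr" \
                -subj "/C=CN/ST=HA/L=ZZ/O=magedu/OU=14qi/CN=$node" 2>/dev/null
            openssl x509 -req -in "$node.csr" -CA cacert.pem -CAkey cakey.pem \
                -CAcreateserial -out "$node.crt" -days 365 2>/dev/null
        done
    )
}

# Pre-flight check before pointing ssl_cert/ssl_key at the files: the cert must
# chain to cacert.pem, the key must belong to the cert, and the key must not be
# readable by group or other (the post's `ll` shows -rw------- on *.key).
check_node_cert() {
    dir="$1"; node="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$node.crt" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/$node.crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$node.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    perms=$(stat -c %a "$dir/$node.key" 2>/dev/null || stat -f %Lp "$dir/$node.key")
    case "$perms" in
        *00) return 0 ;;   # e.g. 600: owner only
        *)   return 1 ;;
    esac
}
```

A certificate signed by some other CA, or a key that later gets `chmod 644`, makes `check_node_cert` return non-zero, which is the case to catch before `service mysqld start`.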
######################## Configure the master node to use SSL ###################################
################ Master node configuration file
thread_concurrency = 8
datadir = /mydata                        #### data directory
innodb_file_per_table = on               #### one file per InnoDB table
skip_name_resolve = on                   #### skip name resolution
ssl                                      #### enable SSL
ssl_ca = /etc/mysql/ssl/cacert.pem       #### CA certificate location
ssl_key = /etc/mysql/ssl/master.key      #### master node key
ssl_cert = /etc/mysql/ssl/master.crt     #### master node certificate
log-bin = /bin/log/master-bin            #### enable binary logging
binlog_format = mixed                    #### binary log format
server-id = 10                           #### unique server-id
[root@node1 CA]# service mysqld start    #### start the master node
Starting MySQL                           [ OK ]
############## Grant a user the slave can replicate with, and require it to use SSL ##############
mysql> grant replication slave, replication client on *.* to 'cpuser'@'%' identified by 'magedu' require ssl;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)




######################## Configure the slave node to use SSL ###################################
################ Slave node configuration file
thread_concurrency = 8
datadir = /mydata                        #### data directory
innodb_file_per_table = on               #### one file per InnoDB table
skip_name_resolve = on                   #### skip name resolution
ssl                                      #### enable SSL
ssl_ca = /etc/mysql/ssl/cacert.pem       #### CA certificate location
ssl_key = /etc/mysql/ssl/slave.key       #### slave node key
ssl_cert = /etc/mysql/ssl/slave.crt      #### slave node certificate
binlog_format = mixed                    #### binary log format
server-id = 20                           #### unique server-id; must not equal the master's 10 (20 is an assumed value)
relay-log = relay-bin                    #### enable the relay log
read-only = on                           #### slave is read-only
[root@node3 CA]# service mysqld start    #### start the slave node
Starting MySQL                           [ OK ]



mysql> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000006 |      669 |              |                  |
+-------------------+----------+--------------+------------------+
############################ Configure the slave node to connect to the master over SSL ##################################
mysql> change master to master_host='172.16.249.141', master_user='cpuser', master_password='magedu',
    -> master_log_file='master-bin.000006', master_log_pos=669,
    -> master_ssl=1, master_ssl_ca='/etc/mysql/ssl/cacert.pem',
    -> master_ssl_cert='/etc/mysql/ssl/slave.crt', master_ssl_key='/etc/mysql/ssl/slave.key';
Query OK, 0 rows affected (0.14 sec)
mysql> start slave;                       ##### start the slave threads
Query OK, 0 rows affected (0.01 sec)
mysql> show slave status\G                ##### check the status
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.249.141
                  Master_User: cpuser
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: master-bin.000006
          Read_Master_Log_Pos: 669
               Relay_Log_File: relay-bin.000002
                Relay_Log_Pos: 536
        Relay_Master_Log_File: master-bin.000006
             Slave_IO_Running: Yes        #### IO thread ready
            Slave_SQL_Running: Yes        #### SQL thread ready
              Replicate_Do_DB:
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 669
              Relay_Log_Space: 827
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /etc/mysql/ssl/slave.crt
            Master_SSL_Cipher:
               Master_SSL_Key: /etc/mysql/ssl/slave.key
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
  Replicate_Ignore_Server_Ids:
             Master_Server_Id: 10
               Master_SSL_Crl: /etc/mysql/ssl/cacert.pem
           Master_SSL_Crlpath:
                   Using_Gtid: No
                  Gtid_IO_Pos:
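An added check (not from the original post) that reads the security-relevant fields out of a `SHOW SLAVE STATUS\G` dump. The sample input is the post's own output above, embedded so the check runs offline; the one finding it raises on that output is `Master_SSL_Verify_Server_Cert: No`.

```shell
#!/bin/sh
# Added example, not from the original post: fail unless the slave's replication
# link is configured for SSL and the master's certificate is actually verified.

# Print the value of one "Name: value" field of \G-style output read from stdin.
slave_field() {
    awk -v want="$1" '$0 ~ ("^[ ]*" want ":") { sub("^[ ]*" want ":[ ]*", ""); print; exit }'
}

# Returns 0 only when the IO thread runs, master_ssl is set, a CA file is set, and
# the slave verifies the master's certificate against it. Prints each finding.
check_slave_ssl() {
    status="$1"; rc=0
    io=$(printf '%s\n' "$status" | slave_field Slave_IO_Running)
    ssl=$(printf '%s\n' "$status" | slave_field Master_SSL_Allowed)
    ca=$(printf '%s\n' "$status" | slave_field Master_SSL_CA_File)
    verify=$(printf '%s\n' "$status" | slave_field Master_SSL_Verify_Server_Cert)
    [ "$io" = "Yes" ]     || { echo "Slave_IO_Running is '$io'"; rc=1; }
    [ "$ssl" = "Yes" ]    || { echo "Master_SSL_Allowed is '$ssl': master_ssl not set"; rc=1; }
    [ -n "$ca" ]          || { echo "Master_SSL_CA_File is empty"; rc=1; }
    # With verification off the slave accepts whatever certificate the master
    # presents, so the CA built earlier is not enforced on the slave side.
    # Fix: CHANGE MASTER TO ... MASTER_SSL_VERIFY_SERVER_CERT=1
    [ "$verify" = "Yes" ] || { echo "Master_SSL_Verify_Server_Cert is '$verify': master cert not checked"; rc=1; }
    return $rc
}

# Constructed sample: the fields from the post's SHOW SLAVE STATUS output that matter here.
SAMPLE_STATUS='               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.249.141
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
              Master_SSL_Cert: /etc/mysql/ssl/slave.crt
               Master_SSL_Key: /etc/mysql/ssl/slave.key
Master_SSL_Verify_Server_Cert: No
                Last_IO_Error: '

check_slave_ssl "$SAMPLE_STATUS" || echo "slave SSL check failed"
```

Run against live output with `mysql -e 'show slave status\G' | ...` by passing the captured text to `check_slave_ssl`; `Master_SSL_Allowed` only reflects the `master_ssl=1` setting, the cipher actually negotiated is visible from the master side as the connection's `Ssl_cipher` status.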
############################### Test results ############################################
##### Create database tb1 on the master node



#### The slave replicated it correctly



With that, SSL-based master-slave replication is configured!
This article is from the blog “我和Linux的那些年”; please keep this attribution: /article/4546162.html