Difference between revisions of "Secure MySQL Connection"
| (18 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Overview== | ==Overview== | ||
| + | '''<span style="color:#FF0000">Currently this feature is only supported on Windows master and remote servers.</span>''' | ||
MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. This article explains how to configure your MySQL server and TCAdmin. | MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. This article explains how to configure your MySQL server and TCAdmin. | ||
| − | == | + | ==Configure the MySQL Server== |
'''The following instructions are provided for your convenience. We do not provide support for configuring ssl on your MySQL server.''' | '''The following instructions are provided for your convenience. We do not provide support for configuring ssl on your MySQL server.''' | ||
| Line 8: | Line 9: | ||
===Install OpenSSL=== | ===Install OpenSSL=== | ||
| − | To know if your server already has OpenSSL installed execute "openssl" from | + | To know if your server already has OpenSSL installed execute "openssl" from SSH or from a command prompt. If you see "OpenSSL>" it is already installed. |
==== CentOS 5/6, Fedora 15, Redhat 5 ==== | ==== CentOS 5/6, Fedora 15, Redhat 5 ==== | ||
<source lang="bash">yum install openssl</source> | <source lang="bash">yum install openssl</source> | ||
| Line 20: | Line 21: | ||
'''Important:''' Execute the commands line by line. Execute them all at once will not create all certificate files. | '''Important:''' Execute the commands line by line. Execute them all at once will not create all certificate files. | ||
| − | After executing the following commands these files should exist in C:\Certificates or / | + | After executing the following commands these files should exist in C:\Certificates or /var/local/ssl/certs. |
* ca-cert.pem | * ca-cert.pem | ||
* ca-key.pem | * ca-key.pem | ||
| Line 28: | Line 29: | ||
====Linux==== | ====Linux==== | ||
| − | <source lang="bash"> | + | <source lang="bash">mkdir -p /var/local/ssl/certs |
| − | + | cd /var/local/ssl/certs | |
| − | cd | ||
openssl genrsa 2048 > ca-key.pem | openssl genrsa 2048 > ca-key.pem | ||
openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem | openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem | ||
| Line 36: | Line 36: | ||
openssl rsa -in server-key.pem -out server-key.pem | openssl rsa -in server-key.pem -out server-key.pem | ||
openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem</source> | openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem</source> | ||
| + | |||
====Windows==== | ====Windows==== | ||
| − | Open a command prompt as administrator. | + | Open a command prompt as administrator. If you installed the 64bit version of OpenSSL change C:\OpenSSL-Win32 to C:\OpenSSL-Win64. |
<source lang="bash">cd \ | <source lang="bash">cd \ | ||
mkdir Certificates | mkdir Certificates | ||
cd Certificates | cd Certificates | ||
| − | C:\OpenSSL\bin\openssl genrsa 2048 > ca-key.pem | + | C:\OpenSSL-Win32\bin\openssl genrsa 2048 > ca-key.pem |
| − | C:\OpenSSL\bin\openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem | + | C:\OpenSSL-Win32\bin\openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem |
| − | C:\OpenSSL\bin\openssl req -newkey rsa:2048 -days 9000 -nodes -keyout server-key.pem > server-req.pem | + | C:\OpenSSL-Win32\bin\openssl req -newkey rsa:2048 -days 9000 -nodes -keyout server-key.pem > server-req.pem |
| − | C:\OpenSSL\bin\openssl rsa -in server-key.pem -out server-key.pem | + | C:\OpenSSL-Win32\bin\openssl rsa -in server-key.pem -out server-key.pem |
| − | C:\OpenSSL\bin\openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem</source> | + | C:\OpenSSL-Win32\bin\openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem</source> |
| + | |||
| + | ===Update the MySQL Configuration and Restart=== | ||
| + | |||
| + | ====Linux==== | ||
| + | Edit /etc/my.cnf. | ||
| + | |||
| + | Find this line: | ||
| + | [mysqld] | ||
| + | |||
| + | Under that line add these lines: | ||
| + | ssl-ca=/var/local/ssl/certs/ca-cert.pem | ||
| + | ssl-cert=/var/local/ssl/certs/server-cert.pem | ||
| + | ssl-key=/var/local/ssl/certs/server-key.pem | ||
| + | |||
| + | Then restart the MySQL service. | ||
| + | |||
| + | ====Windows==== | ||
| + | Edit the my.ini in your MySQL installation folder. For example C:\Program Files\MySQL\MySQL Server 5.5\my.ini. | ||
| + | |||
| + | Find this line: | ||
| + | [mysqld] | ||
| + | |||
| + | Under that line add these lines: | ||
| + | ssl-ca=C:/Certificates/ca-cert.pem | ||
| + | ssl-cert=C:/Certificates/server-cert.pem | ||
| + | ssl-key=C:/Certificates/server-key.pem | ||
| + | |||
| + | Then restart the MySQL service. | ||
| + | |||
| + | ===Check if MySQL is Ready for Secure Connections=== | ||
| + | Log in to your database as root and execute this command: | ||
| + | show variables like '%ssl%'; | ||
| + | |||
| + | The values of have_openssl and have_ssl should be YES: | ||
| + | +---------------+---------------------------------------+ | ||
| + | | Variable_name | Value | | ||
| + | +---------------+---------------------------------------+ | ||
| + | | have_openssl | YES | | ||
| + | | have_ssl | YES | | ||
| + | | ssl_ca | ca-cert.pem | | ||
| + | | ssl_capath | | | ||
| + | | ssl_cert | server-cert.pem | | ||
| + | | ssl_cipher | | | ||
| + | | ssl_key | server-key.pem | | ||
| + | +---------------+---------------------------------------+ | ||
| + | |||
| + | ===Test your Secure Connection=== | ||
| + | Execute this command from SSH or a command prompt. On Windows you might have to enter the full path to mysql.exe. Replace ROOT_PASSWORD with the MySQL server's root password. | ||
| + | mysql -uroot -p'''ROOT_PASSWORD''' --ssl-key= | ||
| + | |||
| + | After a successful connection execute this command: | ||
| + | status | ||
| + | Check the value next to "SSL:". If it says "Cipher in use is DHE-RSA-AESXXX-SHA" the connection is secure. | ||
| + | |||
| + | ==Configure TCAdmin== | ||
| + | To configure TCAdmin for secure connections simply add "Protocol=SSL;" to the connection's additional parameters. This must be done in the master's database connection and in Server Management > Remote DB Connections. Remote servers must be reconfigured with a new ConfigUtility.config. For example: | ||
| + | Additional Parameters: Pooling=false;Compress=true;Connection Lifetime=900;'''Protocol=SSL;''' | ||
| + | |||
| + | ===Confirm that the Connection is Secure=== | ||
| + | After configuring and restarting the monitor check the Monitor's console.log (Logs\Monitor\console.log). The value of "Database Engine" should have "(Secure)" next to it. | ||
| + | TCAdmin - The Game Hosting Control Panel | ||
| + | ... | ||
| + | ... | ||
| + | ... | ||
| + | Database Engine : MySQL '''(Secure)''' | ||
Latest revision as of 00:45, 30 May 2015
Contents
Overview
Currently this feature is only supported on Windows master and remote servers. MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. This article explains how to configure your MySQL server and TCAdmin.
Configure the MySQL Server
The following instructions are provided for your convenience. We do not provide support for configuring ssl on your MySQL server.
For detailed instructions read the MySQL reference manual: http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html
Install OpenSSL
To know if your server already has OpenSSL installed execute "openssl" from SSH or from a command prompt. If you see "OpenSSL>" it is already installed.
CentOS 5/6, Fedora 15, Redhat 5
yum install openssl
Debian 6, Ubuntu 10/11/12
apt-get install openssl
Windows
OpenSSL for Windows can be downloaded from http://slproweb.com/products/Win32OpenSSL.html
Create the Server Certificates
Important: Execute the commands line by line. Execute them all at once will not create all certificate files.
After executing the following commands these files should exist in C:\Certificates or /var/local/ssl/certs.
- ca-cert.pem
- ca-key.pem
- server-cert.pem
- server-key.pem
- server-req.pem
Linux
mkdir -p /var/local/ssl/certs cd /var/local/ssl/certs openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem openssl req -newkey rsa:2048 -days 9000 -nodes -keyout server-key.pem > server-req.pem openssl rsa -in server-key.pem -out server-key.pem openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Windows
Open a command prompt as administrator. If you installed the 64bit version of OpenSSL change C:\OpenSSL-Win32 to C:\OpenSSL-Win64.
cd \ mkdir Certificates cd Certificates C:\OpenSSL-Win32\bin\openssl genrsa 2048 > ca-key.pem C:\OpenSSL-Win32\bin\openssl req -new -x509 -nodes -days 9000 -key ca-key.pem > ca-cert.pem C:\OpenSSL-Win32\bin\openssl req -newkey rsa:2048 -days 9000 -nodes -keyout server-key.pem > server-req.pem C:\OpenSSL-Win32\bin\openssl rsa -in server-key.pem -out server-key.pem C:\OpenSSL-Win32\bin\openssl x509 -req -in server-req.pem -days 9000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Update the MySQL Configuration and Restart
Linux
Edit /etc/my.cnf.
Find this line:
[mysqld]
Under that line add these lines:
ssl-ca=/var/local/ssl/certs/ca-cert.pem ssl-cert=/var/local/ssl/certs/server-cert.pem ssl-key=/var/local/ssl/certs/server-key.pem
Then restart the MySQL service.
Windows
Edit the my.ini in your MySQL installation folder. For example C:\Program Files\MySQL\MySQL Server 5.5\my.ini.
Find this line:
[mysqld]
Under that line add these lines:
ssl-ca=C:/Certificates/ca-cert.pem ssl-cert=C:/Certificates/server-cert.pem ssl-key=C:/Certificates/server-key.pem
Then restart the MySQL service.
Check if MySQL is Ready for Secure Connections
Log in to your database as root and execute this command:
show variables like '%ssl%';
The values of have_openssl and have_ssl should be YES:
+---------------+---------------------------------------+ | Variable_name | Value | +---------------+---------------------------------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca-cert.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_key | server-key.pem | +---------------+---------------------------------------+
Test your Secure Connection
Execute this command from SSH or a command prompt. On Windows you might have to enter the full path to mysql.exe. Replace ROOT_PASSWORD with the MySQL server's root password.
mysql -uroot -pROOT_PASSWORD --ssl-key=
After a successful connection execute this command:
status
Check the value next to "SSL:". If it says "Cipher in use is DHE-RSA-AESXXX-SHA" the connection is secure.
Configure TCAdmin
To configure TCAdmin for secure connections simply add "Protocol=SSL;" to the connection's additional parameters. This must be done in the master's database connection and in Server Management > Remote DB Connections. Remote servers must be reconfigured with a new ConfigUtility.config. For example:
Additional Parameters: Pooling=false;Compress=true;Connection Lifetime=900;Protocol=SSL;
Confirm that the Connection is Secure
After configuring and restarting the monitor check the Monitor's console.log (Logs\Monitor\console.log). The value of "Database Engine" should have "(Secure)" next to it.
TCAdmin - The Game Hosting Control Panel ... ... ... Database Engine : MySQL (Secure)