mysql基于ssl加密认证的主从复制:
Master:
IP地址:172.16.77.77
MySQL版本:5.5.28
操作系统:RHEL5.8

Slave:
IP地址:172.16.12.7
MySQL版本:5.5.28
操作系统:RHEL5.8

基于ssl加密的mysql主从复制概述:
 若要基于ssl加密进行复制传输,则就需要进行证书的签署和认证,这里在主服务器上进行自签署证书,分别为主服务器的mysql和从服务器的mysql颁发证书。

一、准备证书,私钥
1、配置Master为CA服务器

  1. #vim /etc/pki/tls/openssl.cnf
  2. dir = ../../CA修改为
  3. dir = /etc/pki/CA
  4. #(umask 077;openssl genrsa 2048 > private/cakey.pem)
  5. #openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
  6. #mkdir certs crl newcerts
  7. #touch index.txt
  8. #echo 01 > serial

2、为Master上的Mysql准备私钥以及颁发证书

  1. #mkdir /usr/local/mysql/ssl
  2. #cd ssl/
  3. #(umask 077;openssl genrsa 1024 > sql.key)
  4. #openssl req -new -key mysql.key -out sql.csr
  5. #openssl ca -in mysql.csr -out sql.crt
  6. #cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
  7. #chown -R mysql.mysql ssl/

3、为Slave上的Mysql准备私钥以及申请证书
 

  1. #mkdir /usr/local/mysql/ssl
  2. #cd ssl/
  3. #(umask 077;openssl genrsa 1024 > sql.key)
  4. #openssl req -new -key mysql.key -out sql.csr
  5. #scp ./mysql.csr 172.16.77.77:/tmp

4、在Master上为Slave签发证书

  1. #cd /tmp
  2. #openssl ca -in sql.csr -out sql.crt
  3. #scp sql.crt 172.16.12.7:/usr/local/mysql/ssl
  4. #cd /etc/pki/CA
  5. #scp cacert.pem 172.16.12.7:/usr/local/mysql/ssl

二、设置主从服务
在172.16.77.77服务器上
编辑/etc/my.cnf

  1. #vim /etc/my.cnf
  2. 将serier_id修改为1
  3. server_id=1 #修改server_id=1
  4. log_bin=mysql-bin #开启二进制日志
  5. sync_binlog=1 #任何一个事务提交之后就立即写入到磁盘中的二进制文件
  6. innodb_flush_logs_at_trx_commit=1 #任何一个事物提交之后就立即写入到磁盘中的日志文件

保存退出,启动mysql

  1. #service mysqld start

在172.16.12.7服务器上
编辑/etc/my.cnf

  1. #vim /etc/my.cnf
  2. server_id=7 #修改server_id=7
  3. #log-bin #注释掉log-bin,从服务器不需要二进制日志,因此将其关闭
  4. relay-log=mysql-relay #定义中继日志名,开启从服务器中继日志
  5. relay-log-index=mysql-relay.index #定义中继日志索引名,开启从服务器中继索引
  6. read_only=1 #设定从服务器只能进行读操作,不能进行写操作

保存退出,启动mysql

  1. #service mysqld start

三、开启Mysql的ssl功能
在Master上:
登录Mysql查看

  1. mysql> show global variables like '%ssl%';
  2. +---------------+----------+
  3. | Variable_name | Value |
  4. +---------------+----------+
  5. | have_openssl | DISABLED |
  6. | have_ssl | DISABLED |
  7. | ssl_ca | |
  8. | ssl_capath | |
  9. | ssl_cert | |
  10. | ssl_cipher | |
  11. | ssl_key | |
  12. +---------------+----------+
  13. 输出为DISABLED表示ssl还未开启,
  14. 编辑/etc/my.cnf
  15. 在[mysqld]和[mysqldump]之间,加入以下内容:
  16. ssl #表示开启mysql的ssl功能
  18. 保存后重新启动mysql,再次登录mysql
  19. mysql> show global variables like '%ssl%';
  20. +---------------+-------+
  21. | Variable_name | Value |
  22. +---------------+-------+
  23. | have_openssl | YES |
  24. | have_ssl | YES |
  25. | ssl_ca | |
  26. | ssl_capath | |
  27. | ssl_cert | |
  28. | ssl_cipher | |
  29. | ssl_key | |
  30. +---------------+-------+
  31. 输出为YES表示ssl已经开启。

在Slave上:执行同样的操作

  1. mysql> show global variables like '%ssl%';
  2. +---------------+----------+
  3. | Variable_name | Value |
  4. +---------------+----------+
  5. | have_openssl | DISABLED |
  6. | have_ssl | DISABLED |
  7. | ssl_ca | |
  8. | ssl_capath | |
  9. | ssl_cert | |
  10. | ssl_cipher | |
  11. | ssl_key | |
  12. +---------------+----------+
  13. 输出为DISABLED表示ssl还未开启,
  14. 编辑/etc/my.cnf
  15. 在[mysqld]和[mysqldump]之间,加入一行ssl:
  16. ssl
  18. 保存后重新启动mysql,再次登录mysql
  19. mysql> show global variables like '%ssl%';
  20. +---------------+-------+
  21. | Variable_name | Value |
  22. +---------------+-------+
  23. | have_openssl | YES |
  24. | have_ssl | YES |
  25. | ssl_ca | |
  26. | ssl_capath | |
  27. | ssl_cert | |
  28. | ssl_cipher | |
  29. | ssl_key | |
  30. +---------------+-------+
  31. ##输出为YES表示ssl已经开启

四、配置主从服务的ssl功能
在Master上:
编辑配置文件:

  1. vim /etc/my.cnf
  2. 在之前添加的ssl下面添加以下内容:
  3. ssl-ca=/usr/local/mysql/ssl/cacert.pem
  4. ssl-cert=/usr/local/mysql/ssl/sql.crt
  5. ssl-key=/usr/local/mysql/ssl/sql.key
  6. 这里一定要对应到所存放证书和私钥的绝对路径
  7. 保存退出,重新启动Mysql
  8. mysql> show global variables like '%ssl%';
  9. +---------------+---------------------------------+
  10. | Variable_name | Value |
  11. +---------------+---------------------------------+
  12. | have_openssl | YES |
  13. | have_ssl | YES |
  14. | ssl_ca | /usr/local/mysql/ssl/cacert.pem |
  15. | ssl_capath | |
  16. | ssl_cert | /usr/local/mysql/ssl/sql.crt |
  17. | ssl_cipher | |
  18. | ssl_key | /usr/local/mysql/ssl/sql.key |
  19. +---------------+---------------------------------+

在Slave上:
编辑配置文件:

  1. #vim /etc/my.cnf
  2. 在之前添加的ssl下面添加以下内容:
  3. ssl-ca=/usr/local/mysql/ssl/cacert.pem
  4. ssl-cert=/usr/local/mysql/ssl/sql.crt
  5. ssl-key=/usr/local/mysql/ssl/sql.key
  7. 这里一定要对应到您所存放证书和私钥的绝对路径
  8. 保存退出,重新启动Mysql
  9. mysql> show global variables like '%ssl%';
  10. +---------------+---------------------------------+
  11. | Variable_name | Value |
  12. +---------------+---------------------------------+
  13. | have_openssl | YES |
  14. | have_ssl | YES |
  15. | ssl_ca | /usr/local/mysql/ssl/cacert.pem |
  16. | ssl_capath | |
  17. | ssl_cert | /usr/local/mysql/ssl/sql.crt |
  18. | ssl_cipher | |
  19. | ssl_key | /usr/local/mysql/ssl/sql.key |
  20. +---------------+---------------------------------+
  22. 在Slave上:
  23. mysql> change master to
  24. -> master_host='172.16.77.77',
  25. -> master_user='weiyang',
  26. -> master_password='weiyang',
  27. -> master_log_file='mysql-bin.000020',
  28. -> master_log_pos=107,
  29. -> master_ssl=1,
  30. -> master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',
  31. -> master_ssl_cert='/usr/local/mysql/ssl/sql.crt',
  32. -> master_ssl_key='/usr/local/mysql/ssl/sql.key';
  33. Query OK, 0 rows affected (0.17 sec)
  35. mysql> show slave status\G;
  36. *************************** 1. row ***************************
  37. Slave_IO_State:
  38. Master_Host: 172.16.77.77
  39. Master_User: weiyang
  40. Master_Port: 3306
  41. Connect_Retry: 60
  42. Master_Log_File: mysql-bin.000020
  43. Read_Master_Log_Pos: 608
  44. Relay_Log_File: relay-bin.000001
  45. Relay_Log_Pos: 4
  46. Relay_Master_Log_File: mysql-bin.000020
  47. Slave_IO_Running: Yes
  48. Slave_SQL_Running: Yes
  49. Replicate_Do_DB:
  50. Replicate_Ignore_DB:
  51. Replicate_Do_Table:
  52. Replicate_Ignore_Table:
  53. Replicate_Wild_Do_Table:
  54. Replicate_Wild_Ignore_Table:
  55. Last_Errno: 0
  56. Last_Error:
  57. Skip_Counter: 0
  58. Exec_Master_Log_Pos: 608
  59. Relay_Log_Space: 107
  60. Until_Condition: None
  61. Until_Log_File:
  62. Until_Log_Pos: 0
  63. Master_SSL_Allowed: Yes
  64. Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
  65. Master_SSL_CA_Path: /usr/local/mysql/ssl
  66. Master_SSL_Cert: /usr/local/mysql/ssl/sql.crt
  67. Master_SSL_Cipher:
  68. Master_SSL_Key: /usr/local/mysql/ssl/sql.key
  69. Seconds_Behind_Master: NULL
  70. Master_SSL_Verify_Server_Cert: No
  71. Last_IO_Errno: 0
  72. Last_IO_Error:
  73. Last_SQL_Errno: 0
  74. Last_SQL_Error:
  75. Replicate_Ignore_Server_Ids:
  76. Master_Server_Id: 1
  78. mysql> start slave;
  79. Query OK, 0 rows affected (0.00 sec)

输出信息为
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Master_SSL_Allowed: Yes
说明,基于ssl的配置已经成功