mysql+ssl配置

mysql建立ssl安全连接的配置

1、环境、IP、安装包：
centOS 5.4

虚拟机了两台服务器

mysql-5.1.48.tar.gz
openssl-0.9.8b.tar.gz

server:192.168.189.134

client:192.168.189.133

windows_client:192.168.6.82（本地电脑IP）

2、安装openssl
mkdir /test/setup
cd /test/setup
tar zxvf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b
./config
make && make install

3、安装mysql
cd /test/setup
tar zxvf mysql-5.1.48.tar.gz
cd mysql-5.1.48
./configure --prefix=/usr/local/mysql --with-ssl --with-vio
make && make install

useradd mysql
cd /usr/local/mysql
bin/mysql_install_db --user=mysql
chown -R mysql:mysql .
chown -R mysql /usr/local/mysql
chgrp -R mysql .
cp share/mysql/mysql.server /etc/init.d/mysqld
chmod 755 /etc/init.d/mysqld
chkconfig --add mysqld
chkconfig --level 35 mysqld on

ln -s /usr/local/mysql/bin/mysqld_safe /usr/bin/mysqld_safe
ln -s /usr/local/mysql/share/mysql/mysql.server /usr/bin/mysqld
ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql
ln -s /usr/local/mysql/bin/mysqldump /usr/bin/mysqldump
ln -s /usr/local/mysql/bin/mysqladmin /usr/bin/mysqladmin
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
ldconfig

cp /usr/local/mysql/share/mysql/https://www.wendangku.net/doc/af16540594.html,f /etc/https://www.wendangku.net/doc/af16540594.html,f

问题：可能碰到的问题./configure 后会报错
/bin/rm: cannot remove `libtoolt': No such file or directory
答案链接：https://www.wendangku.net/doc/af16540594.html,/1086044/448630

4、开启mysql中ssl功能

登录Mysql查看
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+

如果mysql输出如上所述，那么继续操作开启ssl；如果不是，重新编译安装mysql，注意生成makefile时填写参数正确。
退出mysql，编辑/etc/https://www.wendangku.net/doc/af16540594.html,f
在[mysqld]和[mysqldump]之间，加入下列配置信息：

ssl

保存后重新启动mysql，再次登录mysql
mysql -uroot -p
mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
输出结果显示YES，现在ssl被完美启动起来了。


5、通过openssl生成证书的配置：

在server服务器上生成ssl秘钥

mkdir -p /etc/mysql/newcerts
cd /etc/mysql/newcerts
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
openssl req -newke

y rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

查看一下都生成了什么文件
[root@puppet newcerts]# ll /etc/mysql/newcerts
total 64
-rw-r--r-- 1 root root 1541 Mar 8 16:36 ca-cert.pem
-rw-r--r-- 1 root root 1675 Mar 8 16:33 ca-key.pem
-rw-r--r-- 1 root root 1224 Mar 8 16:40 client-cert.pem
-rw-r--r-- 1 root root 1679 Mar 8 16:40 client-key.pem
-rw-r--r-- 1 root root 1082 Mar 8 16:40 client-req.pem
-rw-r--r-- 1 root root 1224 Mar 8 16:39 server-cert.pem
-rw-r--r-- 1 root root 1675 Mar 8 16:38 server-key.pem
-rw-r--r-- 1 root root 1082 Mar 8 16:38 server-req.pem

好了，秘钥生成了，下面需要做的是把ca-cert.pem、client-cert.pem、and client-key.pem拷贝到client服务器上，首先我们在client服务器上创建同样的文件夹。
mkdir -p /etc/mysql/newcerts

现在在主服务器上把秘钥文件拷贝到client服务器上
scp /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/client-cert.pem /etc/mysql/newcerts/client-key.pem root@192.168.189.133:/etc/mysql/newcerts

继续修改主服务器上的https://www.wendangku.net/doc/af16540594.html,f
在原先上面添加ssl的地方添加证书路径
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem

重启主服务器的Mysql
进入数据库为client的IP端赋权select权限：
GRANT SELECT ON *.* TO 'test1'@'client_IP' IDENTIFIED BY '111111' REQUIRE SSL;

配置clinet端的https://www.wendangku.net/doc/af16540594.html,f
[mysql]下面添加证书路径
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/client-cert.pem
ssl-key=/etc/mysql/client-key.pem
配置完成后，调用mysql程序运行\s或SHOW STATUS LIKE 'SSL%'命令，如果看到SSL:的信息行就说明是加密连接了。如果把SSL相关的配置写进选项文件，则默认是加密连接的。也可用mysql程序的--skip-ssl选项取消加密连接。如果用命令行方式启用加密连接可以这样写：

mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

若是对于windows系统的client的话
把服务器上的证书拷贝到Mysql所在的目录下SSL_key，建立SSL_key目录
my.ini中port=3306下面添加
ssl-ca="C:\wamp\mysql\SSL_key\ca-cert.pem"
ssl-cert="C:\wamp\mysql\SSL_key\client-cert.pem"
ssl-key="C:\wamp\mysql\SSL_key\client-key.pem"
重启生效
也在服务端上为windows赋权
GRANT SELECT ON *.* TO 'test1'@'windows_client_IP' IDENTIFIED BY '111111' REQUIRE SSL;

由于是虚拟机的环境，本地这个windowsIP为192.168.189.1 而不是为实际的IP192.168.7.82赋权

6、在client端测试是否可以用证书登录server端的数

据否
mysql -h192.168.189.134 -utest1 -p
输入密码登录成功

为了证明证书是否起作用
你配置文件中把证书的路径给去掉或则注释掉
再进行登录看是否登录
结果是没有证书登录不上


配置完毕



修改待续~~~~