
Configuring SSL Access for GreatSQL: Single Instance and MGR Cluster Guide

Background

To ensure the confidentiality and integrity of data in transit, and to prevent sensitive information from being eavesdropped on or tampered with during communication, it is recommended to enable SSL-encrypted connections for the GreatSQL service. This applies in particular to untrusted networks (such as public networks) and to scenarios that must meet industry data-security compliance requirements. This document describes how to configure the GreatSQL server to enforce SSL connections and how to issue certificates to clients.

Enabling SSL on a single instance

Initialize the key and certificate files with the following command; datadir must match the database data directory:

/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem

This produces the following new files:

$ ll /greatsql/gdb/dbdata/3313/data/*pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-key.pem
-rw------- 1 greatsql greatsql 1676 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/private_key.pem
-rw-r--r-- 1 greatsql greatsql  452 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/public_key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-key.pem

In the configuration file, add the global parameter that requires encrypted transport:

require_secure_transport=ON

From now on, every non-socket connection to the database must use SSL:

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                13
Current database:
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        6 min 1 sec

Threads: 3  Questions: 19  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.052
--------------

If a login must additionally present a valid SSL client certificate, set the account's requirement to X509:

ALTER USER bing require x509;

Logging in without a certificate now fails:

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'bing'@'172.17.134.55' (using password: YES)

Logging in with the certificate succeeds:

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-ca=/greatsql/gdb/dbdata/3313/data/ca.pem --ssl-cert=/greatsql/gdb/dbdata/3313/data/client-cert.pem --ssl-key=/greatsql/gdb/dbdata/3313/data/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                12
Current database:
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        5 min 17 sec

Threads: 3  Questions: 13  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.041
--------------

Enabling SSL for MGR

Add the following to the database configuration:

loose-group_replication_ssl_mode = REQUIRED
loose-group_replication_recovery_use_ssl = 1

Certificate generation

Either of the following methods enables SSL successfully.

Within an MGR group, all other certificates must be generated from the same ca.pem; otherwise the connections between members fail.

Method 1 (separate SSL files per instance; higher security)

Use a script to generate the SSL certificates for each node. A certificate generated for a given IP address can only be used on the corresponding server.

gen_ca_server_client_cert.sh

[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.4
未检测到CA文件,正在生成统一CA...
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................++++
................++++
e is 65537 (0x010001)
已生成统一CA: ca.pem, ca-key.pem
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
......+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4
Getting CA Private Key
192.168.0.4-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.4-server-key.pem
- 证书: 192.168.0.4-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................+++++
...........................................................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4-client
Getting CA Private Key
192.168.0.4-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.4-client-key.pem
- 证书: 192.168.0.4-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.4-server-cert.pem / 192.168.0.4-server-key.pem
Client证书: 192.168.0.4-client-cert.pem / 192.168.0.4-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#

[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.5
检测到已有CA: ca.pem, ca-key.pem,直接使用
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................................................................................................+++++
..................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5
Getting CA Private Key
192.168.0.5-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.5-server-key.pem
- 证书: 192.168.0.5-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................................+++++
........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5-client
Getting CA Private Key
192.168.0.5-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.5-client-key.pem
- 证书: 192.168.0.5-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.5-server-cert.pem / 192.168.0.5-server-key.pem
Client证书: 192.168.0.5-client-cert.pem / 192.168.0.5-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#

[root@gdb01-001 /data/tmp]$ sh gen_ca_server_client_cert.sh 192.168.0.3
检测到已有CA: ca.pem, ca-key.pem,直接使用
正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3
Getting CA Private Key
192.168.0.3-server-cert.pem: OK
Server证书生成完成:
- 私钥: 192.168.0.3-server-key.pem
- 证书: 192.168.0.3-server-cert.pem
正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
...........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3-client
Getting CA Private Key
192.168.0.3-client-cert.pem: OK
Client证书生成完成:
- 私钥: 192.168.0.3-client-key.pem
- 证书: 192.168.0.3-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.3-server-cert.pem / 192.168.0.3-server-key.pem
Client证书: 192.168.0.3-client-cert.pem / 192.168.0.3-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#

scp the six files to the certificate directory on each node, and remember to fix the file ownership.

Distributing the SSL files

scp ca-key.pem ca.pem 192.168.0.5-client-key.pem 192.168.0.5-client-cert.pem 192.168.0.5-server-cert.pem 192.168.0.5-server-key.pem 192.168.0.5:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.4-client-key.pem 192.168.0.4-client-cert.pem 192.168.0.4-server-cert.pem 192.168.0.4-server-key.pem 192.168.0.4:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.3-client-key.pem 192.168.0.3-client-cert.pem 192.168.0.3-server-cert.pem 192.168.0.3-server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files

Rename the SSL files

rename '192.168.0.5-' '' *

[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]$  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-server-key.pem
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  rename '192.168.0.5-' '' *
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 server-key.pem

Also add the following to the configuration file of every instance:

ssl-ca=/greatsql/gdb/dbdata/3313/ssl_files/ca.pem
ssl-cert=/greatsql/gdb/dbdata/3313/ssl_files/server-cert.pem
ssl-key=/greatsql/gdb/dbdata/3313/ssl_files/server-key.pem

Verify the certificate validity period

openssl x509 -in server-cert.pem -noout -dates
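The page shows only the output of gen_ca_server_client_cert.sh, not its source. The following added example (my own code, not the page's script or anything shipped with GreatSQL) reproduces what that output shows, one shared CA followed by per-node server and client certificates with CN = IP and CN = IP-client, and then adds the checks a practitioner wants before distributing the files: chain verification against ca.pem, the validity-period check from the step above (as a pass/fail function rather than a date listing), and a private-key permission check, since the post-scp listing on this page shows the keys at 0644. It assumes the openssl CLI and writes into the current directory; the CA name GreatSQL-MGR-CA and the validity periods are my choices.

```shell
#!/bin/sh
# Added example, not the page's gen_ca_server_client_cert.sh. Assumes the openssl CLI.
set -eu

# Create the shared CA once, then a server and a client certificate for one node.
# The page notes every group member must be signed by the same ca.pem, so the CA
# is only generated when absent. The CA's CN must differ from the server/client CNs,
# otherwise the server rejects the files.
gen_node_certs() {
  ip="$1"
  if [ ! -f ca.pem ] || [ ! -f ca-key.pem ]; then
    echo "No CA found, generating the shared CA..."
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -key ca-key.pem -sha256 -days 3650 \
      -subj "/CN=GreatSQL-MGR-CA" -out ca.pem
  else
    echo "Using existing CA: ca.pem, ca-key.pem"
  fi
  for role in server client; do
    if [ "$role" = server ]; then cn="$ip"; else cn="$ip-client"; fi
    openssl genrsa -out "$ip-$role-key.pem" 2048 2>/dev/null
    openssl req -new -key "$ip-$role-key.pem" -subj "/CN=$cn" -out "$ip-$role.csr"
    openssl x509 -req -in "$ip-$role.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
      -sha256 -days 825 -out "$ip-$role-cert.pem" 2>/dev/null
    rm -f "$ip-$role.csr"
    openssl verify -CAfile ca.pem "$ip-$role-cert.pem"   # the "...: OK" line in the page's output
  done
  # openssl writes keys 0644; lock them down before scp so the copies are not world-readable.
  chmod 600 ca-key.pem "$ip-server-key.pem" "$ip-client-key.pem"
}

# Returns 0 if $1 chains to ca.pem and is still valid $2 days from now (the page's
# "openssl x509 -dates" check, turned into something a cron job can act on).
cert_ok_for_days() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Returns 0 only if every *-key.pem in directory $1 is mode 0600.
keys_private() {
  for k in "$1"/*-key.pem; do
    case "$(ls -l "$k" 2>/dev/null)" in
      -rw-------*) ;;
      *) return 1 ;;
    esac
  done
}
```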

Method 2 (all instances use the same SSL files; convenient)

On the first node, initialize the certificates directly with the following commands:

/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem

On the other nodes, copy the data with CLONE and then copy the certificates with scp. This makes all nodes share identical certificates, but it does not affect operation.

greatsql> SET GLOBAL clone_valid_donor_list='192.168.0.4:3313';
Query OK, 0 rows affected (0.00 sec)

greatsql> CLONE INSTANCE FROM greatsql@192.168.0.4:3313 IDENTIFIED BY '!QAZ2wsx';

scp ca-key.pem ca.pem client-key.pem client-cert.pem server-cert.pem server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files

Query the SSL status within the MGR group:

SELECT * FROM performance_schema.replication_group_members;

Confirm SSL is in effect:

greatsql> SHOW VARIABLES LIKE 'group_replication_ssl_mode';
+----------------------------+----------+
| Variable_name              | Value    |
+----------------------------+----------+
| group_replication_ssl_mode | REQUIRED |
+----------------------------+----------+
1 row in set (0.00 sec)

greatsql> SHOW VARIABLES LIKE 'group_replication_recovery_use_ssl';
+------------------------------------+-------+
| Variable_name                      | Value |
+------------------------------------+-------+
| group_replication_recovery_use_ssl | ON    |
+------------------------------------+-------+
1 row in set (0.00 sec)

http://www.dtcms.com/a/524624.html
