I was hoping that someone could shed some light on how mysql uses SSL. I am currently up and running with master/slave replication, however, I'd like to make sure that the traffic is secured through SSL. The instructions that I am using are here:
http://dev.mysql.com/doc/refman/5.0/en/replication-solutions-ssl.html
The question that I have is: does the master or the slave store and use the .key?
When I configure the slave, I use the CHANGE MASTER TO command and specify the CA, PATH, CERT, and KEY. Are these the files that are housed on my master server?
I'm also told to specify in my.cnf the [client] CA, CERT, and KEY. Again, are these the files on the master?
I guess I'm just not understanding the workflow. It would seem that the slave would contact the master, the master would require SSL, then the slave would request the public key from the master to establish the secure connection.
Can anyone help me with this? Thanks again!
As shown in 6.3.6.3, Using SSL Connections, clients should have their own ca, cert, and key.
Similar options are used on the client side, although in this case, --ssl-cert and --ssl-key identify the client public and private key. Note that the Certificate Authority certificate, if specified, must be the same as used by the server.
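A worked version of that arrangement, added here as an example rather than taken from the question, the answer or the MySQL manual: the master and the slave each hold their own certificate and key signed by one shared CA, the replication account is created with REQUIRE SSL so it cannot connect in the clear, and the slave's CHANGE MASTER TO names files that live on the slave. The account name, the slave address 10.0.0.2, the master hostname and all file paths are assumptions.

```sql
-- Added example; not from the original thread or the MySQL manual.
-- Assumed: replication user 'repl', slave at 10.0.0.2, file paths below.
--
-- Each host keeps its OWN cert/key; only the CA is common:
--   master my.cnf [mysqld]: ssl-ca=/etc/mysql/ca.pem
--                           ssl-cert=/etc/mysql/master-cert.pem
--                           ssl-key=/etc/mysql/master-key.pem
--   slave  my.cnf [client]: ssl-ca=/etc/mysql/ca.pem
--                           ssl-cert=/etc/mysql/slave-cert.pem
--                           ssl-key=/etc/mysql/slave-key.pem

-- 1) On the MASTER: create the replication account and refuse it in
--    the clear. REQUIRE SSL stops a misconfigured slave from silently
--    falling back to plaintext; REQUIRE X509 would also demand a
--    client certificate signed by the same CA.
CREATE USER 'repl'@'10.0.0.2' IDENTIFIED BY 'CHANGE_ME';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.2' REQUIRE SSL;
FLUSH PRIVILEGES;

-- Confirm the master actually loaded its certificate material.
SHOW VARIABLES LIKE 'have_ssl';   -- expect YES, not DISABLED
SHOW VARIABLES LIKE 'ssl_%';

-- 2) On the SLAVE: point at the master and name the SLAVE's local files.
--    MASTER_SSL_CA is the CA that signed the master's certificate;
--    MASTER_SSL_CERT / MASTER_SSL_KEY are the slave's own client pair.
STOP SLAVE;
CHANGE MASTER TO
    MASTER_HOST     = 'master.example.internal',
    MASTER_USER     = 'repl',
    MASTER_PASSWORD = 'CHANGE_ME',
    MASTER_SSL      = 1,
    MASTER_SSL_CA   = '/etc/mysql/ca.pem',
    MASTER_SSL_CERT = '/etc/mysql/slave-cert.pem',
    MASTER_SSL_KEY  = '/etc/mysql/slave-key.pem';
START SLAVE;

-- 3) Verify on the SLAVE: Slave_IO_Running=Yes together with
--    Master_SSL_Allowed=Yes shows the I/O thread connected, and because
--    of REQUIRE SSL it could only have done so over TLS.
SHOW SLAVE STATUS\G

-- 4) Manual cross-check from the slave with the same files, e.g.
--    mysql --ssl-ca=/etc/mysql/ca.pem --ssl-cert=/etc/mysql/slave-cert.pem
--          --ssl-key=/etc/mysql/slave-key.pem -u repl -p -h master.example.internal
--    then, in that session, a non-empty cipher proves the account's TLS setup:
SHOW STATUS LIKE 'Ssl_cipher';
```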
We are running a cluster "Single master and multiple nodes" (in https://docs.okd.io/latest/install/index.html#multi-masters-using-native-ha-colocated). Let's call our servers oomaster1, oonode1 and oonode2.
I would like to add other masters one day and I think the first step would be to add a VIP oomaster, now pointing only to oomaster1, and then rename the cluster (currently oomaster1) to oomaster.
What would be the best way to proceed? I mean, I can just stop all okd-related services and replace oomaster1 (and its address) with oomaster (and its address) in every file in /etc/origin and /etc/etcd and then restart services. But I suppose it is more complex...
Thanks in advance for any advice.
I think you should replace the existing cluster (master and nodes) with a new cluster configured with the new hostname, because the master and nodes have various certificates deployed based on the master hostname for encrypted communication and authentication. And I have no idea whether or not the existing master hostname can be changed.
I've set up a Percona Xtradb Cluster with 5 nodes on a network that also has a ProxySQL server. I have ProxySQL working, I can log in to the admin interface on port 6032 and administer it and I can also log in through port 6033, connecting to the cluster.
The problem (at least as I see it) is that I am only able to get through the proxy to the cluster (port 6033) by duplicating the user/pass for the cluster at the proxysql level.
I would have thought that there would be some way to have the credentials simply pass through the proxy to the cluster or at least some other way to not have to store the user/pass in two points for these connections.
Is this all exactly by design and I'm just hoping for something that doesn't exist because of good reasons like security/practices or is there some way to improve this setup to not have to tell ProxySQL about every database user I ever need to access the cluster databases?
In short: yes. It's simply the way ProxySQL handles queries.
Also, if security is one of your concerns, you may think of password hashing on the ProxySQL side.
Here's the official doc: Password management on how to configure.
From the Wiki:
Because ProxySQL performs routing based on traffic, when a client connects it cannot yet identify a destination HG, therefore ProxySQL needs to authenticate the client. For this reason, it needs to have some information related to the password of the user: enough information to allow the authentication.
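What "password hashing on the ProxySQL side" looks like in practice, added here as an example and not taken from the answer or from ProxySQL's own documentation: the mysql_native_password hash is copied from a cluster node's mysql.user table so the cleartext is never typed into ProxySQL, admin-hash_passwords ensures anything entered in clear is hashed at load time, and a final query checks that no runtime row is left unhashed. The user name 'app', hostgroup 10 and the hash value are constructed.

```sql
-- Added example; not from the original thread or the ProxySQL wiki.
-- Assumed: application account 'app', writer hostgroup 10.

-- On a Percona/MySQL 5.7 cluster node: read the stored hash, which is
-- '*' + UPPER(SHA1(UNHEX(SHA1(password)))) for mysql_native_password.
-- This value is all ProxySQL needs to authenticate the client itself.
SELECT user, host, authentication_string
FROM mysql.user
WHERE user = 'app';

-- On the ProxySQL admin interface (port 6032):
-- hash any plaintext password in mysql_users when it is loaded to runtime.
SET admin-hash_passwords = 'true';
LOAD ADMIN VARIABLES TO RUNTIME;
SAVE ADMIN VARIABLES TO DISK;

-- Insert the user with the hash copied above (constructed placeholder).
-- use_ssl=1 makes ProxySQL require TLS from the client for this account,
-- so the credential never crosses the network in the clear either.
INSERT INTO mysql_users
    (username, password, default_hostgroup, use_ssl, transaction_persistent)
VALUES
    ('app', '*0123456789ABCDEF0123456789ABCDEF01234567', 10, 1, 1);

-- Apply, then copy the runtime table back before saving, so what lands
-- on disk is the hashed form even for rows that were entered in clear.
LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS FROM RUNTIME;
SAVE MYSQL USERS TO DISK;

-- Check: every runtime password should now start with '*'.
SELECT username, password, use_ssl
FROM runtime_mysql_users
WHERE password NOT LIKE '*%';   -- expect zero rows
```

The backend password stays in the cluster's mysql.user as before; ProxySQL uses the same hash for the frontend handshake, so the two copies are the same secret stored once in cleartext-free form rather than two independently managed passwords.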
I'm working on setting up MySQL to Aurora replication between two RDS instances. When I enable the replication, my slave instance is failing to connect to the master. By default, the security group (default) of both instances is the same since it's a replica.
I was told to allow the IP address of the slave instance in the inbound rules of the master. Since the security group is the same, it doesn't make sense to me. Please correct me if I'm wrong or provide your thoughts.
Note: I'm following this documentation
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Overview.Replication.MySQLReplication.html
Since the security group is the same, it doesn't make sense to me.
Being in the same security group does not mean the two machines can talk to each other. It only means the two machines follow the same set of rules.
To allow a machine in a security group to connect to another machine in the same security group still requires a rule in the security group to allow the access.
When I use DNS server + redis/mysql master/slave as an HA deployment, I found there are two problems:
When the redis/mysql master fails, I promote a slave to be the new master (sentinel for redis and mha for mysql). The domain name change may lag due to DNS caching, but we can lower the DNS TTL or turn off the nscd service.
Long-lived connections may keep connecting to the old master (if the connection is not re-established), which causes problems.
My thought:
After changing the domain name to the new master IP address, we need to kill all existing connections (clients will reconnect and connect to the new master) or power off the original master.
Are there any better ways?
If the two nodes are in the same datacenter, you could use a VIP (Virtual IP) and then move the VIP to the master using corosync; it's an almost "instantaneous" failover.
If the nodes are in two different datacenters, I think you can use ProxySQL, though I haven't tested ProxySQL yet.
I'm trying to set up replication for my database, which is powered by MySQL 5.6.
The master uses RDS and the slave is built on EC2 instance, so the MASTER_HOST has a pretty long hostname (62 characters).
When I use the CHANGE MASTER TO command to specify MASTER_HOST and start the slave, SHOW SLAVE STATUS gives me a connection error, which looks like the hostname overflowed and part of the hostname string (which is 61 characters) has been saved (to master.info also).
I have tried another hostname, which is shorter, and succeeded.
I have checked the document but nothing about MASTER_HOST hostname length limitation has been mentioned.
Is this a bug? Or have I done anything wrong?
Thanks in advance.
There is a limit of 60 characters for the master host on the MySQL side. But luckily you can create another Canonical Name (CNAME) that references the original RDS URL. RFC 1034 mentions that a CNAME chain shouldn't break things.
So you get the chain: your (sub)domain CNAME -> RDS CNAME -> RDS IP.
Make sure nscd, pdnsd or an alternative local DNS cache service is running to avoid too many frequent DNS lookups.