How to configure MatrixOne SSL connection
This document describes how to configure your MatrixOne server to use SSL for database connections. After you secure your MatrixOne connections, malicious users cannot intercept your traffic.
Configure MatrixOne SSL connections
Create the directory to store the SSL keys
To create the directory that will contain the SSL keys, perform the following steps:
Log into your server via SSH and check that the mysql_ssl_rsa_setup tool is in place. Usually, if you have installed MySQL, the mysql_ssl_rsa_setup binary will have been installed with it. If you run the command mysql_ssl_rsa_setup and see the following message, the tool is installed. If not, install MySQL first, and mysql_ssl_rsa_setup will be installed along with it. You can also check the path of the mysql_ssl_rsa_setup binary with whereis:
[pcusername@VM-0-12-centos matrixone]$ mysql_ssl_rsa_setup
2022-10-19 10:57:30 [ERROR] Failed to access directory pointed by --datadir. Please make sure that directory exists and is accessible by mysql_ssl_rsa_setup. Supplied value : /var/lib/mysql
[pcusername@VM-0-12-centos matrixone]$ whereis mysql_ssl_rsa_setup
mysql_ssl_rsa_setup: /usr/bin/mysql_ssl_rsa_setup /usr/share/man/man1/mysql_ssl_rsa_setup.1.gz
Create an SSL key storage directory that MatrixOne can access. For example, run the mkdir /home/user/mo_keys command to create a
Create the SSL keys
To create the SSL keys, perform the following steps:
Run the following commands to create the Certificate Authority (CA) keys:
You'll see in this folder a list of
Insert the following lines in the [cn.frontend] section of the etc/launch-tae-CN-tae-DN/cn.toml file in the MatrixOne folder:

[cn.frontend]
enableTls = true
tlsCertFile = "/home/user/mo_keys/server-cert.pem"
tlsKeyFile = "/home/user/mo_keys/server-key.pem"
tlsCaFile = "/home/user/mo_keys/ca.pem"

If the [cn.frontend] section doesn't exist in the MatrixOne system setting file, you can just create one with the above settings.
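A misconfigured path or an over-permissive key file is the usual reason a TLS-enabled frontend fails to start or leaks its private key to other local users. The script below is an added example, not part of the MatrixOne documentation or code base: it reads the [cn.frontend] section of a cn.toml, confirms enableTls is true, confirms each referenced PEM file is readable, and refuses a server key that is readable by group or others. The make_sample_config helper builds a constructed cn.toml with placeholder files (not real keys) so the check can be run offline; the section name "[another.section]" in that sample is made up only to show that keys outside [cn.frontend] are ignored.

```shell
# Added example (not from the MatrixOne docs): sanity-check the TLS settings
# in cn.toml before launching the service.

# Print the value of one key from the [cn.frontend] section of a toml file.
# Handles only the simple `key = "value"` / `key = true` lines used in the doc.
cn_frontend_value() {
    _file=$1
    _key=$2
    awk -v key="$_key" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[cn\.frontend\][[:space:]]*$/); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # drop "key ="
            gsub(/"/, "", v)                     # drop surrounding quotes
            print v
            exit
        }
    ' "$_file"
}

# Return 0 if the file grants no permissions to group or others (e.g. mode 0600).
# Uses ls so it works on both GNU and BSD userlands.
key_is_private() {
    _mode=$(ls -ld "$1" | cut -c5-10)
    [ "$_mode" = "------" ]
}

# Check one cn.toml: enableTls must be true, every referenced file must be
# readable, and the private key must not be shared. Returns 1 on first problem.
check_tls_config() {
    _cfg=$1
    [ "$(cn_frontend_value "$_cfg" enableTls)" = "true" ] \
        || { echo "enableTls is not true in $_cfg" >&2; return 1; }
    for _k in tlsCertFile tlsKeyFile tlsCaFile; do
        _p=$(cn_frontend_value "$_cfg" "$_k")
        [ -n "$_p" ] || { echo "$_k is missing in $_cfg" >&2; return 1; }
        [ -r "$_p" ] || { echo "$_k: $_p is not readable" >&2; return 1; }
    done
    _key=$(cn_frontend_value "$_cfg" tlsKeyFile)
    key_is_private "$_key" \
        || { echo "tlsKeyFile $_key is readable by group/others; chmod 600 it" >&2; return 1; }
    echo "TLS configuration in $_cfg looks good"
}

# Build a throwaway directory holding a constructed cn.toml and placeholder
# .pem files (NOT real certificates or keys) for offline testing. Prints the
# config path.
make_sample_config() {
    _d=$(mktemp -d)
    mkdir "$_d/mo_keys"
    for _f in server-cert.pem server-key.pem ca.pem; do
        echo "constructed placeholder, not a real PEM" > "$_d/mo_keys/$_f"
    done
    chmod 600 "$_d/mo_keys/server-key.pem"
    cat > "$_d/cn.toml" <<EOF
[cn.frontend]
enableTls = true
tlsCertFile = "$_d/mo_keys/server-cert.pem"
tlsKeyFile = "$_d/mo_keys/server-key.pem"
tlsCaFile = "$_d/mo_keys/ca.pem"

[another.section]
tlsKeyFile = "/this/value/must/be/ignored"
EOF
    echo "$_d/cn.toml"
}

# Stand-alone use: sh check_tls.sh /path/to/etc/launch-tae-CN-tae-DN/cn.toml
if [ $# -eq 1 ]; then
    check_tls_config "$1"
fi
```

Run it against the real cn.toml after editing and again after any key rotation; the permission check matters because mysql_ssl_rsa_setup writes the key files into whatever directory --datadir names, and the user that launches MatrixOne is the only one that needs to read server-key.pem.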
Test the SSL configuration
To test the SSL configuration, perform the following steps:
Launch the MatrixOne service. Please refer to Deploy standalone MatrixOne.
Connect to the MatrixOne service with the MySQL client:
mysql -h IP_ADDRESS -P 6001 -udump -p111
After you connect, run the status command. The output will resemble the following example:
mysql> status
--------------
mysql  Ver 8.0.28 for Linux on x86_64 (MySQL Community Server - GPL)

Connection id:          1001
Current database:
Current user:           email@example.com
SSL:                    Cipher in use is TLS_AES_128_GCM_SHA256
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         8.0.30-MatrixOne-v0.7.0 MatrixOne
Protocol version:       10
Connection:             127.0.0.1 via TCP/IP
Client characterset:    utf8mb4
Server characterset:    utf8mb4
TCP port:               6002
Binary data as:         Hexadecimal
--------------
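The SSL line is the only evidence in that output that the session is encrypted, and the MySQL 8 client's default --ssl-mode is PREFERRED, so a client silently falls back to plaintext if the server does not offer TLS. The following is an added example, not part of the MatrixOne documentation: a small parser that reads status output and reports the negotiated cipher or fails when the line says "Not in use", plus a wrapper that connects with --ssl-mode=REQUIRED so a plaintext fallback is rejected rather than merely reported. The two sample status captures are constructed (the "Not in use" one is what the client prints for an unencrypted session); the host and the dump/111 credentials are the doc's own placeholders.

```shell
# Added example (not from the MatrixOne docs): verify from the client side that
# the session negotiated TLS.

# Print the cipher named on the "SSL:" line of `status` output read from stdin;
# prints nothing when TLS is not in use or the line is absent.
ssl_cipher_from_status() {
    sed -n 's/^[[:space:]]*SSL:[[:space:]]*Cipher in use is[[:space:]]*//p'
}

# Read `status` output from stdin. Return 0 and report the cipher when the
# session is encrypted, 1 otherwise.
tls_in_use() {
    _cipher=$(ssl_cipher_from_status)
    if [ -n "$_cipher" ]; then
        echo "TLS in use: $_cipher"
        return 0
    fi
    echo "TLS is NOT in use on this session" >&2
    return 1
}

# Connect to MatrixOne with the doc's placeholder credentials, but require TLS
# at the client so a plaintext fallback is an error instead of a silent
# downgrade. Usage: mo_tls_check IP_ADDRESS
mo_tls_check() {
    mysql -h "$1" -P 6001 -udump -p111 --ssl-mode=REQUIRED -e status | tls_in_use
}

# Constructed sample captures used for offline checks; field spacing mirrors
# what the mysql client prints.
SAMPLE_STATUS_TLS='Connection id:          1001
SSL:                    Cipher in use is TLS_AES_128_GCM_SHA256
Server version:         8.0.30-MatrixOne-v0.7.0 MatrixOne'

SAMPLE_STATUS_PLAIN='Connection id:          1002
SSL:                    Not in use
Server version:         8.0.30-MatrixOne-v0.7.0 MatrixOne'

# Stand-alone use: check_status.sh IP_ADDRESS connects and checks the session;
# with no argument it runs the parser over the constructed samples.
if [ $# -eq 1 ]; then
    mo_tls_check "$1"
else
    printf '%s\n' "$SAMPLE_STATUS_TLS" | tls_in_use
    printf '%s\n' "$SAMPLE_STATUS_PLAIN" | tls_in_use || true
fi
```

To go one step further and also verify the server's identity, pass the CA written in the earlier step together with a stricter mode, for example --ssl-ca=/home/user/mo_keys/ca.pem --ssl-mode=VERIFY_CA; REQUIRED alone guarantees encryption but accepts any certificate.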