Data transmission encryption

MatrixOne Intelligence uses encrypted transmission by default and supports the TLS protocol, which reduces the risk of leaking sensitive information from the database. Encrypted transmission encrypts and decrypts information with a key, which helps protect data.

Transport Layer Security (TLS) is a widely adopted security protocol, and MatrixOne Intelligence supports multiple protocol versions, including TLS 1.0, TLS 1.1, and TLS 1.2.

How to use

1. Verify that SSL is enabled for MatrixOne Intelligence

  1. Log in to MatrixOne Intelligence, select the target instance, and click Connect > Connect through third-party tools. The instance connection string is shown in the sliding window on the right.

  2. Connect to the MatrixOne Intelligence instance using the MySQL client:

    mysql -h host_ip_address -P 6001 -u <accountname>:<username>:<rolename> -p
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    

    The output above shows that you have connected successfully.

  3. Use the status command to check whether SSL is enabled.

    If SSL is enabled, the output looks like the following example, where the SSL line reads Cipher in use is TLS_AES_128_GCM_SHA256:

    mysql> status
    --------------
    mysql Ver 8.1.0 for macos11.7 on arm64 (Homebrew)
    
    Connection id: 13560771
    Current database:
    Current user: admin@localhost
    SSL: Cipher in use is TLS_AES_128_GCM_SHA256
    Current pager: less
    Using outfile: ''
    Using delimiter: ;
    Server version: 8.0.30-MatrixOne-v2.0.3 MatrixOne
    Protocol version: 10
    Connection: freetier-01.cn-hangzhou.cluster.matrixonecloud.cn via TCP/IP
    Server characterset: utf8mb4
    Db characterset: utf8mb4
    Client characterset: utf8mb4
    Conn. characterset: utf8mb4
    TCP port: 6001
    Binary data as: Hexadecimal
    --------------
    

2. Configure MySQL client parameters

You can also specify encrypted connection behavior through the --ssl-mode parameter when connecting to MatrixOne Intelligence through the MySQL client. The code example is as follows:

    mysql -h host_ip_address -P 6001 -u <accountname>:<username>:<rolename> -p --ssl-mode=PREFERRED

The possible values of ssl-mode are as follows:

| ssl-mode value | Meaning |
| --- | --- |
| DISABLED | No encrypted connection is established using SSL/TLS; synonymous with skip-ssl. |
| PREFERRED | Default behavior. The client first attempts to establish an encrypted connection using SSL/TLS, and attempts a non-SSL/TLS connection if that cannot be established. |
| REQUIRED | The client only attempts to establish an encrypted connection using SSL/TLS; if it cannot be established, the connection fails. |
| VERIFY_CA | Behaves the same as REQUIRED and also verifies that the CA certificate on the server side is valid. |
| VERIFY_IDENTITY | Behaves the same as VERIFY_CA and also verifies that the host in the server-side CA certificate is consistent with the hostname actually connected to. |

Note

When the client specifies --ssl-mode=VERIFY_CA, it must use --ssl-ca to specify the CA certificate. When the client specifies --ssl-mode=VERIFY_IDENTITY, it must specify the CA certificate, use --ssl-key to specify the client's private key, and use --ssl-cert to specify the client's certificate.
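
The status check from step 1 and the ssl-mode table can be combined into a scripted audit, which matters because PREFERRED can fall back to a non-SSL/TLS connection. This is an added example, not part of the MatrixOne documentation: the function names and sample strings are constructed for illustration, and `SSL: Not in use` is the line the mysql client prints for an unencrypted session.

```shell
# Added example: audit the "SSL:" line of mysql client `status` output.

# Print the negotiated cipher from `status` output read on stdin.
# Exit status: 0 = encrypted, 1 = plaintext session, 2 = no SSL line found.
ssl_cipher_from_status() {
    awk '
        /^[ \t]*SSL:/ {
            seen = 1
            if (match($0, /Cipher in use is [^ \t]+/)) {
                print substr($0, RSTART + 17, RLENGTH - 17)  # skip the 17-char label
                ok = 1
            }
            exit
        }
        END { exit (ok ? 0 : (seen ? 1 : 2)) }
    '
}

# Per the ssl-mode table, only REQUIRED and stricter refuse a plaintext fallback.
ssl_mode_enforces_tls() {
    case "$1" in
        REQUIRED|VERIFY_CA|VERIFY_IDENTITY) return 0 ;;
        DISABLED|PREFERRED) return 1 ;;
        *) return 2 ;;
    esac
}

# Report what a session guarantees. $1 = ssl-mode used, $2 = status output.
audit_session() {
    if cipher=$(printf '%s\n' "$2" | ssl_cipher_from_status); then
        if ssl_mode_enforces_tls "$1"; then
            echo "OK: encrypted ($cipher), mode $1 enforces TLS"
        else
            echo "WARN: encrypted ($cipher), but mode $1 does not guarantee TLS"
        fi
    else
        echo "FAIL: no cipher reported in status output"
        return 1
    fi
}

# Constructed samples (not captured output), trimmed to two lines each.
SAMPLE_TLS='Current user: admin@localhost
SSL: Cipher in use is TLS_AES_128_GCM_SHA256'
SAMPLE_PLAIN='Current user: admin@localhost
SSL: Not in use'

audit_session PREFERRED "$SAMPLE_TLS"
audit_session REQUIRED "$SAMPLE_PLAIN" || true
```

A session opened with PREFERRED that happens to be encrypted is reported as a warning rather than a pass, since the same command line would also accept an unencrypted connection.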