[MXS-1535] Maxscale Docs for SSL Configuration Created: 2017-11-21  Updated: 2017-12-01  Resolved: 2017-11-21

Status: Closed
Project: MariaDB MaxScale
Component/s: readwritesplit
Affects Version/s: None
Fix Version/s: 2.1.11

Type: New Feature Priority: Major
Reporter: Wagner Bianchi (Inactive) Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: None
Environment: CentOS 7.2

Description

Folks,

I found two errors when configuring Maxscale with SSL for ReadWriteSplit. We need to add the client certificates to the defined listener and the same client certificates for each server's file you added dynamically to Maxscale 2.1.10:

[root@maxscale maxscale.cnf.d]# cat rwsplit-listener.cnf
[rwsplit-listener]
type=listener
protocol=MySQLClient
service=rwsplit-service
address=0.0.0.0
port=4006
authenticator=MySQLAuth
#authenticator=MySQL
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9
[root@maxscale maxscale.cnf.d]# cat prod_mariadb0*
[prod_mariadb01]
type=server
protocol=MySQLBackend
address=192.168.50.11
port=3306
authenticator=MySQLBackendAuth
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9
[prod_mariadb02]
type=server
protocol=MySQLBackend
address=192.168.50.12
port=3306
authenticator=MySQLBackendAuth
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9
[prod_mariadb03]
type=server
protocol=MySQLBackend
address=192.168.50.13
port=3306
authenticator=MySQLBackendAuth
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9

The issues I found in the docs:

Thanks, and I look forward to hearing from you.
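
As an added illustration (not part of the ticket or of MaxScale itself), the following Python script lints MaxScale 2.1-style listener and server sections for the TLS settings the ticket shows: every section with ssl=required must carry ssl_cert, ssl_key and ssl_ca_cert, ssl_version must be one of the values MaxScale 2.1 accepts (TLSv10, TLSv11, TLSv12, MAX), and ssl_cert_verify_depth must be an integer. The sample config is constructed from the listener and first server above plus a deliberately incomplete section named prod_mariadb04, which is an assumption and does not exist in the ticket. Pointing it at a real maxscale.cnf.d directory with check_files=True additionally reports certificate paths that do not exist on disk.

```python
"""Lint MaxScale 2.1-style listener/server sections for complete TLS settings.

Added example; assumes MaxScale 2.1 option names and that ssl_version
defaults to MAX when omitted.
"""
import configparser
import os

# Keys a section with ssl=required must carry (listener and server alike).
REQUIRED_SSL_KEYS = ("ssl_cert", "ssl_key", "ssl_ca_cert")
# ssl_version values accepted by MaxScale 2.1.
KNOWN_SSL_VERSIONS = {"TLSv10", "TLSv11", "TLSv12", "MAX"}

# Constructed sample: the listener and first server from the ticket, plus a
# made-up server (prod_mariadb04) that lacks ssl_key and uses a bad version.
SAMPLE_CNF = """
[rwsplit-listener]
type=listener
protocol=MySQLClient
service=rwsplit-service
address=0.0.0.0
port=4006
authenticator=MySQLAuth
#authenticator=MySQL
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9

[prod_mariadb01]
type=server
protocol=MySQLBackend
address=192.168.50.11
port=3306
authenticator=MySQLBackendAuth
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_key=/etc/my.cnf.d/certs/client-key.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=TLSv12
ssl_cert_verify_depth=9

[prod_mariadb04]
type=server
protocol=MySQLBackend
address=192.168.50.14
port=3306
ssl=required
ssl_cert=/etc/my.cnf.d/certs/client-cert.pem
ssl_ca_cert=/etc/my.cnf.d/certs/ca-cert.pem
ssl_version=SSLv3
"""


def parse_maxscale_cnf(text):
    """Parse MaxScale's INI-style config: '#' starts a comment, keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",), delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_tls(sections, check_files=False):
    """Return a list of (section, message) findings for listener/server sections."""
    findings = []
    for name, opts in sections.items():
        kind = opts.get("type")
        if kind not in ("listener", "server"):
            continue
        if opts.get("ssl", "disabled") != "required":
            findings.append((name, "ssl is not 'required'; traffic on this %s is plaintext" % kind))
            continue
        for key in REQUIRED_SSL_KEYS:
            if key not in opts:
                findings.append((name, "ssl=required but %s is missing" % key))
        version = opts.get("ssl_version", "MAX")
        if version not in KNOWN_SSL_VERSIONS:
            findings.append((name, "unknown ssl_version %r" % version))
        depth = opts.get("ssl_cert_verify_depth")
        if depth is not None and not depth.isdigit():
            findings.append((name, "ssl_cert_verify_depth must be an integer, got %r" % depth))
        if check_files:  # only meaningful on the MaxScale host itself
            for key in REQUIRED_SSL_KEYS:
                path = opts.get(key)
                if path and not os.path.isfile(path):
                    findings.append((name, "%s points to a missing file: %s" % (key, path)))
    return findings


def lint_text(text, check_files=False):
    """Convenience wrapper: parse then lint a config file's text."""
    return lint_tls(parse_maxscale_cnf(text), check_files)


if __name__ == "__main__":
    for section, message in lint_text(SAMPLE_CNF):
        print("%s: %s" % (section, message))
```

Run against the sample, only the constructed prod_mariadb04 section produces findings (missing ssl_key and an unknown ssl_version); the two sections copied from the ticket pass the key-presence checks.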



Comments
Comment by Wagner Bianchi (Inactive) [ 2017-11-21 ]

Just a sneak peek of the Maxscale 2.1.10 + SSL working on my labs:

 
[root@maxscale maxscale.cnf.d]# cat ~/.my.cnf
[client]
ssl
ssl-ca=/etc/my.cnf.d/certs/ca-cert.pem
ssl-cert=/etc/my.cnf.d/certs/client-cert.pem
ssl-key=/etc/my.cnf.d/certs/client-key.pem
 
[root@maxscale maxscale.cnf.d]# mysql -u wb_ssl -p123456 -h 192.168.50.100 -P 4006
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4206
Server version: 10.0.0 2.1.10-maxscale MariaDB Server
 
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MySQL [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.1.23-MariaDB, for Linux (x86_64) using readline 5.1
 
Connection id:		4206
Current database:
Current user:		wb_ssl@192.168.50.100
SSL:			Cipher in use is AES256-GCM-SHA384
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server:			MySQL
Server version:		10.0.0 2.1.10-maxscale MariaDB Server
Protocol version:	10
Connection:		192.168.50.100 via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
TCP port:		4006
Uptime:			1 hour 3 min 17 sec
 
Threads: 4  Questions: 618  Slow queries: 0  Opens: 18  Flush tables: 1  Open tables: 12  Queries per second avg: 0.162
--------------

Cheers,

Bianchi

Comment by markus makela [ 2017-11-21 ]

The TLS/SSL documentation for 2.1.11 was updated and the errors were corrected.

Comment by Wagner Bianchi (Inactive) [ 2017-11-21 ]

Awesome, thanks Markus!

Generated at Thu Feb 08 04:07:29 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.