[MXS-2344] Support MASTER_SSL in mariadbmon for encrypting replication traffic Created: 2019-02-20 Updated: 2023-12-11 Resolved: 2019-04-15 |
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | mariadbmon |
| Affects Version/s: | 2.3.4 |
| Fix Version/s: | 2.3.6 |
| Type: | New Feature | Priority: | Major |
| Reporter: | Richard Lane | Assignee: | Esa Korhonen |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Environment: | VM and container linux 7.6-centos |
| Issue Links: | |
| Sprint: | MXS-SPRINT-79, MXS-SPRINT-80 |
| Description |
Need MaxScale to support encryption of replication traffic between database nodes of the local cluster being monitored, as well as between the local master and the master of a remote data center. We have been able to provide most of the SSL configuration (certificates, keys, etc.) by configuring a /etc/my.cnf.d/client.cnf file on each local node. This way I believe MaxScale needs only to support the MASTER_SSL=1 option on the CHANGE MASTER TO command during failover. Nokia has a mandatory security requirement that states that all replication traffic must be encrypted. |
| Comments |
| Comment by Esa Korhonen [ 2019-04-15 ] |
This is going to 2.3.6 now. Set "replication_master_ssl=1" in the MariaDB Monitor configuration, and it will add "MASTER_SSL=1" to the CHANGE MASTER TO commands. As noted in the description, this should only be enabled if SSL is otherwise configured on the backend servers. Users should also force SSL on the replication user by running a command like "ALTER USER repl@'%' REQUIRE SSL;". This way the user cannot even connect unless encryption is on. See https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/ for more information. |
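Worked example, added here and not part of the issue or of MaxScale's own code: the backend-side SQL that pairs with setting replication_master_ssl=1 in the monitor section of maxscale.cnf. It enforces TLS on the replication account, shows the shape of the CHANGE MASTER TO statement a replica ends up with once MASTER_SSL=1 is present, and verifies the result. Assumptions: the replication account is repl@'%', the master is reachable as db1.example.internal, and the CA file path is hypothetical. One caveat the page does not spell out: in MariaDB, MASTER_SSL=1 only turns encryption on; the master's certificate is not checked against a CA unless MASTER_SSL_VERIFY_SERVER_CERT=1 is also set, so a replica that trusts any certificate still encrypts but is open to an on-path impostor.

```sql
-- Added example (not from the MaxScale issue or project code).
-- Assumed names: user repl@'%', master db1.example.internal, CA path below.

-- 1. On every node: confirm TLS is actually available before MaxScale is
--    allowed to emit MASTER_SSL=1. 'DISABLED' means certs/keys are not loaded.
SHOW VARIABLES LIKE 'have_ssl';            -- expect Value = YES

-- 2. Force the replication account onto TLS. After this, a replica whose
--    CHANGE MASTER TO lacks MASTER_SSL=1 cannot authenticate at all,
--    which is the fail-closed behaviour the comment above describes.
CREATE USER IF NOT EXISTS 'repl'@'%' IDENTIFIED BY '<strong-password>';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%';
ALTER USER 'repl'@'%' REQUIRE SSL;
SHOW GRANTS FOR 'repl'@'%';                -- the GRANT line now ends in REQUIRE SSL

-- 3. What a replica's replication setup looks like with MASTER_SSL=1.
--    MaxScale generates a statement of this kind during failover/switchover
--    when replication_master_ssl=1; shown here by hand so the optional
--    certificate verification can be seen next to it.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST='db1.example.internal',
  MASTER_USER='repl',
  MASTER_PASSWORD='<strong-password>',
  MASTER_USE_GTID=slave_pos,
  MASTER_SSL=1,
  -- CA path is an assumption; omit if the CA is already supplied node-wide
  -- (e.g. via /etc/my.cnf.d/client.cnf as in the description).
  MASTER_SSL_CA='/etc/my.cnf.d/certs/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE;

-- 4. Verify the I/O thread negotiated TLS and is running.
--    Look at Master_SSL_Allowed (Yes), Master_SSL_Verify_Server_Cert (Yes),
--    Slave_IO_Running (Yes); a REQUIRE SSL account with MASTER_SSL=0 shows
--    Slave_IO_Running = No with an access-denied Last_IO_Error instead.
SHOW SLAVE STATUS;
```

Run step 1 on all nodes and step 2 on the current master before flipping replication_master_ssl=1 in MaxScale, otherwise the first failover will hand out a MASTER_SSL=1 command to a node that cannot complete the TLS handshake and replication will stop rather than degrade to plaintext.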