一 目標 針對MYSQL進行SSL加固,針對小於5.7的版本
二 生成密鑰公鑰文件
mkdir -p /home/work/mysql/ssl
1 openssl genrsa 2048 > ca-key.pem
2 openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca.pem
3 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
4 openssl rsa -in server-key.pem -out server-key.pem
5 openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
6 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
7 openssl rsa -in client-key.pem -out client-key.pem
8 openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
三 文件權限
chown -R mysql:mysql /home/work/mysql/ssl
四 mysql配置文件添加並重啟服務
[client]
ssl-cert = /home/work/mysql/ssl/client-cert.pem
ssl-key = /home/work/mysql/ssl/client-key.pem
[mysqld]
ssl-ca=/home/work/mysql/ssl/ca.pem
ssl-cert=/home/work/mysql/ssl/server-cert.pem
ssl-key=/home/work/mysql/ssl/server-key.pem
五 重新查看變量SSL
mysql> show variables like '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value |
+---------------+--------------------------------------+
| have_openssl | YES |
| have_ssl | YES
六 創建標准用戶
grant all on test.* to test@'%' identified by 'wang1122' require ssl; 需要ssl 屬性
七 登錄測試
mysql -utest -pwang1122 --ssl-ca=/home/work/mysql/ssl/ca.pem --ssl-cert=/home/work/mysql/ssl/client-cert.pem --ssl-key=/home/work/mysql/ssl/client-key.pem --socket=/home/work/mysql/tmp/mysql.sock
八 JAV7jiuA使用
1 導出keystore供java連接使用
keytool -importcert -file ca-cert.pem -keystore truststore --storepass Abc123
2 設置java環境變量編輯/etc/profile 增加一行
export JAVA_OPTS=" -Djavax.net.ssl.trustStore=/home/mysqlcert/truststore -Djavax.net.ssl.trustStorePassword=Abc123"
執行下source /etc/profile使其生效
3 配置jdbc連接url
jdbc.url=jdbc:mysql://127.0.0.1:3306/mydb?verifyServerCertificate=true&useSSL=true&requireSSL=true
九 總結
1 中途開啟了SSL,之前創建的用戶還是可以不經過SSL進行訪問的
2 開啟SSL會有性能損耗