Simplified Percona XtraDB Cluster SSL Configuration

April 21, 2017

Author

Kenn Takara

MySQL

Percona Software

Security

Share this Post:

In this blog post, we’ll look at a feature that recently added to Percona XtraDB Cluster 5.7.16, that makes it easier to configure Percona XtraDB Cluster SSL for all related communications. It uses mode “encrypt=4”, and configures SSL for both IST/Galera communications and SST communications using the same SSL files. “encrypt=4” is a new encryption mode added in Percona XtraDB Cluster 5.7.16 (we’ll cover it in a later blog post).

If this option is used, this will override all other Galera/SST SSL-related file options. This is to ensure that a consistent configuration is applied.

Using this option also means that the Galera/SST communications are using the same keys as client connections.

Example

This example shows how to startup a cluster using this option. We will use the default SSL files created by the bootstrap node. Basically, there are two steps:

Set pxc_encrypt_cluster_traffic=ON on all nodes

Ensure that all nodes share the same SSL files

Step 1: Configuration (on all nodes)

We enable the pxc_encrypt_cluster_traffic option in the configuration files on all nodes. The default value of this option is “OFF”, so we enable it here.

 [mysqld]<br> pxc_encrypt_cluster_traffic=ON

1	[mysqld]<br> pxc_encrypt_cluster_traffic=ON

Step 2: Startup the bootstrap node

After initializing and starting up the bootstrap node, the datadir will contain the necessary data files. Here is some SSL-related log output:

 [Note] Auto generated SSL certificates are placed in data directory.<br> [Warning] CA certificate ca.pem is self signed.<br> [Note] Auto generated RSA key files are placed in data directory.<br>

1	[Note] Auto generated SSL certificates are placed in data directory.<br> [Warning] CA certificate ca.pem is self signed.<br> [Note] Auto generated RSA key files are placed in data directory.<br>

The required files are ca.pem, server-cert.pem and server-key.pem, which are the Certificate Authority (CA) file, the server certificate and the server private key, respectively.

Step 3: Copy the SSL files to all other nodes

Galera views the cluster as a set of homogeneous nodes, so the same configuration is expected on all nodes. Therefore, we have to copy the CA file, the server’s certificate and the server’s private key. By default, MySQL names these: ca.pem, server-cert.pem, and server-key.pem, respectively.

Step 4: Startup the other nodes

This is some log output showing that the SSL certificate files have been found. The other nodes should be using the files that were created on the bootstrap node.

[Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.<br>[Note] Skipping generation of SSL certificates as certificate files are present in data directory.<br>[Warning] CA certificate ca.pem is self signed.<br>[Note] Skipping generation of RSA key pair as key files are present in data directory.

[Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.<br>[Note] Skipping generation of SSL certificates as certificate files are present in data directory.<br>[Warning] CA certificate ca.pem is self signed.<br>[Note] Skipping generation of RSA key pair as key files are present in data directory.

This is some log output (with log_error_verbosity=3), showing the SST reporting on the configuration used.

WSREP_SST: [DEBUG] pxc_encrypt_cluster_traffic is enabled, using PXC auto-ssl configuration<br>WSREP_SST: [DEBUG] with encrypt=4 ssl_ca=/my/data//ca.pem ssl_cert=/my/data//server-cert.pem ssl_key=/my/data//server-key.pem<br><br>

1	WSREP_SST: [DEBUG] pxc_encrypt_cluster_traffic is enabled, using PXC auto-ssl configuration<br>WSREP_SST: [DEBUG] with encrypt=4 ssl_ca=/my/data//ca.pem ssl_cert=/my/data//server-cert.pem ssl_key=/my/data//server-key.pem<br><br>

Customization

The “ssl-ca”, “ssl-cert”, and “ssl-key” options in the “[mysqld]” section can be used to specify the location of the SSL files. If these are not specified, then the datadir is searched (using the default names of “ca.pem”, “server-cert.pem” and “server-key.pem”).

 [mysqld]<br> pxc_encrypt_cluster_traffic=ON<br><br> ssl-ca=/path/to/ca.pem<br> ssl-cert=/path/to/server-cert.pem<br> ssl-key=/path/to/server-key.pem<br><br>

1	[mysqld]<br> pxc_encrypt_cluster_traffic=ON<br><br> ssl-ca=/path/to/ca.pem<br> ssl-cert=/path/to/server-cert.pem<br> ssl-key=/path/to/server-key.pem<br><br>

If you want to implement this yourself, the equivalent configuration file options are:

[mysqld]<br>wsrep_provider_options="socket.ssl_key=server-key.pem;socket.ssl_cert=server-cert.pem;socket.ssl_ca=ca.pem"<br><br>[sst]<br>encrypt=4<br>ssl-ca=ca.pem<br>ssl-cert=server-cert.pem<br>ssl-key=server-key.pem<br>

1	[mysqld]<br>wsrep_provider_options="socket.ssl_key=server-key.pem;socket.ssl_cert=server-cert.pem;socket.ssl_ca=ca.pem"<br><br>[sst]<br>encrypt=4<br>ssl-ca=ca.pem<br>ssl-cert=server-cert.pem<br>ssl-key=server-key.pem<br>

How it works

Determine the location of the SSL files
1. Uses the values if explicitly specified (via the “ssl-ca”, “ssl-cert” and “ssl-key” options in the “[mysqld]” section)
2. If the SSL file options are not specified, we look in the data directory for files named “ca.pem”, “server-cert.pem” and “server-key.pem” for the CA file, the server certificate, and the server key, respectively.

Modify the configuration
1. Overrides the values for socket.ssl_ca, socket.ssl_cert, and socket.ssl_key in wsrep_provider_options in the “[mysqld]” section.
2. Sets “encrypt=4” in the “[sst]” section.
3. Overrides the values for ssl-ca, ssl-cert and ssl-key in the “[sst]” section.