一 目标 针对MYSQL进行SSL加固,针对小于5.7的版本
二 生成密钥公钥文件
mkdir -p /home/work/mysql/ssl
1 openssl genrsa 2048 > ca-key.pem
2 openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca.pem
3 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
4 openssl rsa -in server-key.pem -out server-key.pem
5 openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
6 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
7 openssl rsa -in client-key.pem -out client-key.pem
8 openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
三 文件权限
chown -R mysql:mysql /home/work/mysql/ssl
四 mysql配置文件添加并重启服务
[client]
ssl-cert = /home/work/mysql/ssl/client-cert.pem
ssl-key = /home/work/mysql/ssl/client-key.pem
[mysqld]
ssl-ca=/home/work/mysql/ssl/ca.pem
ssl-cert=/home/work/mysql/ssl/server-cert.pem
ssl-key=/home/work/mysql/ssl/server-key.pem
五 重新查看变量SSL
mysql> show variables like '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value |
+---------------+--------------------------------------+
| have_openssl | YES |
| have_ssl | YES
六 创建标准用户
grant all on test.* to test@'%' identified by 'wang1122' require ssl; 需要ssl 属性
七 登录测试
mysql -utest -pwang1122 --ssl-ca=/home/work/mysql/ssl/ca.pem --ssl-cert=/home/work/mysql/ssl/client-cert.pem --ssl-key=/home/work/mysql/ssl/client-key.pem --socket=/home/work/mysql/tmp/mysql.sock
八 JAV7jiuA使用
1 导出keystore供java连接使用
keytool -importcert -file ca-cert.pem -keystore truststore --storepass Abc123
2 设置java环境变量编辑/etc/profile 增加一行
export JAVA_OPTS=" -Djavax.net.ssl.trustStore=/home/mysqlcert/truststore -Djavax.net.ssl.trustStorePassword=Abc123"
执行下source /etc/profile使其生效
3 配置jdbc连接url
jdbc.url=jdbc:mysql://127.0.0.1:3306/mydb?verifyServerCertificate=true&useSSL=true&requireSSL=true
九 总结
1 中途开启了SSL,之前创建的用户还是可以不经过SSL进行访问的
2 开启SSL会有性能损耗