configure jump server to use SSL for MySQL
How to configure Ezeelogin jump server to use SSL for MySQL database connections on centos?
Mysql-SSL setup on Centos 7,Mysql server 5.5 version
1. Check the Current SSL/TLS Status
Log into a MySQL session
Show the state of the SSL/TLS variables by typing:
The have_openssl and have_ssl variables are both marked as DISABLED. This means that SSL functionality has been compiled into the server, but that it is not yet enabled.
2. Generate SSL/TLS Certificates and Keys
Create a clean environment
[email protected]:~# mkdir /etc/certs && cd /etc/certs
Create the CA certificate
[email protected]:~#openssl genrsa 2048 > ca-key.pem
[email protected]:~#openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem
Create the server certificate, remove passphrase, and sign it
[email protected]:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
[email protected]:~#openssl rsa -in server-key.pem -out server-key.pem
[email protected]:~#openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Create the client certificate, remove passphrase, and sign it
[email protected]:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
roo[email protected]:~#openssl rsa -in client-key.pem -out client-key.pem
[email protected]:~#openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
After generating the certificates, verify them:
[email protected]:~# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
output
server-cert.pem: OK
client-cert.pem: Ok
Enable SSL for MySQL
We have to edit the MySQL configuration file '/etc/my.cnf'
In the '[mysqld]' section, paste the configuration below.
[email protected]:~# vi /etc/my.cnf
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
Restart the MySQL service
After restarting, open up a new MySQL session using the same command as before.
Check state of the SSL/TLS variables by typing:
The have_openssl and have_ssl variables read "YES" instead of "DISABLED" this time.
Check the connection details by the following command :
[[email protected] ~]# mysql -u ezlogin_database_username -p -h hostname or ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
example :
[[email protected] ~]# mysql -u ezlogin_xxxx -p -h 10.11.1.11 --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
SSL cipher is displayed, indicating that SSL is being used to secure our connection.
3. Configure ezeelogin jump server to use SSL for Mysql 5.5
Add mysql_ssl_key,mysql_ssl_cert,mysql_ssl_ca to /usr/local/etc/ezlogin/ez.conf
Edit the /usr/local/etc/ezlogin/ez.conf file add the following
Make sure that you have changed db_port to 3306 & db_host to IP Address of your host
4. Change the bind address & allow the Ezeelogin jump server user to access the database.
Edit the /etc/mysql/mysql.conf.d/mysqld.cnf & change bind-address
Restart the MySQL service
you can find out Ezeelogin jump server dbname and Ezeelogin Mysql username from the ez.conf file
Check if you can log in to MySQL using Ezeelogin databases
If you have any difficulties please contact support
