Home » Categories » Getting Started » Tweaks & Configuration

configure jump server to use SSL for MySQL

Article ID: 206 | Rating: Unrated | Last Updated: Mon, Mar 2, 2020 at 1:45 AM

How to configure ezeelogin jump server to use SSL for MySQL database connections on centos ?

Mysql-SSL setup on Centos 7,mysql server 5.5 version

1. Check the Current SSL/TLS Status

   Log into a MySQL session 

root@gateway:~# mysql -u root -p -h 127.0.0.1

  Show the state of the SSL/TLS variables by typing:

mysql> SHOW VARIABLES LIKE '%ssl%';

Output
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.01 sec)

 

  The have_openssl and have_ssl variables are both marked as DISABLED. This means that SSL functionality has been compiled into the server, but that it is not yet enabled.

 

2. Generate SSL/TLS Certificates and Keys

  Create clean environment

root@gateway:~# mkdir /etc/certs && cd /etc/certs

  Create CA certificate

root@gateway:~#openssl genrsa 2048 > ca-key.pem


root@gateway:~#openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem


 Create server certificate, remove passphrase, and sign it

root@gateway:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem


root@gateway:~#openssl rsa -in server-key.pem -out server-key.pem


root@gateway:~#openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Create client certificate, remove passphrase, and sign it

root@gateway:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem

root@gateway:~#openssl rsa -in client-key.pem -out client-key.pem

root@gateway:~#openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem


After generating the certificates, verify them: 

root@gateway:~#  openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

output

server-cert.pem: OK
client-cert.pem: Ok

 

Enable SSL for MySQL

We have to edit the MySQL configuration file  '/etc/my.cnf'

In the '[mysqld]' section, paste the configuration below.

 

root@gateway:~# vi /etc/my.cnf

 

ssl-ca=/etc/certs/ca.pem

ssl-cert=/etc/certs/server-cert.pem

ssl-key=/etc/certs/server-key.pem

 

Restart the MySQL service

root@gateway:~# systemctl restart mysql

 

After restarting, open up a new MySQL session using the same command as before.

root@gateway:~# mysql -u root -p -h 127.0.0.1

 

Check state of the SSL/TLS variables by typing:

 

mysql> SHOW VARIABLES LIKE '%ssl%';

Output
+---------------+----------------+
| Variable_name | Value          |
+---------------+----------------+
| have_openssl  | YES            |
| have_ssl      | YES            |
| ssl_ca        | Ca.pem         |
| ssl_capath    |                |
| ssl_cert      | server-cert.pem|
| ssl_cipher    |                |
| ssl_crl       |                |
| ssl_crlpath   |                |
| ssl_key       | server-key.pem |
+---------------+----------------+
9 rows in set (0.01 sec)

 

 

The have_openssl and have_ssl variables read "YES" instead of "DISABLED" this time.

 

Check the connection details by the following command :

 

[root@localhost ~]# mysql -u ezlogin_database_username -p -h hostname or ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem 

 

example :

 

 

[root@localhost ~]# mysql -u ezlogin_xxxx -p -h 10.11.1.11 --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem 

 

 

 

 

mysql> \s

--------------- 

. . .

SSL: Cipher in use is DHE-RSA-AES256-SHA

. . .

Connection: 127.0.0.1 via TCP/IP

. . .

---------------- 

SSL cipher is displayed, indicating that SSL is being used to secure our connection.

 

3. Configure ezeelogin jump server to use SSL for Mysql 5.5

 

Add mysql_ssl_key,mysql_ssl_cert,mysql_ssl_ca to /usr/local/etc/ezlogin/ez.conf

 

Edit the  /usr/local/etc/ezlogin/ez.conf file add the following

 

root@gateway:~# vi /usr/local/etc/ezlogin/ez.conf

#Add the following 

system_folder /var/www/ezlogin/
force_https no
uri_path /ezlogin/
db_host 10.10.1.11
db_port 3306
db_name ezlogin_qzms
db_user ezlogin_edcjwz
db_pass dsH)$s5xAE[QgFms
db_prefix aqvo_
cookie_encryption_key ASvs8^pnu^^X9
cookie_name lcrrfs
cookie_path /ezlogin/
www_folder /var/www/html/ezlogin/
admin_user admin
mysql_encrypt yes
mysql_ssl_key /etc/certs/client-key.pem
mysql_ssl_cert /etc/certs/client-cert.pem
mysql_ssl_ca /etc/certs/ca.pem
mysql_ssl_capath /etc/certs/
mysql_ssl_cipher DHE-RSA-AES256-SHA
mysql_ssl_verify no

 

Make sure that you have changed db_port to 3306 & db_host to IP Address of your host

 

 4. Change the bind-address & allow the ezeelogin jump server user to access the database.

 

 Edit the  /etc/mysql/mysql.conf.d/mysqld.cnf & change bind-address 

 

root@gateway:~# vi /etc/mysql/mysql.conf.d/mysqld.cnf

 

Change bind-address to host ip(server ip)

bind-address x.x.x.x (Host ip)

 

  Restart the MySQL service

root@gateway:~# systemctl restart mariadb

  you can find out ezeelogin jump server dbname and ezeelogin mysql username from the ez.conf file

 

root@gateway:~# cat /usr/local/etc/ezlogin/ez.conf


system_folder /var/www/ezlogin/
force_https no
uri_path /ezlogin/
db_host 10.10.1.11
db_port 3306
db_name ezlogin_qzms
db_user ezlogin_edcjwz
db_pass dsH)$s5xAE[QgFms
db_prefix aqvo_
cookie_encryption_key ASvs8^pnu^^X9
cookie_name lcrrfs
cookie_path /ezlogin/
www_folder /var/www/html/ezlogin/
admin_user admin
mysql_encrypt yes
mysql_ssl_key /etc/certs/client-key.pem
mysql_ssl_cert /etc/certs/client-cert.pem
mysql_ssl_ca /etc/certs/ca.pem
mysql_ssl_capath /etc/certs/
mysql_ssl_cipher DHE-RSA-AES256-SHA
mysql_ssl_verify no

 
Login to mysql 

root@gateway:~# mysql -u root -p 

[Enter password]

mysql> grant all on ezlogin_databasename.* to 'mysql_username'@'%' identified by 'password';

example : mysql > grant all on ezlogin_xxx.* to 'ezlogin_xxxx'@'%' identified by 'dsH)$s5xAE[QgFmfsfgg';

mysql > flush privileges;

mysql > exit 

 Check if you can login to mysql using ezeelogin databases

 

root@gateway:~# mysql -u ezeelogin_databasename_username -h 10.11.1.11 -p

Enter Password:

mysql >

mysql > exit

 

If you have any difficulties please contact support 

 

 

 
Posted - Mon, Apr 30, 2018 at 4:11 AM. This article has been viewed 2550 times.
Filed Under: Tweaks & Configuration
0 (0)
Article Rating (No Votes)
Rate this article
    Attached Files
    There are no attachments for this article.
    Related Articles RSS Feed
    How can i disable MySQL strict mode ?
    Viewed 1769 times since Tue, Feb 12, 2019
    How to reset cluster keys in ezeelogin Master-slave Configuration ?
    Viewed 791 times since Fri, Jun 8, 2018
    Enable or Disable or force ssl for the web interface
    Viewed 2419 times since Thu, Jun 15, 2017
    How to find a server by its hostname, ip address, very quickly in ezsh shell
    Viewed 1405 times since Tue, Mar 27, 2018
    How can i reset password / security code ?
    Viewed 2424 times since Wed, Oct 18, 2017
    cron for changing root passwords on servers periodically
    Viewed 2621 times since Thu, Jun 15, 2017
    Will Ezeelogin work behind a firewall or NAT or behind a Proxy?
    Viewed 4282 times since Sat, Jul 8, 2017
    How do i configure Ezeelogin to authenticate using Open_Ldap(Pam-Ldap) in ubuntu?
    Viewed 2756 times since Fri, Feb 23, 2018
    Configure Nginx webserver on Jump server / Bastion host
    Viewed 6669 times since Fri, Nov 3, 2017
    How to pass environment variable through jump server?
    Viewed 941 times since Tue, Jul 17, 2018