configure jump server to use SSL for MySQL
How to configure Ezeelogin jump server to use SSL for MySQL database connections on centos?
Mysql-SSL setup on Centos 7,Mysql server 5.5 version
1. Check the Current SSL/TLS Status
Log into a MySQL session
Show the state of the SSL/TLS variables by typing:
The have_openssl and have_ssl variables are both marked as DISABLED. This means that SSL functionality has been compiled into the server, but that it is not yet enabled.
2. Generate SSL/TLS Certificates and Keys
Create a clean environment
root@gateway:~# mkdir /etc/certs && cd /etc/certs
Create the CA certificate
root@gateway:~#openssl genrsa 2048 > ca-key.pem
root@gateway:~#openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem
Create the server certificate, remove passphrase, and sign it
root@gateway:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
root@gateway:~#openssl rsa -in server-key.pem -out server-key.pem
root@gateway:~#openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Create the client certificate, remove passphrase, and sign it
root@gateway:~#openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
root@gateway:~#openssl rsa -in client-key.pem -out client-key.pem
root@gateway:~#openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
After generating the certificates, verify them:
root@gateway:~# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
output
server-cert.pem: OK
client-cert.pem: Ok
Enable SSL for MySQL
We have to edit the MySQL configuration file '/etc/my.cnf'
In the '[mysqld]' section, paste the configuration below.
root@gateway:~# vi /etc/my.cnf
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
Restart the MySQL service
After restarting, open up a new MySQL session using the same command as before.
Check state of the SSL/TLS variables by typing:
The have_openssl and have_ssl variables read "YES" instead of "DISABLED" this time.
Check the connection details by the following command :
[root@localhost ~]# mysql -u ezlogin_database_username -p -h hostname or ip --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
example :
[root@localhost ~]# mysql -u ezlogin_xxxx -p -h 10.11.1.11 --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/client-cert.pem --ssl-key=/etc/certs/client-key.pem
In Case the certificate verification has been failed, refer SSL certificate failed with MYSQL SSL
SSL cipher is displayed, indicating that SSL is being used to secure our connection.
3. Configure ezeelogin jump server to use SSL for Mysql 5.5
Add mysql_ssl_key,mysql_ssl_cert,mysql_ssl_ca to /usr/local/etc/ezlogin/ez.conf
Edit the /usr/local/etc/ezlogin/ez.conf file add the following
Make sure that you have changed db_port to 3306 & db_host to IP Address of your host
4. Change the bind address & allow the Ezeelogin jump server user to access the database.
Edit the /etc/mysql/mysql.conf.d/mysqld.cnf & change bind-address
Restart the MySQL service
you can find out Ezeelogin jump server dbname and Ezeelogin Mysql username from the ez.conf file
Check if you can log in to MySQL using Ezeelogin databases
If you have any difficulties please contact support
