The underlying communication between components such as OBServer node, liboblog, and ob_admin depends on the libeasy library. Therefore, the supported methods for loading private keys/certificates are the same (local file mode). This means that the CA certificate, user certificate, and private key should be placed in the wallet directory, and they will be read and loaded from this directory when the corresponding configuration item is enabled.
Enable OBServer transmission encryption
The method for enabling OBServer transmission encryption involves the use of multiple configuration items. To enable it, perform the following steps:
Log on to the
systenant as the root user.Specify the method for loading the CA certificate, user certificate, and private key.
alter system set ssl_external_kms_info = ' { "ssl_mode":"file" }';Enable SSL communication on the MySQL port.
By default, SSL communication is disabled on the MySQL port. It can be enabled by configuring the
ssl_client_authenticationparameter and the configuration will take effect immediately.alter system set ssl_client_authentication = 'TRUE'; When the parameter is set to `TRUE`, SSL communication in MySQL is immediately enabled.Configure an SSL allowlist for RPC communication. Since the TCP connections between OBServer nodes are persistent, SSL-encrypted RPC communication can be enabled only after the OBServer nodes are restarted.
An allowlist is required to enable SSL-encrypted RPC communication. alter system set _ob_ssl_invited_nodes='ALL'; Enable SSL for the entire cluster. alter system set _ob_ssl_invited_nodes='135.xxx.xx.xx, 128.xxx.xx.xx'; Enable SSL only for OBServer nodes with the specified IP addresses. ssl
Check whether OBServer transmission encryption is enabled
The most straightforward approach is to capture packets from the MySQL and RPC ports of the OBServer node to check whether the packets are encrypted. You can also use the following method:
Use the system tenant account to log on to an OBServer node from OBClient or a MySQL client, and query the
ssl_cert_expired_timefield in theoceanbase.GV$OB_SERVERSview, to check whether SSL is enabled.This field records the expiration time of the SSL certificate used by the current OBServer node when SSL is enabled. The time is displayed in UTC with a unit of microseconds.
obclient> select svr_ip, svr_port,zone, ssl_cert_expired_time, from_unixtime(ssl_cert_expired_time/1000000) from oceanbase.GV$OB_SERVERS; +--------------+----------+-------+----------------------+---------------------------------------------+ | svr_ip | svr_port | zone | ssl_cert_expired_time | from_unixtime(ssl_key_expired_time/1000000) | +--------------+----------+-------+----------------------+---------------------------------------------+ | 100.xx.xx.xx | 13212 | zone1 | 1871860075 | 2029-04-26 09:07:55 | +--------------+----------+-------+----------------------+---------------------------------------------+ 1 row in set (0.00 sec)
Check whether SSL is enabled on the MySQL port
Log on to an OBServer node from OBClient or a MySQL client and run the \s command to query the SSL field.
obclient> \s
--------------
obclient Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using EditLine wrapper
Connection id: 3221506046
Current database: test
Current user: root@xx.xx.xx.39
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager: less
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection: xx.xx.xx.189 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 13213
Active --------------
Check whether SSL is enabled on the RPC port
In the OBServer.log file, search for the keyword "rpc connection accept" and check the value of use_ssl. If the value is True, SSL is enabled for RPC communication. Otherwise, SSL is disabled.
Note:
You must restart the cluster or disconnect the existing RPC connection for SSL to take effect.