ODP transmission encryption

This topic describes the method for setting up OceanBase Database Proxy (ODP) transmission encryption.

Version information

Starting from V1.8.1, ODP supports the Secure Sockets Layer (SSL) feature. You can use the -V parameter to view the version information of ODP.

To view the version information of ODP, run the following command in the installation path of ODP. Here is an example:

./bin/obproxy -V
obproxy (OceanBase 1.8.1 3870.el6)
REVISION: 3870-local-8df895b0912b58dea3986320baeda7803bf57bd1
BUILD_TIME: Nov  2 2020 21:53:06
BUILD_FLAGS: -g -O2 -D_OB_VERSION=1000 -D_NO_EXCEPTION -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -DNDEBUG -D__USE_LARGEFILE64 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wall -Werror -Wextra -Wunused-parameter -Wformat -Wconversion -Wno-deprecated -Wno-invalid-offsetof -finline-functions -fno-strict-aliasing -mtune=core2 -Wno-psabi -Wno-sign-compare -DGCC_52 -DUSE_POSIX_FALLOCATE -DSUPPORT_SSE4_2 -DHAVE_SCHED_GETCPU -DHAVE_REALTIME_COARSE -DOB_HAVE_EVENTFD -DHAVE_FALLOCATE -DHAVE_MINIDUMP

Set up keys and certificates

Currently, only file setup is supported.

The configuration only applies to new connections and does not affect existing ones. The configuration takes effect immediately without the need for a restart.

After logging on to the ODP with the root@proxysys account, set up certificates, public keys, and private keys through files. Here is an example:

obclient> UPDATE proxyconfig.security_config SET CONFIG_VAL= '{"sourceType" : "FILE", "CA" : "certs/ca.pem", "publicKey" : "certs/server-cert.pem", "privateKey" : "certs/server-key.pem"}' WHERE APP_NAME = 'obproxy' and VERSION = '1';

where

• sourceType must be set to FILE.
• CA specifies the storage path of the CA certificate.
• publicKey specifies the storage path of the public key certificate.
• privateKey specifies the storage path of the private key certificate.

Execute the SELECT statement to check whether the ODP certificates, public key, and private key are set. Here is an example:

obclient> SELECT CONFIG_VAL FROM proxyconfig.security_config WHERE APP_NAME = 'obproxy';
+---------------+
| CONFIG_VAL    |
+---------------+
| SSL INFO FILE |
+---------------+
1 row in set (0.00 sec)

Configure the SSL connection between ODP and the client

The enable_client_ssl parameter specifies whether to enable the SSL connection between ODP and the client. The default value is false, indicating that the SSL connection is not enabled. If the enable_client_ssl parameter is set to true, it means that the SSL connection between ODP and the client is enabled.

The configuration only applies to new connections and does not affect existing ones. The configuration takes effect immediately without the need for a restart.

To establish the SSL connection between ODP and the client, you must ensure that the client supports the SSL feature. For example, you must check that the official MySQL client program (mysql) supports the SSL feature.

After logging on to ODP from a client, you can run the '\s' command to check the value of the SSL parameter. This parameter indicates whether the SSL connection is established between ODP and the client.

• If the value of the SSL parameter is not Not in use, the SSL connection is established between ODP and the client.

• If the value of the SSL parameter is Not in use, the SSL connection is not established between ODP and the client.

Here is an example:

obclient> \s
--------------
obclient  Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using  EditLine wrapper

Connection id:    3221506046
Current database: test
Current user:   root@xx.xx.xx.xx
SSL:      Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager:    less
Using outfile:    ''
Using delimiter:  ;
Server version:   5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection:   xx.xx.xx.xx via TCP/IP
Server characterset:  utf8mb4
Db     characterset:  utf8mb4
Client characterset:  utf8mb4
Conn.  characterset:  utf8mb4
TCP port:   13213
Active      --------------

Configure the SSL connection between ODP and the OBServer node

The enable_server_ssl parameter specifies whether to enable the SSL connection between ODP and the OBServer node. The default value is false, indicating that the SSL connection is not enabled. If the enable_server_ssl parameter is set to true, it means that the SSL connection between ODP and the OBServer node is enabled.

The configuration only applies to new connections and does not affect existing ones. The configuration takes effect immediately without the need for a restart.