Transport Layer Security (TLS) is a cryptographic protocol that provides end-to-end communications security over networks. In addition to TCP, OceanBase Database also supports the Secure Sockets Layer (SSL) and TLS protocols to implement communication encryption. Encrypted transmission reduces leakage of sensitive information in the database. Data is encrypted and decrypted using a key during encrypted transmission, which can effectively protect the security of data. Encrypted transmission can be enabled based on the SSL or TLS protocol.
The following figure shows the architecture of OceanBase Database, which consists of three parts.
The three parts communicate over the following two protocols:
MySQL protocol: The data link layer communicates with the driver layer and the database layer over the extended MySQL protocol. After communication encryption is enabled, all new MySQL connections are encrypted for communication.
OB-RPC protocol: The inherent RPC protocol of OBServer nodes is used for communication between OBServer nodes and between OBServer nodes and liboblog or ob_admin. The connections between OBServer nodes are persistent connections. Therefore, OBServer nodes still communicate with each other in non-encrypted mode after communication encryption is enabled. Communication encryption takes effect only after you restart the cluster.
Components such as OBProxy at the data link layer, OBServer, liboblog, obadmin at the database layer, all support SSL/TLS encrypted communication. They rely on OpenSSL or third-party SSL libraries at the underlying level to provide secure encrypted transmission services for businesses.
OceanBase Database allows you to specify different SSL authentication modes for different database users.
- One-way SSL authentication: The OBServer node must provide the CA certificate to the client. During the communication, the client verifies the validity of the CA certificate provided by the OBServer node.
- Mutual X.509 authentication: The OBServer node and the client must provide their CA certificate to each other and verify the validity of the certificate from each other.
- Special mutual authentication (combinations allowed)
- Authentication with a specified encryption algorithm: the mutual X.509 authentication mode with a specified encryption algorithm.
- Authentication with a specified issuer: the mutual X.509 authentication mode with a specified issuer of the client CA certificate.
- Authentication with a specified SSL subject: the mutual X.509 authentication mode with a specified subject of the client CA certificate.