The underlying communication between components such as OBServer node, liboblog, and ob_admin depends on the libeasy library. Therefore, the supported methods for loading private keys and certificates are the same (local file mode). This means that the CA certificate, user certificate, and private key should be placed in the wallet/ directory, and they will be read and loaded from this directory when the corresponding parameter is enabled.
Enable OBServer transmission encryption
You can enable transmission encryption for an OBServer node by performing the following steps:
Log in to the sys tenant of the database as the root user.
Specify the method for loading the private key, certificate, and CA certificate.
Note
Skip this step when you configure transmission encryption for OBServer nodes in OceanBase Database Community Edition.
ALTER SYSTEM SET ssl_external_kms_info = ' { "ssl_mode":"file" }';
Configure SSL communication on the MySQL port.
SSL communication on the MySQL port is disabled by default. You must specify the SSL protocol version first and then enable SSL communication. The configuration takes effect immediately.
You can specify the SSL protocol version by configuring the sql_protocol_min_tls_version parameter. Supported versions include TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. After you specify a version, the specified version and later versions are supported. For more information, see sql_protocol_min_tls_version.
ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
You can enable SSL communication by configuring the ssl_client_authentication parameter. For more information, see ssl_client_authentication.
-- After the parameter is set to TRUE, SSL is enabled for MySQL communication immediately.
ALTER SYSTEM SET ssl_client_authentication = 'TRUE';
Configure the SSL allowlist for RPC communication. Because TCP connections between OBServer nodes are persistent, RPC SSL-encrypted communication can be enabled only after you restart the OBServer nodes.
-- An allowlist is required for RPC SSL communication.
-- Enable SSL for the entire cluster.
ALTER SYSTEM SET _ob_ssl_invited_nodes='ALL';
-- Enable SSL for OBServer nodes with the specified IP addresses.
ALTER SYSTEM SET _ob_ssl_invited_nodes='135.xxx.xx.xx, 128.xxx.xx.xx';
Configure TLS passwordless authentication
TLS passwordless authentication allows the client to skip loading the CA certificate when it does not need to verify the identity of the OBServer node. Otherwise, the client must load the CA certificate. This section describes how to configure and use TLS passwordless authentication.
Configuration steps
Configure certificates.
Ensure that the CA certificate file (ca.pem) contains certificate information for both parties. Example content:
// Example content of the ca.pem file
-----BEGIN CERTIFICATE-----
// CA certificate of the OBServer node
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
// CA certificate of the client
-----END CERTIFICATE-----
Example:
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIJALjo7NLQCbMwMA0GCSqGSIb3DQEBCwUAMGoxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRkwFwYDVQQHDBBIYWlkaWFuIERpc3Ry
aWN0MQswCQYDVQQKDAJPQjEMMAoGA1UECwwDc3lzMRMwEQYDVQQDDAp3emhfY2Ff
cGVtMB4X
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
TF9TZXJ2ZXJfNS43LjI0X0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X
DTE5MDQyOTA5MDc1NVoXDTI5MDQyNjA5MDc1NVowPDE6MDgGA1UEAwwxTXlTUUxf
U2VydmVy
-----END CERTIFICATE-----
Extract certificate information.
Extract the SUBJECT and ISSUER fields from the certificate and format them in file path style.
// SUBJECT
$ openssl x509 -noout -subject -in client-cert.pem | sed 's/.\{8\}//' | sed 's/, /\//g' | sed 's/ = /=/g' | sed 's/^/\//'
/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=client_pem
// ISSUER
$ openssl x509 -noout -issuer -in client-cert.pem | sed 's/.\{7\}//' | sed 's/, /\//g' | sed 's/ = /=/g' | sed 's/^/\//'
/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=ca_pem
Create a user.
After connecting to the database, specify the certificate by using the REQUIRE clause when creating a user. If no password is specified, the default password is empty.
CREATE USER tony REQUIRE SUBJECT '/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=client_pem';
Log in with the certificate.
$ obclient -h100.88.109.171 -P28205 -uuser1@sys --ssl-ca=/home/user1/wallet2/ca.pem --ssl-cert=/home/user1/wallet2/client-cert.pem --ssl-key=/home/user1/wallet2/client-key.pem
The following is an example of the returned result:
Welcome to the OceanBase monitor.  Commands end with ; or \g.
Your OceanBase connection id is 3221503926
Server version: 5.7.25 OceanBase 4.2.5.1 (r1-9e815083770a3f4a7c9bffd93493d96b58aea72f) (Built Nov 11 2024 11:52:31)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
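The following Python script is an added example, not part of the OceanBase documentation and not code from obclient or openssl, that automates the checks behind steps 1 to 3 above: it counts the certificate blocks in a ca.pem bundle (mutual authentication needs both the OBServer CA and the client CA in the file), converts the line printed by openssl x509 -noout -subject or -issuer into the slash-separated form that REQUIRE SUBJECT expects (the same transformation as the sed pipeline, but it also accepts the older OpenSSL 1.0 output that already uses slashes and values that themselves contain a comma), and builds the CREATE USER statement. The sample PEM text and DN strings are constructed for the example; the optional REQUIRE ... AND ISSUER clause follows MySQL syntax and is an assumption, since this page only shows REQUIRE SUBJECT.

```python
import re

# Constructed sample: a ca.pem bundle holding two abridged certificate
# blocks, standing in for the OBServer CA and the client CA.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIJALjo7NLQCbMwMA0GCSqGSIb3DQEBCwUAMGoxCzAJBgNV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def count_certificates(pem_text):
    """Number of certificate blocks in a PEM bundle."""
    return len(PEM_BLOCK.findall(pem_text))


def ca_bundle_complete(pem_text, required=2):
    """True when ca.pem carries at least the server CA and the client CA."""
    return count_certificates(pem_text) >= required


# Splits on the ", " between RDNs only when the next token looks like an
# attribute name followed by "=", so "L = Haidian District, O = OB" splits
# but a value that itself contains ", " does not.
RDN_SEPARATOR = re.compile(r",\s*(?=[A-Za-z0-9.]+\s*=)")


def dn_to_path(openssl_line):
    """Turn 'subject=C = CN, ST = Beijing, ..., CN = client_pem' (OpenSSL 1.1+
    output) or 'subject= /C=CN/ST=Beijing/...' (OpenSSL 1.0 output) into
    '/C=CN/ST=Beijing/.../CN=client_pem', the form used by REQUIRE SUBJECT."""
    body = re.sub(r"^(subject|issuer)\s*=\s*", "", openssl_line.strip())
    if body.startswith("/"):
        # Older OpenSSL already prints the slash-separated form.
        return body
    parts = []
    for rdn in RDN_SEPARATOR.split(body):
        key, _, value = rdn.partition("=")
        parts.append(f"{key.strip()}={value.strip()}")
    return "/" + "/".join(parts)


def create_user_sql(user, subject_path, issuer_path=None):
    """Build the CREATE USER statement with a REQUIRE SUBJECT clause.
    The AND ISSUER form is MySQL syntax and assumed here, not shown on the page."""
    quote = lambda s: s.replace("'", "''")  # escape single quotes for SQL
    sql = f"CREATE USER {user} REQUIRE SUBJECT '{quote(subject_path)}'"
    if issuer_path:
        sql += f" AND ISSUER '{quote(issuer_path)}'"
    return sql + ";"


if __name__ == "__main__":
    print("ca.pem complete:", ca_bundle_complete(SAMPLE_CA_PEM))
    subject = dn_to_path(
        "subject=C = CN, ST = Beijing, L = Haidian District, O = OB, OU = sys, CN = client_pem"
    )
    print(create_user_sql("tony", subject))
```

Pipe the real certificate through openssl (as in step 2) and pass that output to dn_to_path; the returned string is what goes into the CREATE USER statement, and ca_bundle_complete is a cheap pre-flight check before the login in step 4.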
FAQ
- Certificate authentication modes
- Mutual authentication: When the client specifies --ssl-ca, both parties must verify each other's certificate.
- One-way authentication: When the client does not specify --ssl-ca, only the OBServer node verifies the client certificate.
- Possible causes of login failure
- Login failure with empty password: TLS passwordless authentication requires a certificate. Login with an empty password returns the error ERROR 1045 (42000): Access denied for user 'tony'@'xxx.xxx.xxx.xxx' (using password: NO).
- Certificate verification failure:
  - When the client specifies --ssl-ca for mutual authentication, if the OBServer node's ca.pem does not contain the client's CA certificate, or the client's ca.pem does not contain the OBServer node's CA certificate, the error ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) is returned.
  - The certificate format is incorrect or the certificate has expired.
How to verify that OBServer transmission encryption is enabled
The simplest method is to capture packets on the MySQL and RPC ports to check whether encryption is enabled. Alternatively, you can use the following methods:
Log in to OBServer with OBClient or a MySQL client, and query the ssl_cert_expired_time field in the oceanbase.GV$OB_SERVERS view as the system tenant to verify whether SSL is enabled. This field records the expiration time of the SSL certificate used by the current OBServer node when SSL is enabled. The time is in UTC, in microseconds.
obclient> select svr_ip, svr_port,zone, ssl_cert_expired_time, from_unixtime(ssl_cert_expired_time/1000000) from oceanbase.GV$OB_SERVERS;
+--------------+----------+-------+-----------------------+---------------------------------------------+
| svr_ip       | svr_port | zone  | ssl_cert_expired_time | from_unixtime(ssl_key_expired_time/1000000) |
+--------------+----------+-------+-----------------------+---------------------------------------------+
| 100.xx.xx.xx | 13212    | zone1 | 1871860075            | 2029-04-26 09:07:55                         |
+--------------+----------+-------+-----------------------+---------------------------------------------+
1 row in set (0.00 sec)
Check whether SSL is enabled on the MySQL port
Log in with a MySQL client or OBClient and run \s to view the SSL field. Example:
obclient> \s
--------------
obclient Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using EditLine wrapper
Connection id: 3221506046
Current database: test
Current user: root@xx.xx.xx.39
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager: less
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection: xx.xx.xx.189 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 13213
Active
--------------
Check whether SSL is enabled on the RPC port
In the OBServer.log file, search for the keyword "rpc connection accept" and check whether the value of use_ssl is True or False to determine whether RPC SSL is enabled.
Note
For RPC connections, you must restart the cluster for the configuration to take effect, or disconnect existing RPC connections without restarting the cluster.
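As an added example (not from the OceanBase documentation or the obclient tooling), the following Python helpers turn the two manual checks above into code: one reads the SSL line of obclient's \s output and returns the cipher in use (None when the line does not report a cipher, for example the "Not in use" wording of the MySQL client, which is assumed here), and the other scans observer log lines for the "rpc connection accept" keyword and records the use_ssl value per peer, so that peers whose persistent RPC connections still report use_ssl=False after RPC SSL was enabled can be listed for a restart or reconnect. The log lines and their peer= field are constructed for the example; only the keyword and the use_ssl=True/False values come from the page.

```python
import re

# Constructed, abridged sample of obclient `\s` output for a TLS session.
STATUS_TLS = """--------------
obclient Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using EditLine wrapper

Connection id:          3221506046
SSL:                    Cipher in use is DHE-RSA-AES128-GCM-SHA256
TCP port:               13213
--------------
"""

# Constructed sample for a plaintext session (wording assumed from the MySQL client).
STATUS_PLAIN = """--------------
Connection id:          3221506047
SSL:                    Not in use
TCP port:               13213
--------------
"""

# Constructed observer log lines. Only "rpc connection accept" and
# use_ssl=True/False are taken from the documentation; the rest of the
# line layout, including peer=, is an assumption for this example.
SAMPLE_OBSERVER_LOG = """\
[2024-11-11 11:52:31.000001] INFO  rpc connection accept peer=10.0.0.11:2882 use_ssl=True
[2024-11-11 11:52:31.000002] INFO  rpc connection accept peer=10.0.0.12:2882 use_ssl=False
[2024-11-11 11:52:31.000003] INFO  rpc connection accept peer=10.0.0.13:2882 use_ssl=True
[2024-11-11 11:52:32.000004] INFO  some unrelated line that mentions use_ssl=False
"""


def mysql_port_cipher(status_text):
    """Return the TLS cipher named on the SSL line of `\\s` output,
    or None when the session is not encrypted."""
    line = re.search(r"^SSL:\s*(.*)$", status_text, re.M)
    if not line:
        return None
    cipher = re.match(r"Cipher in use is (\S+)", line.group(1).strip())
    return cipher.group(1) if cipher else None


ACCEPT_LINE = re.compile(r"rpc connection accept.*?peer=(\S+).*?use_ssl=(True|False)")


def rpc_ssl_state(log_text):
    """Map each accepted RPC peer to whether its latest connection uses SSL.
    A later accept for the same peer (after a restart) overrides the earlier one."""
    state = {}
    for line in log_text.splitlines():
        m = ACCEPT_LINE.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "True"
    return state


def rpc_peers_without_ssl(log_text):
    """Peers whose most recent RPC connection was accepted without SSL."""
    return sorted(peer for peer, ssl in rpc_ssl_state(log_text).items() if not ssl)


if __name__ == "__main__":
    print("MySQL port cipher:", mysql_port_cipher(STATUS_TLS))
    print("RPC peers still without SSL:", rpc_peers_without_ssl(SAMPLE_OBSERVER_LOG))
```

Feed the real observer log to rpc_ssl_state after enabling _ob_ssl_invited_nodes: because the accept lines are keyed by peer and the last one wins, a peer that reconnected over SSL after a restart drops out of the rpc_peers_without_ssl list, while peers with connections that predate the change stay on it.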