The underlying communication between OBServer nodes, liboblog, obadmin, and other components relies on the Libeasy library. Therefore, the method for loading private keys and certificates is the same (local file mode). This involves placing the CA certificate, user certificate, and private key in the wallet folder and loading them from this directory based on the configuration settings.
How to enable transmission encryption
To enable transmission encryption for OBServer, you need to configure multiple parameters.
Log in to the sys tenant of the database as the root user.
Specify the method for obtaining the private key, certificate, and CA certificate.
Note
When you configure transmission encryption for OceanBase Database Community Edition, you can ignore this step.
ALTER SYSTEM SET ssl_external_kms_info = ' { "ssl_mode":"file" }';
Configure SSL communication for the MySQL port.
By default, SSL communication for the MySQL port is disabled. You need to specify the SSL protocol version before enabling SSL communication. The changes take effect immediately.
You can specify the SSL protocol version by using the sql_protocol_min_tls_version parameter. Currently, the supported SSL protocol versions are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. After you specify a version, the supported protocol versions include the specified version and all higher versions. For more information, see sql_protocol_min_tls_version.
ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
You can enable SSL connections by using the ssl_client_authentication parameter. For more information about how to enable SSL connections, see ssl_client_authentication.
-- After you set this parameter to TRUE, SSL communication for MySQL is enabled.
ALTER SYSTEM SET ssl_client_authentication = 'TRUE';
Configure the SSL whitelist for RPC communication. Because the TCP connections between OBServer nodes are long connections, you need to restart OBServer to enable RPC SSL encryption.
-- SSL communication for RPC requires a whitelist.
-- Enable SSL communication for the entire cluster.
ALTER SYSTEM SET _ob_ssl_invited_nodes='ALL';
-- Enable SSL communication for OBServer nodes with specified IP addresses.
ALTER SYSTEM SET _ob_ssl_invited_nodes='135.xxx.xx.xx, 128.xxx.xx.xx';
Configure certificate-based authentication without password verification
Certificate-based authentication without password verification allows clients to connect to OBServer without loading the CA certificate. This section describes how to configure and use certificate-based authentication without password verification.
Procedure
Configure the certificate.
Ensure that the CA certificate file (ca.pem) contains the CA certificates of both parties, in the following layout:
// Sample layout of the ca.pem file
-----BEGIN CERTIFICATE-----
// The CA certificate of OBServer
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
// The CA certificate of the client
-----END CERTIFICATE-----
Example:
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIJALjo7NLQCbMwMA0GCSqGSIb3DQEBCwUAMGoxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRkwFwYDVQQHDBBIYWlkaWFuIERpc3Ry
aWN0MQswCQYDVQQKDAJPQjEMMAoGA1UECwwDc3lzMRMwEQYDVQQDDAp3emhfY2Ff
cGVtMB4X
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
TF9TZXJ2ZXJfNS43LjI0X0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X
DTE5MDQyOTA5MDc1NVoXDTI5MDQyNjA5MDc1NVowPDE6MDgGA1UEAwwxTXlTUUxf
U2VydmVy
-----END CERTIFICATE-----
Extract the certificate information.
Extract the SUBJECT and ISSUER fields of the certificate and format them in slash-separated path form.
// SUBJECT
$ openssl x509 -noout -subject -in client-cert.pem | sed 's/.\{8\}//' | sed 's/, /\//g' | sed 's/ = /=/g' | sed 's/^/\//'
/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=client_pem
// ISSUER
$ openssl x509 -noout -issuer -in client-cert.pem | sed 's/.\{7\}//' | sed 's/, /\//g' | sed 's/ = /=/g' | sed 's/^/\//'
/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=ca_pem
Create a user.
After connecting to the database, create a user and specify the certificate by using the REQUIRE clause. If you do not specify a password, the default password is empty.
CREATE USER tony REQUIRE SUBJECT '/C=CN/ST=Beijing/L=Haidian District/O=OB/OU=sys/CN=client_pem';
Log in to the database by using the certificate.
$ obclient -h100.88.109.171 -P28205 -uuser1@sys --ssl-ca=/home/user1/wallet2/ca.pem --ssl-cert=/home/user1/wallet2/client-cert.pem --ssl-key=/home/user1/wallet2/client-key.pem
The returned result is as follows:
Welcome to the OceanBase monitor. Commands end with ; or \g.
Your OceanBase connection id is 3221503926
Server version: 5.7.25 OceanBase 4.2.5.1 (r1-9e815083770a3f4a7c9bffd93493d96b58aea72f) (Built Nov 11 2024 11:52:31)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
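The two preparation steps above (assembling ca.pem from both CA certificates and deriving the SUBJECT/ISSUER paths) as an added shell example that is not part of the original documentation; it assumes POSIX sh with sed and grep, and generalizes the fixed-width sed pipeline so it accepts both OpenSSL output layouts.

```shell
#!/bin/sh
# Added example, not from the OceanBase documentation: helpers for the
# certificate preparation steps above. Requires only POSIX sh, sed and grep;
# openssl is needed only for the optional real-certificate run at the bottom.

# dn_to_path: convert one "openssl x509 -noout -subject|-issuer" output line
# into the slash-separated form used by REQUIRE SUBJECT / REQUIRE ISSUER.
# Unlike the fixed-width sed in the procedure, it strips whatever label
# precedes the first '=' and accepts both the OpenSSL 1.1+ layout
# ("subject=C = CN, ST = Beijing, ...") and the legacy slash layout
# ("subject= /C=CN/ST=Beijing/..."). Same caveat as the original pipeline:
# an attribute value that itself contains ", " or " = " would be mangled.
dn_to_path() {
    dn=$(printf '%s\n' "$1" | sed -e 's/^[A-Za-z]*= *//' -e 's/, /\//g' -e 's/ = /=/g')
    case $dn in
        /*) printf '%s\n' "$dn" ;;
        *)  printf '/%s\n' "$dn" ;;
    esac
}

# ca_pem_ok: for two-way authentication the ca.pem handed to OBServer must
# carry both the OBServer CA and the client CA, so insist on at least two
# PEM certificate blocks (the mismatch behind ERROR 2026 in the FAQ below).
# Returns 0 when the file qualifies, 1 otherwise (including a missing file).
ca_pem_ok() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || :)
    [ "${n:-0}" -ge 2 ]
}

# Optional: run on a real client certificate, e.g. sh dn_path.sh client-cert.pem
if [ "$#" -eq 1 ]; then
    echo "SUBJECT: $(dn_to_path "$(openssl x509 -noout -subject -in "$1")")"
    echo "ISSUER:  $(dn_to_path "$(openssl x509 -noout -issuer -in "$1")")"
fi
```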
Frequently asked questions
- Certificate authentication methods
  - Two-way authentication: When you specify --ssl-ca for the client, both parties verify each other's certificates.
  - One-way authentication: When you do not specify --ssl-ca for the client, only OBServer verifies the client's certificate.
- Possible reasons for login failure
  - Login failure with an empty password: TLS authentication without password verification requires the use of a certificate. If you log in with an empty password, the error ERROR 1045 (42000): Access denied for user 'tony'@'xxx.xxx.xxx.xxx' (using password: NO) is returned.
  - Certificate verification failure:
    - When you specify --ssl-ca for the client to enable two-way authentication, if the ca.pem file of OBServer does not contain the client's CA certificate, or the ca.pem file of the client does not contain the CA certificate of OBServer, the error ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) is returned.
    - The certificate format is incorrect or the certificate has expired.
How to verify whether transmission encryption is enabled for OBServer
The simplest way is to capture packets on the MySQL port and RPC port to check whether encryption is enabled. You can also use the following methods:
Log in to OBServer by using OBClient or a MySQL client. Query the ssl_cert_expired_time field in the oceanbase.GV$OB_SERVERS view of the sys tenant to confirm whether transmission encryption is enabled. This field records the expiration time of the SSL certificate used by the current OBServer when SSL is enabled. The time is in UTC and the unit is microseconds.
obclient> select svr_ip, svr_port, zone, ssl_cert_expired_time, from_unixtime(ssl_cert_expired_time/1000000) from oceanbase.GV$OB_SERVERS;
+--------------+----------+-------+-----------------------+---------------------------------------------+
| svr_ip       | svr_port | zone  | ssl_cert_expired_time | from_unixtime(ssl_key_expired_time/1000000) |
+--------------+----------+-------+-----------------------+---------------------------------------------+
| 100.xx.xx.xx |    13212 | zone1 |            1871860075 | 2029-04-26 09:07:55                         |
+--------------+----------+-------+-----------------------+---------------------------------------------+
1 row in set (0.00 sec)
Check whether SSL is enabled for the MySQL port
Log in to OBServer by using OBClient or a MySQL client and execute \s to view the SSL field. The following is an example:
obclient> \s
--------------
obclient Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using EditLine wrapper
Connection id: 3221506046
Current database: test
Current user: root@xx.xx.xx.39
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager: less
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection: xx.xx.xx.189 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 13213
Active --------------
Check whether SSL is enabled for the RPC port
In the OBServer.log file, search for the keyword "rpc connection accept" to check whether the use_ssl field is set to True or False.
Note
For RPC connections, the changes take effect only after you restart the cluster or disconnect existing RPC connections without restarting the cluster.
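The two verification methods of this section (the certificate expiry from GV$OB_SERVERS and the use_ssl flag on "rpc connection accept" log lines) as an added shell example, not from the original documentation. The exact observer.log line layout is an assumption; only the phrase "rpc connection accept" and the use_ssl True/False field come from the page, and the sample lines below are constructed.

```shell
#!/bin/sh
# Added example, not from the OceanBase documentation: post-enablement checks
# mirroring the two verification methods above. Assumes POSIX sh with awk.
# The log line layout is an assumption; only "rpc connection accept" and the
# use_ssl field are taken from the page.

# rpc_accepts_without_ssl: read "rpc connection accept" lines from stdin,
# print "accepted=<n> plaintext=<m>" and return 1 if any connection was
# accepted with use_ssl=False (RPC links opened before the restart, or peers
# missing from _ob_ssl_invited_nodes, show up as plaintext here).
rpc_accepts_without_ssl() {
    awk '
        /rpc connection accept/ {
            accepted++
            if ($0 !~ /use_ssl[=:] ?[Tt]rue/) plaintext++
        }
        END {
            printf "accepted=%d plaintext=%d\n", accepted, plaintext
            exit (plaintext > 0 ? 1 : 0)
        }'
}

# cert_days_left: ssl_cert_expired_time is UTC microseconds, so divide by
# 1000000 before comparing with epoch seconds; $2 overrides "now" so the
# arithmetic can be checked against a fixed point in time.
cert_days_left() {
    expires_us=$1
    now_s=${2:-$(date +%s)}
    echo $(( (expires_us / 1000000 - now_s) / 86400 ))
}

# Constructed sample log lines (not real observer.log output).
SAMPLE_LOG='[2024-11-11 12:00:01] INFO rpc connection accept, peer=10.0.0.5:2882, use_ssl=True
[2024-11-11 12:00:02] INFO rpc connection accept, peer=10.0.0.6:2882, use_ssl=False
[2024-11-11 12:00:03] INFO unrelated line, use_ssl=False'

if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | rpc_accepts_without_ssl \
        || echo "WARNING: plaintext RPC connections were accepted"
    # 2029-04-26 01:07:55 UTC in microseconds, measured from 2024-11-11 12:00 UTC
    echo "days until certificate expiry: $(cert_days_left 1871860075000000 1731326400)"
fi
```

On a live node, replace the sample with `grep 'rpc connection accept' observer.log | rpc_accepts_without_ssl`.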
