This topic describes how to set transmission encryption of OBServers.
Create a CA certificate
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
Create a directory to store the certificate file.
Note
The Common Name (CN) of the certificate file must be unique.
mkdir ~/tls chmod 700 ~/tls cd ~/tlsGenerate an RSA private key.
$ openssl genrsa 2048 > cakey.pem Generating RSA private key, 2048 bit long modulus ....................................................................+++ ..............+++ e is 65537 (0x10001)Generate a CA certificate.
$ openssl req -new -x509 -nodes -days 3600 -key cakey.pem -out ca.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ZJ Locality Name (eg, city) [Default City]:HZ Organization Name (eg, company) [Default Company Ltd]:OceanBase Organizational Unit Name (eg, section) []:PD Common Name (eg, your name or your server's hostname) []:ob Email Address []:
Generate a server certificate
Log on to the OBServer that supports OpenSSL commands and perform the following steps:
Generate a private key for the OBServer.
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem Generating a 2048 bit RSA private key ............................+++ ................................+++ writing new private key to 'server-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ZJ Locality Name (eg, city) [Default City]:HZ Organization Name (eg, company) [Default Company Ltd]:OceanBase Organizational Unit Name (eg, section) []:PD Common Name (eg, your name or your server's hostname) []:observer Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:OceanBase123 An optional company name []:Generate a server certificate.
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Generate a client certificate
Log on to the client that supports OpenSSL commands and perform the following steps:
Generate a private key for the client.
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem Generating a 2048 bit RSA private key ........................................+++ ...........................................+++ writing new private key to 'client-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ZJ Locality Name (eg, city) [Default City]:HZ Organization Name (eg, company) [Default Company Ltd]:OceanBase Organizational Unit Name (eg, section) []:PD Common Name (eg, your name or your server's hostname) []:obclient Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:OceanBase123 An optional company name []:Generate the certificate for the client.
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey cakey.pem -set_serial 01 -out client-cert .pem Signature ok subject=/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient Getting CA Private Key
Verify the certificate file
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
$ openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Enable SSL on the OBServer
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
Create a sub-directory
wallet/in the installation directory of OceanBase Database on the OBServer. The default directory is/home/admin/oceanbase/wallet/.mkdir /home/admin/oceanbase/wallet/Copy the three server-related files
ca.pem,server-key.pem, andserver-cert.pemto thewallet/directory.$ cp ca.pem server-key.pem server-cert.pem /home/admin/oceanbase/wallet/ $ chmod 700 /home/admin/oceanbase/wallet/*.pem $ ls -l /home/admin/oceanbase/wallet/ total 12 -rwx------ 1 admin admin 1269 Oct 27 20:05 ca.pem -rwx------ 1 admin admin 1151 Oct 27 20:05 server-cert.pem -rwx------ 1 admin admin 1675 Oct 27 20:05 server-key.pem
Configure SSL parameters on the client
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
Set ssl_client_authentication to TRUE to enable SSL/TLS.
obclient> ALTER SYSTEM SET ssl_client_authentication=TRUE;
obclient> SHOW PARAMETERS LIKE 'ssl_client_authentication';
After you modify the parameters, restart your OceanBase database.
Create a database user that uses SSL to connect to the database
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
To make the encryption feature easier to use, OceanBase Database allows you to specify different SSL authentication modes for different database users.
One-way SSL authentication
In this authentication mode, the OBServer must provide the CA certificate, but the client does not need to. During the communication, the client verifies the validity of the CA certificate provided by the OBServer.
Sample code:
obclient> CREATE USER **user1** IDENTIFIED BY ****** REQUIRE SSL;Mutual X.509 authentication
In this authentication mode, the OBServer and the client must provide their CA certificate to each other and verify the validity of the certificate from each other.
Sample code:
obclient> CREATE USER **user2** IDENTIFIED BY ****** REQUIRE X509;Special mutual authentication (combinations allowed)
Authentication with a specified encryption algorithm: the mutual X.509 authentication mode with a specified encryption algorithm.
Authentication with a specified issuer: the mutual X.509 authentication mode with a specified issuer of the client CA certificate.
Authentication with a specified SSL subject: the mutual X.509 authentication mode with a specified subject of the client CA certificate.
The following example specifies the encryption algorithm as DHE-RSA-AES128-GCM-SHA256 and specifies an SSL subject:
obclient> CREATE USER **user3** IDENTIFIED BY ****** REQUIRE CIPHER 'DHE-RSA-AES128-GCM-SHA256' SUBJECT '/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient';
Grant database access permissions to a user
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps:
Grant database access permissions to a user and verify the properties of the user.
Grant database access permissions to the user.
obclient> GRANT all privileges on *.* to **user1**; obclient> GRANT all privileges on *.* to **user2**; obclient> GRANT all privileges on *.* to **user3**;Verify the properties of the user.
MySQL tenant
obclient> SELECT user_name, ssl_type,ssl_cipher, x509_issuer, x509_subject, length(ssl_cipher), length(x509_issuer), length(x509_subject) FROM oceanbase.__all_user WHERE user_name LIKE 'SSLTEST%';Oracle tenant
obclient> SELECT user_name, ssl_type,ssl_cipher, x509_issuer, x509_subject, length(ssl_cipher), length(x509_issuer), length(x509_subject) FROM SYS.ALL_VIRTUAL_USER_AGENT WHERE user_name LIKE 'SSLTEST%';
Configure and connect the client
Log on to the OBServer or client that supports OpenSSL commands and perform the following steps: Copy the client certificate files ca.pem, client-cert.pem, and client-key.pem to the directory that the client can access. Perform the following steps:
Specify to use the mutual X.509 authentication mode.
$ obclient -h <observer-ip> -P2881 -u **user2**@mytenant -p**1** --ssl-ca=/path/to/ca.pem --ssl-cert=/p ath/to/client-cert.pem --ssl-key=/path/to/client-key.pemSpecify the encryption algorithm as DHE-RSA-AES128-GCM-SHA256.
$ obclient -h <observer-ip> -P2881 -u **user3**@mytenant -p**1** --ssl-ca=/path/to/ca.pem --ssl-cert=/pat h/to/client-cert.pem --ssl-key=/path/to/client-key.pem --ssl-cipher=DHE-RSA-AES128-GCM-SHA256
Note
You do not need to specify the certificate for users created by using the
require sslandrequire noneoptions.