Transmission encryption of ODP|V2.2.77|OceanBase Database| docs|Distributed Database

Transmission encryption of ODP

Last Updated：2023-08-18 09:26:34 Updated

This topic describes the method of setting transmission encryption in ODP.

ODP versions

ODP V1.8.1 and later versions support the Secure Sockets Layer (SSL) feature. You can view the ODP version by using the -V option.

Run the following command in the installation path of ODP to view the ODP version:

./bin/obproxy -V
obproxy (OceanBase 1.8.1 3870.el6)
REVISION: 3870-local-8df895b0912b58dea3986320baeda7803bf57bd1
BUILD_TIME: Nov  2 2020 21:53:06
BUILD_FLAGS: -g -O2 -D_OB_VERSION=1000 -D_NO_EXCEPTION -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -DNDEBUG -D__USE_LARGEFILE64 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wall -Werror -Wextra -Wunused-parameter -Wformat -Wconversion -Wno-deprecated -Wno-invalid-offsetof -finline-functions -fno-strict-aliasing -mtune=core2 -Wno-psabi -Wno-sign-compare -DGCC_52 -DUSE_POSIX_FALLOCATE -DSUPPORT_SSE4_2 -DHAVE_SCHED_GETCPU -DHAVE_REALTIME_COARSE -DOB_HAVE_EVENTFD -DHAVE_FALLOCATE -DHAVE_MINIDUMP

Set keys and certificates

You can set keys and certificates by using files.

The setting takes effect only on new connections and does not require device restart.

Log on to ODP with the root@proxysys account and set the certificates, a public key, and a private key by using files.

obclient> UPDATE proxyconfig.security_config SET CONFIG_VAL= '{"sourceType" : "FILE", "CA" : "certs/ca.pem", "publicKey" : "certs/server-cert.pem", "privateKey" : "certs/server-key.pem"}' WHERE APP_NAME = 'obproxy' and VERSION = '1';

The sourceType field must be set to FILE. CA specifies the storage directory of the CA certificate, publicKey specifies the storage directory of the public key certificate, and privateKey specifies the storage directory of the public key certificate.

Execute the SELECT statement to check whether the certificates, public key, and private key of ODP are set.

obclient> SELECT CONFIG_VAL FROM proxyconfig.security_config WHERE APP_NAME = 'obproxy';
+---------------+
| CONFIG_VAL    |
+---------------+
| SSL INFO FILE |
+---------------+
1 row in set (0.00 sec)

Configure SSL connections to clients

The enable_client_ssl parameter specifies whether to establish SSL connections between ODP and clients. The default value is false, indicating that no SSL connection is established to the clients.

If you change the value of the enable_client_ssl parameter to true, ODP can establish SSL connections to the clients.

The setting takes effect only on new connections and does not require device restart.

To implement SSL connections between ODP and clients, you must ensure that the clients support the SSL feature. For example, you must check whether the official client programs of MySQL support the SSL feature.

After you log on to ODP from a client, you can run the '\s' command to check the value of the SSL field. This field indicates whether an SSL connection is established between ODP and the client.

If the returned value of the SSL field is not Not in use, an SSL connection is established between ODP and the client.
If the returned value of the SSL field is Not in use, no SSL connection is established between ODP and the client.

obclient> \s
--------------
obclient  Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using  EditLine wrapper

Connection id:    3221506046
Current database: test
Current user:   root@xx.xx.xx.xx
SSL:      Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager:    less
Using outfile:    ''
Using delimiter:  ;
Server version:   5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection:   xx.xx.xx.xx via TCP/IP
Server characterset:  utf8mb4
Db     characterset:  utf8mb4
Client characterset:  utf8mb4
Conn.  characterset:  utf8mb4
TCP port:   13213
Active      --------------

Configure SSL connections to OBServers

The enable_server_ssl parameter specifies whether to establish SSL connections between ODP and OBServers. The default value is false, indicating that no SSL connection is established to the OBServers.

If you change the value of enable_server_ssl to true, ODP can establish SSL connections to the OBServers.

The setting takes effect only on new connections and does not require device restart.