This topic describes how to configure transport encryption (SSL/TLS) for OBServer nodes: creating a private CA, issuing server and client certificates, installing the server files on the OBServer node, enabling the parameter, and creating users whose connections must use TLS.
Create a CA certificate
Log on to an OBServer node or a client host that has the OpenSSL command-line tool, and perform the following steps:
Create a directory to store the certificate files.
Note
The Common Name (CN) of each certificate must be unique: the CA certificate, the server certificate, and the client certificate must all carry different CNs. If a server or client certificate has the same subject as the CA that signed it, OpenSSL treats it as self-signed and chain verification fails.
$ mkdir ~/tls
$ chmod 700 ~/tls
$ cd ~/tls
Generate an RSA private key for the CA.
$ openssl genrsa 2048 > cakey.pem
Generating RSA private key, 2048 bit long modulus
....................................................................+++
..............+++
e is 65537 (0x10001)
Generate a self-signed CA certificate. cakey.pem is written without a passphrase and is needed only to sign certificates, so protect it with file permissions; it is never copied to an OBServer node (only ca.pem is).
$ openssl req -new -x509 -nodes -days 3600 -key cakey.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:OceanBase
Organizational Unit Name (eg, section) []:PD
Common Name (eg, your name or your server's hostname) []:ob
Email Address []:
Generate a server certificate
Log on to the host that holds ca.pem and cakey.pem (it must have the OpenSSL command-line tool) and perform the following steps:
Generate a private key and a certificate signing request (CSR) for the OBServer node. Use a CN that differs from the CA's CN. The challenge password is an optional CSR attribute that the signing step does not use, so it can be left blank, and -days has no effect on a CSR (the validity period is set when the certificate is signed).
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
............................+++
................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:OceanBase
Organizational Unit Name (eg, section) []:PD
Common Name (eg, your name or your server's hostname) []:observer
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:************
An optional company name []:
Generate the server certificate by signing the CSR with the CA key.
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey cakey.pem -set_serial 01 -out server-cert.pem
Generate a client certificate
Log on to the host that holds ca.pem and cakey.pem (it must have the OpenSSL command-line tool) and perform the following steps:
Generate a private key and a CSR for the client. Use a CN that differs from both the CA's CN and the server's CN.
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
........................................+++
...........................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:OceanBase
Organizational Unit Name (eg, section) []:PD
Common Name (eg, your name or your server's hostname) []:obclient
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:************
An optional company name []:
Generate the certificate for the client. Give it a serial number different from the server certificate's (02 here): every certificate issued by one CA must have a unique serial number, and some TLS implementations reject two certificates from the same issuer that share one.
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey cakey.pem -set_serial 02 -out client-cert.pem
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient
Getting CA Private Key
Verify the certificate file
On the host that holds ca.pem, confirm that both certificates chain to the CA before copying anything to a server:
$ openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Enable SSL on the OBServer node
Log on to the OBServer node and perform the following steps. Every OBServer node in the cluster needs its own wallet/ directory with these files.
Create a sub-directory wallet/ in the installation directory of OceanBase Database on the OBServer node. The default directory is /home/admin/oceanbase/wallet/.
$ mkdir /home/admin/oceanbase/wallet/
Copy the three server-related files ca.pem, server-key.pem, and server-cert.pem to the wallet/ directory, and restrict them so that only the user that runs the observer process (admin by default) can read them. The private key was generated with -nodes and is therefore unencrypted on disk; mode 600 (read/write for the owner only, no execute bit) is what a key file should have. Do not copy cakey.pem, client-key.pem, or client-cert.pem to the server.
$ cp ca.pem server-key.pem server-cert.pem /home/admin/oceanbase/wallet/
$ chmod 600 /home/admin/oceanbase/wallet/*.pem
$ ls -l /home/admin/oceanbase/wallet/
total 12
-rw------- 1 admin admin 1269 Oct 27 20:05 ca.pem
-rw------- 1 admin admin 1151 Oct 27 20:05 server-cert.pem
-rw------- 1 admin admin 1675 Oct 27 20:05 server-key.pem
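The certificate steps above are interactive and leave room for the two mistakes that break this setup most often (a leaf certificate whose CN equals the CA's, and two leaves with the same serial number). The following script is an added example, not part of the OceanBase documentation or the OceanBase project: it generates the same CA, server, and client certificates non-interactively, runs the checks a practitioner wants before copying anything to a server (chain verification, key/certificate match, distinct CNs), and installs only the server-side files into a wallet/ directory with owner-only permissions. It assumes openssl is on PATH; the subject fields, lifetimes, and wallet path are the page's example values and are placeholders.

```shell
#!/bin/sh
# Added example (not from the OceanBase documentation): non-interactive
# version of the CA/server/client certificate procedure plus wallet install.
# Assumptions: openssl on PATH; DNs, -days values and paths are placeholders.

# make_pki DIR: create cakey.pem/ca.pem, server-key.pem/server-cert.pem and
# client-key.pem/client-cert.pem in DIR. Each certificate gets its own CN and
# its own serial number; every file is created owner-only (umask 077).
make_pki() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077
        # 1. CA key and self-signed CA certificate (CN=ob)
        openssl genrsa -out cakey.pem 2048 2>/dev/null || exit 1
        openssl req -new -x509 -nodes -days 3600 -key cakey.pem -out ca.pem \
            -subj "/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=ob" 2>/dev/null || exit 1
        # 2. Server key + CSR, signed by the CA with serial 01 (CN=observer)
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
            -subj "/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=observer" 2>/dev/null || exit 1
        openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey cakey.pem \
            -set_serial 01 -out server-cert.pem 2>/dev/null || exit 1
        # 3. Client key + CSR, signed with a different serial, 02 (CN=obclient)
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
            -subj "/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient" 2>/dev/null || exit 1
        openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey cakey.pem \
            -set_serial 02 -out client-cert.pem 2>/dev/null || exit 1
    ) || return 1
    check_pki "$dir"
}

# check_pki DIR: the checks to run before copying anything to a server.
#   - both leaf certificates chain to ca.pem
#   - each certificate's public key matches its private key
#   - the three CNs are distinct (a leaf with the CA's subject fails to verify)
check_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" \
        >/dev/null 2>&1 || return 1
    for name in server client; do
        [ "$(openssl x509 -in "$dir/$name-cert.pem" -noout -pubkey)" = \
          "$(openssl pkey -in "$dir/$name-key.pem" -pubout 2>/dev/null)" ] || return 1
    done
    # -nameopt compat prints the old /C=CN/ST=.../CN=x form; keep only the CN
    cns=$(for f in ca server-cert client-cert; do
              openssl x509 -in "$dir/$f.pem" -noout -subject -nameopt compat | sed 's/.*CN=//'
          done | sort -u | wc -l | tr -d ' ')
    [ "$cns" -eq 3 ]
}

# install_wallet DIR WALLET: copy the server-side files (never cakey.pem or
# the client files) into WALLET with the permissions the observer user needs.
install_wallet() {
    dir=$1; wallet=$2
    mkdir -p "$wallet" || return 1
    cp "$dir/ca.pem" "$dir/server-key.pem" "$dir/server-cert.pem" "$wallet/" || return 1
    chmod 700 "$wallet" && chmod 600 "$wallet"/*.pem
}

# Usage (hypothetical paths):
#   make_pki ~/tls && install_wallet ~/tls /home/admin/oceanbase/wallet
```

Run install_wallet as the user that owns the OceanBase installation (admin by default) so the copied files end up owned by the account the observer process runs under; repeat it on every OBServer node.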
Configure SSL parameters on the client
Connect to the cluster with obclient as the sys tenant administrator and perform the following steps:
Set ssl_client_authentication to TRUE to enable SSL/TLS, then confirm the new value.
obclient> ALTER SYSTEM SET ssl_client_authentication=TRUE;
obclient> SHOW PARAMETERS LIKE 'ssl_client_authentication';
After you modify the parameter, restart your OceanBase database (the observer processes) so that the OBServer nodes load the certificate files from wallet/. Make sure every node has a readable wallet/ directory before restarting.
Create a database user that uses SSL to connect to the database
Connect to the target tenant with obclient and perform the following steps:
To make the encryption feature easier to use, OceanBase Database allows you to specify a different SSL authentication mode for each database user through the REQUIRE clause of CREATE USER. The available modes are as follows:
One-way SSL authentication (REQUIRE SSL)
In this mode, the connection must be encrypted and the OBServer node presents its server certificate; the client does not present a certificate. The client verifies the server certificate against the CA certificate only if it is started with --ssl-ca, so REQUIRE SSL by itself guarantees encryption, not authentication of the server.
For example:
obclient> CREATE USER user1 IDENTIFIED BY '******' REQUIRE SSL;
Mutual X.509 authentication (REQUIRE X509)
In this mode, the OBServer node and the client each present a certificate and verify the peer's certificate against the CA certificate. The client certificate must be signed by the CA whose ca.pem is in the server's wallet/ directory, and the client must be started with --ssl-cert and --ssl-key.
For example:
obclient> CREATE USER user2 IDENTIFIED BY '******' REQUIRE X509;
Special mutual authentication (combinations allowed)
These modes build on mutual X.509 authentication and add one or more constraints that the client connection must satisfy:
Authentication with a specified cipher suite (REQUIRE CIPHER 'suite'): the connection must negotiate the given OpenSSL cipher suite.
Authentication with a specified issuer (REQUIRE ISSUER 'DN'): the issuer of the client certificate must match the given distinguished name.
Authentication with a specified subject (REQUIRE SUBJECT 'DN'): the subject of the client certificate must match the given distinguished name.
The DN strings must match the certificate field by field, in the slash-separated form shown by openssl x509 -noout -subject -nameopt compat (or the subject= line printed when the certificate was signed).
The following example requires the cipher suite DHE-RSA-AES128-GCM-SHA256 and the subject of the client certificate generated above:
obclient> CREATE USER user3 IDENTIFIED BY '******' REQUIRE CIPHER 'DHE-RSA-AES128-GCM-SHA256' SUBJECT '/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient';
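A REQUIRE SUBJECT or REQUIRE ISSUER value that differs from the certificate by a single character, or a REQUIRE CIPHER / --ssl-cipher suite that the local OpenSSL build does not offer, produces a failed login rather than a useful error. The following script is an added example, not part of the OceanBase documentation or project: it extracts the subject and issuer of a client certificate in exactly the slash-separated form the REQUIRE clause and the __all_user columns use, compares them with the strings you intend to put in CREATE USER, and checks that a cipher suite is known to the local OpenSSL. It assumes openssl is on PATH; the certificate path and DNs are the page's example values.

```shell
#!/bin/sh
# Added example (not from the OceanBase documentation): pre-flight checks for
# CREATE USER ... REQUIRE SUBJECT / ISSUER / CIPHER and the matching obclient
# --ssl-cipher flag. Assumes openssl on PATH; paths and DNs are placeholders.

# cert_dn FILE subject|issuer: print the DN in the slash-separated form that
# REQUIRE SUBJECT / REQUIRE ISSUER expect, e.g.
#   /C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient
# -nameopt compat selects the old OpenSSL output format; the "subject=" or
# "issuer=" prefix (with or without a trailing space) is stripped.
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt compat | sed "s/^$2= *//"
}

# check_require CERT SUBJECT [ISSUER]: return 0 only if CERT's subject (and
# issuer, if given) are byte-for-byte equal to the strings you are about to
# put in CREATE USER. Field order, spacing and case all matter.
check_require() {
    cert=$1; want_subject=$2; want_issuer=${3:-}
    [ "$(cert_dn "$cert" subject)" = "$want_subject" ] || return 1
    if [ -n "$want_issuer" ]; then
        [ "$(cert_dn "$cert" issuer)" = "$want_issuer" ] || return 1
    fi
    return 0
}

# cipher_supported SUITE: return 0 if the local OpenSSL knows SUITE.
# REQUIRE CIPHER and --ssl-cipher take OpenSSL TLS 1.2 suite names; a suite
# that the client or server build lacks makes the TLS handshake fail.
cipher_supported() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Usage with the page's client certificate (hypothetical path):
#   check_require /path/to/client-cert.pem \
#       '/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=obclient' \
#       '/C=CN/ST=ZJ/L=HZ/O=OceanBase/OU=PD/CN=ob' &&
#   cipher_supported DHE-RSA-AES128-GCM-SHA256 && echo "REQUIRE clause is consistent"
```

Run the same check on the client host that will connect, not only where the certificates were issued: the suite must be available in the obclient build as well as on the server.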
Grant database access permissions to a user
Connect to the tenant with obclient and perform the following steps:
Grant database access permissions to the users and verify their SSL properties.
Grant database access permissions to the users. ALL PRIVILEGES ON *.* is used here only for demonstration; in production, grant each user only the privileges it needs.
obclient> GRANT ALL PRIVILEGES ON *.* TO user1;
obclient> GRANT ALL PRIVILEGES ON *.* TO user2;
obclient> GRANT ALL PRIVILEGES ON *.* TO user3;
Verify the SSL properties of the users. ssl_type records the REQUIRE mode, and ssl_cipher, x509_issuer, and x509_subject hold the exact strings that a client connection must match.
MySQL tenant
obclient> SELECT user_name, ssl_type, ssl_cipher, x509_issuer, x509_subject, length(ssl_cipher), length(x509_issuer), length(x509_subject) FROM oceanbase.__all_user WHERE user_name LIKE 'user%';
Oracle tenant
obclient> SELECT user_name, ssl_type, ssl_cipher, x509_issuer, x509_subject, length(ssl_cipher), length(x509_issuer), length(x509_subject) FROM SYS.ALL_VIRTUAL_USER_AGENT WHERE user_name LIKE 'USER%';
Configure and connect the client
Log on to the client host and copy the client certificate files ca.pem, client-cert.pem, and client-key.pem to a directory that the client can read; keep client-key.pem readable by the connecting user only (mode 600). Then connect as follows. Omitting the value after -p makes obclient prompt for the password instead of exposing it in the process list.
Connect with mutual X.509 authentication (user2):
$ obclient -h <observer-ip> -P2881 -u user2@mytenant -p****** --ssl-ca=/path/to/ca.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem
Connect with the cipher suite DHE-RSA-AES128-GCM-SHA256 and the restricted subject (user3):
$ obclient -h <observer-ip> -P2881 -u user3@mytenant -p****** --ssl-ca=/path/to/ca.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem --ssl-cipher=DHE-RSA-AES128-GCM-SHA256
Note
You do not need to specify a client certificate for users created with the REQUIRE SSL or REQUIRE NONE option. For REQUIRE SSL users, still pass --ssl-ca=/path/to/ca.pem: without it the client encrypts the session but does not verify that the peer holds a certificate issued by your CA.