This topic describes the method of setting transmission encryption in OceanBase Database Proxies (ODPs).
Version information
ODP V1.8.1 and later versions support the Secure Sockets Layer (SSL) feature. You can view the ODP version by using the -V option.
Run the following command in the installation path of an ODP to view the ODP version. For example:
./bin/obproxy -V
obproxy (OceanBase 1.8.1 3870.el6)
REVISION: 3870-local-8df895b0912b58dea3986320baeda7803bf57bd1
BUILD_TIME: Nov 2 2020 21:53:06
BUILD_FLAGS: -g -O2 -D_OB_VERSION=1000 -D_NO_EXCEPTION -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -DNDEBUG -D__USE_LARGEFILE64 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wall -Werror -Wextra -Wunused-parameter -Wformat -Wconversion -Wno-deprecated -Wno-invalid-offsetof -finline-functions -fno-strict-aliasing -mtune=core2 -Wno-psabi -Wno-sign-compare -DGCC_52 -DUSE_POSIX_FALLOCATE -DSUPPORT_SSE4_2 -DHAVE_SCHED_GETCPU -DHAVE_REALTIME_COARSE -DOB_HAVE_EVENTFD -DHAVE_FALLOCATE -DHAVE_MINIDUMP
Set keys and certificates
You can set keys and certificates by using files.
The setting applies only to new connections and takes effect immediately without a restart.
Log on to an ODP with the root@proxysys account and set the certificates, a public key, and a private key by using files. For example:
obclient> UPDATE proxyconfig.security_config SET CONFIG_VAL= '{"sourceType" : "FILE", "CA" : "certs/ca.pem", "publicKey" : "certs/server-cert.pem", "privateKey" : "certs/server-key.pem"}' WHERE APP_NAME = 'obproxy' and VERSION = '1';
The sourceType field must be set to FILE. CA specifies the storage directory of the CA certificate, publicKey specifies the storage directory of the public key certificate, and privateKey specifies the storage directory of the public key certificate.
Execute the SELECT statement to check whether the certificates, public key, and private key of the ODP are set. For example:
obclient> SELECT CONFIG_VAL FROM proxyconfig.security_config WHERE APP_NAME = 'obproxy';
+---------------+
| CONFIG_VAL |
+---------------+
| SSL INFO FILE |
+---------------+
1 row in set (0.00 sec)
Configure SSL connections to clients
The enable_client_ssl parameter specifies whether to establish SSL connections between the ODP and clients. The default value is false, indicating that no SSL connection is established to the clients.
If you change the value of the enable_client_ssl parameter to true, the ODP can establish SSL connections to the clients.
The setting applies only to new connections and takes effect immediately without a restart.
To implement SSL connections between the ODP and clients, you must ensure that the clients support the SSL feature. For example, you must check whether the official client programs of MySQL support the SSL feature.
After you log on to the ODP from a client, you can run the \s command to check the value of the SSL field. This field indicates whether an SSL connection is established between the ODP and the client.
If the returned value of the SSL field is not
Not in use, an SSL connection is established between the ODP and the clientIf the returned value of the SSL field is
Not in use, no SSL connection is established between the ODP and the client.
For example:
obclient> \s
--------------
obclient Ver 1.1.8 Distrib 5.7.24, for Linux (x86_64) using EditLine wrapper
Connection id: 3221506046
Current database: test
Current user: root@xx.xx.xx.xx
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
Current pager: less
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25 OceanBase 2.2.60 (r1-63cbd3084a3283523f09d6ba20795f77b95e046b) (Built Jun 30 2020 10:10:29)
Protocol version: 10
Connection: xx.xx.xx.xx via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 13213
Active --------------
Configure SSL connections to OBServer nodes
The enable_server_ssl parameter specifies whether to establish SSL connections between the ODP and OBServer nodes. The default value is false, indicating that no SSL connection is established to the OBServer nodes.
If you change the value of enable_server_ssl to true, the ODP can establish SSL connections to the OBServer nodes.
The setting applies only to new connections and takes effect immediately without a restart.