TLS Introduction
Overview
Transport Layer Security (TLS) is a widely adopted security protocol designed to promote privacy and data security for Internet communications.
MatrixOne uses non-encrypted connections by default and supports enabling encrypted connections based on the TLS protocol. The supported protocol versions are TLS 1.0, TLS 1.1, and TLS 1.2.
Disable TLS encrypted connection (default): Use the username and password to connect to MatrixOne directly.
Enable TLS encrypted connection: Encrypted connection support needs to be enabled on the MatrixOne server, and encrypted connection should be specified on the client side. You can follow the instructions below to enable a TLS secure connection.
This document will guide you how to enable TLS secure connection.
Main steps of TLS secure connection configuration:
First, enable TLS in MatrixOne.
Then, configure the MySQL client security connection parameters.
After completing the configuration of these two main steps, a TLS secure connection can be established, as detailed below:
Step 1: Enable MatrixOne’s TLS support
Generate certificate and key: MatrixOne does not yet support loading a private key protected by a password, so a private key file without a password must be provided. Certificates and keys can be issued and generated using OpenSSL. It is recommended to use the tool
mysql_ssl_rsa_setup
that comes with MySQL to generate quickly:#Check your local MySQL client installation directory
ps -ef|grep mysql
#Go to the installation directory of your local MySQL client
cd /usr/local/mysql/bin
#Generate certificate and key
./mysql_ssl_rsa_setup --datadir=<yourpath>
#Check your generated pem file
ls <yourpath>
├── ca-key.pem
├── ca.pem
├── client-cert.pem
├── client-key.pem
├── private_key.pem
├── public_key.pem
├── server-cert.pem
└── server-key.pem
Note:
<yourpath>
in the above code is the local directory path where you need to store the generated certificate and key files.Enter the cn.toml configuration file in your local MatrixOne file directory path matrixone/etc/launch-tae-CN-tae-DN/:
You can also use the vim command to open the cn. toml file directly in the terminal
vim $matrixone/etc/launch-tae-CN-tae-DN/cn.toml
Copy and paste the code below into the configuration file:
[cn.frontend]
#default is false. With true. Server will support tls
enableTls = true
#default is ''. Path of file that contains X509 certificate in PEM format for client
tlsCertFile = "<yourpath>/server-cert.pem"
#default is ''. Path of file that contains X509 key in PEM format for client
tlsKeyFile = "<yourpath>/server-key.pem"
#default is ''. Path of file that contains list of trusted SSL CAs for client
tlsCaFile = "<yourpath>/ca.pem"
Note:
<yourpath>
in the above code is the local directory path where you need to store the generated certificate and key filesIn the above code, the configuration parameters are explained as follows:
Parameters Description enableTls Bool, enable TLS support on the MatrixOne server. tlsCertFile Specify the SSL certificate file path tlsKeyFile Specify the private key corresponding to the certificate file tlsCaFile Optional, specify the trusted CA certificate file path Note: If you use Docker to install and launch MatrixOne, before modifying the configuration file, you need to mount the configuration file first and then modify it. For more information, see Mount directory to Docker container.
Verify that MatrixOne’s SSL is enabled.
① Use the MySQL client to connect to MatrixOne:
mysql -h 127.0.0.1 -P 6001 -udump -p111
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
② Use the
Status
command to check whether SSL is enabled.Successfully enabled, the code example is as follows; you can see that the SSL status is
Cipher in use is TLS_AES_128_GCM_SHA256
:mysql> status
mysql Ver 8.0.28 for macos11 on arm64 (MySQL Community Server - GPL)
Connection id: 1001
Current database:
Current user: dump@0.0.0.0
SSL: Cipher in use is TLS_AES_128_GCM_SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 0.6.0 MatrixOne
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
ERROR 20101 (HY000): internal error: the system variable does not exist
ERROR 2014 (HY000): Commands out of sync; you can't run this command now
Client characterset: utf8mb4
Server characterset: utf8mb4
TCP port: 6001
Binary data as: Hexadecimal
--------------
If it is not enabled successfully, the returned result is as follows; you can see that the SSL status is
Not in use
; you need to recheck whether the local directory path (namely ) of the certificate and key file you configured in the above steps is correct:mysql> status;
/usr/local/mysql/bin/mysql Ver 8.0.30 for macos12 on arm64 (MySQL Community Server - GPL)
Connection id: 1009
Current database: test
Current user: root@0.0.0.0
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.30-MatrixOne-v0.6.0 MatrixOne
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 6001
Binary data as: Hexadecimal
--------------
After completing the above steps, MatrixOne’s TLS is enabled.
Step 2: Configure the parameters of MySQL client
When a MySQL client connects to Matrix One Server, the encrypted connection behavior needs to be specified by the --ssl-mode
parameter, such as:
mysql -h 127.0.0.1 -P 6001 -udump -p111 --ssl-mode=PREFFERED
The value types of ssl mode
are as follows:
ssl-mode value | Description |
---|---|
DISABLED | Establish an encrypted connection without SSL/TLS, synonymous with skip-ssl. |
PREFFERED | The default behavior is first to establish an encrypted connection using SSL/TLS; if it cannot be established, it will try to establish a non-SSL/TLS connection. |
REQUIRED | Only SSL/TLS will be attempted to establish an encrypted connection, and if the connection cannot be established, the connection will fail. |
VERIFY_CA | As with the REQUIRED behavior, and also verifies that the CA certificate on the Server side is valid. |
VERIFY_IDENTITY | It acts like VERIFY_CA and verifies that the host in the server-side CA certificate is the same as the hostname for the actual connection. |
Note
When the client specifies --ssl-mode=VERIFY_CA
, it needs to use --ssl-ca
to specify the CA certificate; If --ssl-mode=VERIFY_IDENTITY
is specified on the client, you need to specify the CA certificate. You need to use --ssl-key
to specify the client private key and --ssl-cert
to specify the client certificate.