Data Transmission Encryption

This document will introduce MatrixOne’s support for data transmission encryption and how to enable encrypted transmission.

Overview

MatrixOne uses non-encrypted transmission by default and supports encrypted transmission based on TLS protocol. Encrypted transmission can reduce the risk of leakage of sensitive information in the database. Encrypted transmission is the process of encrypting and decrypting information using keys, which can effectively protect data security.

Transport Layer Security (TLS) is a widely adopted security protocol. The protocol versions supported by MatrixOne include TLS 1.0, TLS 1.1, and TLS 1.2.

  • Do not enable TLS encrypted transmission (default): Use the username and password to connect to MatrixOne directly.
  • Use encrypted transmission: It is necessary to enable encrypted transmission support on the MatrixOne server and specify the use of encrypted transmission on the client side. You can follow the instructions in this article to enable TLS secure connections.

How to Use

Main steps of TLS secure connection configuration:

  1. First, enable TLS in MatrixOne.

  2. Then, configure the MySQL client security connection parameters.

After completing the configuration of these two main steps, a TLS secure connection can be established.

Step 1: Enable MatrixOne’s TLS support

  1. Generate certificate and key: MatrixOne does not yet support loading a private key protected by a password, so a private key file without a password must be provided. Certificates and keys can be issued and generated using OpenSSL. It is recommended to use the tool mysql_ssl_rsa_setup that comes with MySQL to generate quickly:

    1. #Check your local MySQL client installation directory
    2. ps -ef|grep mysql
    3. #Go to the installation directory of your local MySQL client
    4. cd /usr/local/mysql/bin
    5. #Generate certificate and key
    6. ./mysql_ssl_rsa_setup --datadir=<yourpath>
    7. #Check your generated pem file
    8. ls <yourpath>
    9. ├── ca-key.pem
    10. ├── ca.pem
    11. ├── client-cert.pem
    12. ├── client-key.pem
    13. ├── private_key.pem
    14. ├── public_key.pem
    15. ├── server-cert.pem
    16. └── server-key.pem

    Note: <yourpath> in the above code is the local directory path where you need to store the generated certificate and key files.

  2. Enter the cn.toml configuration file in your local MatrixOne file directory path matrixone/etc/launch-tae-CN-tae-TN/:

    You can also use the vim command to open the cn. toml file directly in the terminal

    1. vim $matrixone/etc/launch-tae-CN-tae-TN/cn.toml

    Copy and paste the code below into the configuration file:

    1. [cn.frontend]
    2. #default is false. With true. Server will support tls
    3. enableTls = true
    4. #default is ''. Path of file that contains X509 certificate in PEM format for client
    5. tlsCertFile = "<yourpath>/server-cert.pem"
    6. #default is ''. Path of file that contains X509 key in PEM format for client
    7. tlsKeyFile = "<yourpath>/server-key.pem"
    8. #default is ''. Path of file that contains list of trusted SSL CAs for client
    9. tlsCaFile = "<yourpath>/ca.pem"

    Note: <yourpath> in the above code is the local directory path where you need to store the generated certificate and key files

    In the above code, the configuration parameters are explained as follows:

    ParametersDescription
    enableTlsBool, enable TLS support on the MatrixOne server.
    tlsCertFileSpecify the SSL certificate file path
    tlsKeyFileSpecify the private key corresponding to the certificate file
    tlsCaFileOptional, specify the trusted CA certificate file path

    Note: If you use Docker to install and launch MatrixOne, before modifying the configuration file, you need to mount the configuration file first and then modify it. For more information, see Mount directory to Docker container.

  3. Verify that MatrixOne’s SSL is enabled.

    ① Use the MySQL client to connect to MatrixOne:

    1. mysql -h 127.0.0.1 -P 6001 -uroot -p111
    2. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    ② Use the Status command to check whether SSL is enabled.

    Successfully enabled, the code example is as follows; you can see that the SSL status is Cipher in use is TLS_AES_128_GCM_SHA256:

    1. mysql> status
    2. mysql Ver 8.0.28 for macos11 on arm64 (MySQL Community Server - GPL)
    3. Connection id: 1001
    4. Current database:
    5. Current user: root@0.0.0.0
    6. SSL: Cipher in use is TLS_AES_128_GCM_SHA256
    7. Current pager: stdout
    8. Using outfile: ''
    9. Using delimiter: ;
    10. Server version: 8.0.30-MatrixOne-v1.1.0 MatrixOne
    11. Protocol version: 10
    12. Connection: 127.0.0.1 via TCP/IP
    13. Server characterset: utf8mb4
    14. DB characterset: utf8mb4
    15. Client characterset: utf8mb4
    16. Conn. characterset: utf8mb4
    17. TCP port: 6001
    18. Binary data as: Hexadecimal
    19. --------------

    If it is not enabled successfully, the returned result is as follows; you can see that the SSL status is Not in use; you need to recheck whether the local directory path (namely ) of the certificate and key file you configured in the above steps is correct:

    1. mysql> status;
    2. /usr/local/mysql/bin/mysql Ver 8.0.30 for macos12 on arm64 (MySQL Community Server - GPL)
    3. Connection id: 1009
    4. Current database: test
    5. Current user: root@0.0.0.0
    6. SSL: Not in use
    7. Current pager: stdout
    8. Using outfile: ''
    9. Using delimiter: ;
    10. Server version: 8.0.30-MatrixOne-v1.1.0 MatrixOne
    11. Protocol version: 10
    12. Connection: 127.0.0.1 via TCP/IP
    13. Server characterset: utf8mb4
    14. Db characterset: utf8mb4
    15. Client characterset: utf8mb4
    16. Conn. characterset: utf8mb4
    17. TCP port: 6001
    18. Binary data as: Hexadecimal
    19. --------------

After completing the above steps, MatrixOne’s TLS is enabled.

Step 2: Configure the parameters of MySQL client

When a MySQL client connects to Matrix One Server, the encrypted connection behavior needs to be specified by the --ssl-mode parameter, such as:

  1. mysql -h 127.0.0.1 -P 6001 -uroot -p111 --ssl-mode=PREFFERED

Info

The login account in the above code snippet is the initial account; please change the initial password after logging in to MatrixOne; see Password Management.

The value types of ssl mode are as follows:

ssl-mode valueDescription
DISABLEDEstablish an encrypted connection without SSL/TLS, synonymous with skip-ssl.
PREFFEREDThe default behavior is first to establish an encrypted connection using SSL/TLS; if it cannot be established, it will try to establish a non-SSL/TLS connection.
REQUIREDOnly SSL/TLS will be attempted to establish an encrypted connection, and if the connection cannot be established, the connection will fail.
VERIFY_CAAs with the REQUIRED behavior, and also verifies that the CA certificate on the Server side is valid.
VERIFY_IDENTITYIt acts like VERIFY_CA and verifies that the host in the server-side CA certificate is the same as the hostname for the actual connection.

Note

When the client specifies --ssl-mode=VERIFY_CA, it needs to use --ssl-ca to specify the CA certificate; If --ssl-mode=VERIFY_IDENTITY is specified on the client, you need to specify the CA certificate. You need to use --ssl-key to specify the client private key and --ssl-cert to specify the client certificate.