MySQL 5.6 Reference Manual Including MySQL NDB Cluster 7.3-7.4 Reference Guide
To use an encrypted connection for the transfer of the binary log required during replication, both the source and the replica servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.
Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the source, and a similar certificate (from the same certificate authority) on each replica. You must also obtain suitable key files.
For more information on setting up a server and client for encrypted connections, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
To enable encrypted connections on the source, you must create or
obtain suitable certificate and key files, and then add the
following configuration parameters to the source's configuration
within the [mysqld]
section of the source's
my.cnf
file, changing the file names as
necessary:
[mysqld] ssl_ca=cacert.pem ssl_cert=server-cert.pem ssl_key=server-key.pem
The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.
The configuration parameters are as follows:
ssl_ca
: The path name of the
Certificate Authority (CA) certificate file.
(--ssl-capath
is similar but specifies the
path name of a directory of CA certificate files.)
ssl_cert
: The path name of
the server public key certificate file. This certificate can
be sent to the client and authenticated against the CA
certificate that it has.
ssl_key
: The path name of the
server private key file.
On the replica, there are two ways to specify the information
required for connecting using encryption to the source. You can
either name the replica certificate and key files in the
[client]
section of the replica's
my.cnf
file, or you can explicitly specify
that information using the CHANGE MASTER
TO
statement:
To name the replica certificate and key files using an option
file, add the following lines to the
[client]
section of the replica's
my.cnf
file, changing the file names as
necessary:
[client] ssl-ca=cacert.pem ssl-cert=client-cert.pem ssl-key=client-key.pem
Restart the replica server, using the
--skip-slave-start
option to
prevent the replica from connecting to the source. Use
CHANGE MASTER TO
to specify the
source configuration, using the MASTER_SSL
option to connect using encryption:
mysql>CHANGE MASTER TO
->MASTER_HOST='source_hostname',
->MASTER_USER='replicate',
->MASTER_PASSWORD='
->password
',MASTER_SSL=1;
To specify the certificate and key names using the
CHANGE MASTER TO
statement,
append the appropriate
MASTER_SSL_
options:
xxx
mysql>CHANGE MASTER TO
->MASTER_HOST='source_hostname',
->MASTER_USER='replicate',
->MASTER_PASSWORD='
->password
',MASTER_SSL=1,
->MASTER_SSL_CA = 'ca_file_name',
->MASTER_SSL_CAPATH = 'ca_directory_name',
->MASTER_SSL_CERT = 'cert_file_name',
->MASTER_SSL_KEY = 'key_file_name';
After the source information has been updated, start the replication process:
mysql> START SLAVE;
You can use the SHOW SLAVE STATUS
statement to confirm that an encrypted connection was established
successfully.
For more information on the CHANGE MASTER
TO
statement, see Section 13.4.2.1, “CHANGE MASTER TO Statement”.
If you want to enforce the use of encrypted connections during
replication, create a user with the
REPLICATION SLAVE
privilege and use
the REQUIRE SSL
option for that user. For
example:
mysql>CREATE USER 'repl'@'%.example.com' IDENTIFIED BY '
mysql>password
';GRANT REPLICATION SLAVE ON *.*
->TO 'repl'@'%.example.com' REQUIRE SSL;
If the account already exists, you can add REQUIRE
SSL
to it with this statement:
mysql>GRANT USAGE ON *.*
->TO 'repl'@'%.example.com' REQUIRE SSL;