Create Server Certificates

Before you begin configuring the router and database nodes, you must create the SSL server certificates. To connect the database nodes and the router over SSL, each must have the correct SSL key and certificate for secure communication, and all certificates must be recognized by a common Certificate Authority (CA). If the keys and certificates were auto-generated during database or router installation, or if they are self-signed, the connection might fail: only certificates that are signed by the common CA are accepted.

If CA-signed server keys and certificates are already available, ensure that the files have the correct permissions and are placed in the correct path on each router and database node.

For the steps to generate SSL certificates for the server, see:

Creating SSL Certificates and Keys Using OpenSSL

Tasks for Configuring SSL Certificates

  1. Generate a separate certificate and key for each database node.

  2. Use the same ca.pem which is common to all database nodes and routers.

  3. In the server certificate for each database node, specify the common name (CN) without the domain name. See the common name in Table 6-1 in Overview of Database Cluster SSL Configuration for Group Replication for reference.

  4. Ensure that the server certificate name and key file name match the corresponding database node and router values.

  5. To verify the CN values in each generated server certificate, invoke OpenSSL using the following commands:
    openssl x509 -text -in ca.pem
    openssl x509 -text -in server-cert.pem
    openssl x509 -text -in client-cert.pem

    The issuer CN must be the same for all certificates. The subject CN must contain only the hostname, without the domain name.

  6. After generating the certificates, verify that each one validates against the CA file (ca.pem).

  7. Copy the generated certificate and key file to the MySQL data directory of the corresponding database node or router. Ensure that you grant read permission to all users and retain write permission for the file owner only.

  8. Copy the common ca.pem to every node and router and provide read permissions to all users.
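The following script is an added example (it is not part of this documentation and not tooling shipped with the database or router) that carries out steps 1 through 8 on one machine so the outputs can be inspected: it creates one common CA, generates a separate key and CA-signed certificate per node whose subject CN is the bare node name, verifies each certificate against ca.pem, checks the subject and issuer CNs, and applies the file permissions described above. The node names (node1, node2, router1), the output directory CERT_DIR, the file names <node>-key.pem and <node>-cert.pem, the issuer name Demo-Cluster-CA, and the RSA key size and validity period are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original documentation: generate a common CA,
# a key and CA-signed server certificate per database node and router, then
# verify each certificate against ca.pem, check that the subject CN is a bare
# hostname and the issuer CN is shared, and set the permissions the steps require.
# Constructed assumptions: node names in $NODES, output directory $CERT_DIR,
# file names <node>-key.pem / <node>-cert.pem, RSA 2048, 365-day validity.
set -eu

CERT_DIR="${CERT_DIR:-./ssl-demo}"
NODES="${NODES:-node1 node2 router1}"
CA_CN="Demo-Cluster-CA"   # constructed issuer name common to every certificate

# Step 2: create the single CA (ca-key.pem, ca.pem) used by all nodes and routers.
make_ca() {
  mkdir -p "$CERT_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$CA_CN" \
    -keyout "$CERT_DIR/ca-key.pem" -out "$CERT_DIR/ca.pem" 2>/dev/null
  chmod 600 "$CERT_DIR/ca-key.pem"   # the CA private key is never copied to nodes
  chmod 644 "$CERT_DIR/ca.pem"       # step 8: ca.pem is readable by all users
}

# Steps 1, 3, 4, 7: a separate key and certificate per node; the subject CN is
# the bare node name (no domain part) and the file names carry the node name.
make_node_cert() {
  node="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$node" \
    -keyout "$CERT_DIR/$node-key.pem" -out "$CERT_DIR/$node.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$CERT_DIR/$node.csr" \
    -CA "$CERT_DIR/ca.pem" -CAkey "$CERT_DIR/ca-key.pem" -CAcreateserial \
    -out "$CERT_DIR/$node-cert.pem" 2>/dev/null
  rm -f "$CERT_DIR/$node.csr"
  # Readable by all users, writable only by the owner (as the procedure states).
  chmod 644 "$CERT_DIR/$node-cert.pem" "$CERT_DIR/$node-key.pem"
}

# Step 5 helpers: print the subject CN / issuer CN of a certificate.
# -nameopt RFC2253 gives the stable form "CN=<value>" across OpenSSL versions.
subject_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
issuer_cn() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" \
    | sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# A subject CN is acceptable only if it is a bare hostname: non-empty, no domain.
check_bare_cn() {
  case "$1" in
    "" | *.* ) return 1 ;;
    * ) return 0 ;;
  esac
}

# Step 6: the certificate must chain to ca.pem.
verify_cert() {
  openssl verify -CAfile "$CERT_DIR/ca.pem" "$1" >/dev/null 2>&1
}

# Run the whole procedure for every node; returns non-zero if any check fails.
run_demo() {
  make_ca
  status=0
  for node in $NODES; do
    make_node_cert "$node"
    cert="$CERT_DIR/$node-cert.pem"
    cn=$(subject_cn "$cert")
    if verify_cert "$cert" && check_bare_cn "$cn" \
       && [ "$(issuer_cn "$cert")" = "$CA_CN" ]; then
      echo "$node: OK (subject CN=$cn, issuer CN=$CA_CN)"
    else
      echo "$node: FAILED (subject CN='$cn')" >&2
      status=1
    fi
  done
  return $status
}

run_demo
```

The keys are generated unencrypted (-nodes) because the database server and router read them at startup without a passphrase prompt. The script keeps ca-key.pem at mode 600 and separate from the per-node files: only ca.pem, <node>-cert.pem and <node>-key.pem are what steps 7 and 8 copy to the nodes, and each node's data directory should itself be readable only by the accounts that need it. Rerunning the script regenerates the CA, so any certificates issued earlier will no longer verify against the new ca.pem.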