Scenario: Authenticating MySQL Server
We recommend that you use a TLS certificate to authenticate the MySQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate.
Administration Server supports both one-way and two-way SSL authentication for MySQL.
Enable one-way SSL authentication
Follow these steps to configure one-way SSL authentication for MySQL:
- Generate a self-signed TLS certificate for the MySQL server
Run the following command:
openssl genrsa 1024 > ca-key.pem
openssl req -new -x509 -nodes -days 365 -key ca-key.pem -config myssl.cnf > ca-cert.pem
openssl req -newkey rsa:1024 -days 365 -nodes -keyout server-key.pem -config myssl.cnf > server-req.pem
openssl x09 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
- Create a server flag file
Use the klscflag utility to create the KLSRV_MYSQL_OPT_SSL_CA server flag and specify the path to the certificate as its value. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <
path to
ca-cert.pem>-t d
- Configure the database
Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:
[mysqld]
ssl-ca=".../mysqlcerts/ca-cert.pem"
ssl-cert=".../mysqlcerts/server-cert.pem"
ssl-key=".../mysqlcerts/server-key.pem"
Enable two-way SSL authentication
Follow these steps to configure two-way SSL authentication for MySQL:
- Create server flag files
Use the klscflag utility to create the server flags and specify the path to the certificate files as their values:
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <
path to
ca-cert.pem> -t d
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CERT -v <
path to
server-cert.pem> -t d
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_KEY -v <
path to
server-key.pem> -t d
The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.
- (Optional) Specify the passphrase
If the server-key.pem requires a passphrase, create a KLSRV_MARIADB_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:
klscflag -fset -pv klserver -n KLSRV_MARIADB_OPT_TLS_PASPHRASE -v <
passphrase
> -t d
- Configure the database
Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:
[mysqld]
ssl-ca=".../mysqlcerts/ca-cert.pem"
ssl-cert=".../mysqlcerts/server-cert.pem"
ssl-key=".../mysqlcerts/server-key.pem"