Kaspersky Security Center

Scenario: Authenticating MySQL Server

July 1, 2024

ID 261227

We recommend that you use a TLS certificate to authenticate the MySQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate.

Administration Server supports both one-way and two-way SSL authentication for MySQL.

Enable one-way SSL authentication

Follow these steps to configure one-way SSL authentication for MySQL:

  1. Generate a self-signed TLS certificate for the MySQL server

    Run the following commands:

    openssl genrsa 1024 > ca-key.pem

    openssl req -new -x509 -nodes -days 365 -key ca-key.pem -config myssl.cnf > ca-cert.pem

    openssl req -newkey rsa:1024 -days 365 -nodes -keyout server-key.pem -config myssl.cnf > server-req.pem

    openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

  2. Create a server flag file

    Use the klscflag utility to create the KLSRV_MYSQL_OPT_SSL_CA server flag and specify the path to the certificate as its value. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <path to ca-cert.pem> -t d

  3. Configure the database

    Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:

    [mysqld]

    ssl-ca=".../mysqlcerts/ca-cert.pem"

    ssl-cert=".../mysqlcerts/server-cert.pem"

    ssl-key=".../mysqlcerts/server-key.pem"

Enable two-way SSL authentication

Follow these steps to configure two-way SSL authentication for MySQL:

  1. Create server flag files

    Use the klscflag utility to create the server flags and specify the path to the certificate files as their values:

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <path to ca-cert.pem> -t d

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CERT -v <path to server-cert.pem> -t d

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_KEY -v <path to server-key.pem> -t d

    The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.

  2. (Optional) Specify the passphrase

    If the server-key.pem requires a passphrase, create a KLSRV_MARIADB_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:

    klscflag -fset -pv klserver -n KLSRV_MARIADB_OPT_TLS_PASPHRASE -v <passphrase> -t d

  3. Configure the database

    Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:

    [mysqld]

    ssl-ca=".../mysqlcerts/ca-cert.pem"

    ssl-cert=".../mysqlcerts/server-cert.pem"

    ssl-key=".../mysqlcerts/server-key.pem"
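
The following script is an added example, not part of the Kaspersky documentation. It checks that the files referenced by ssl-ca, ssl-cert and ssl-key form a consistent set (chain to the CA, key matches certificate, remaining validity, key size) before MySQL is restarted with them. The function names, the MIN_BITS and WARN_DAYS thresholds, and the throwaway demo certificates are assumptions made for the example.

```shell
# Added example: checks for the PEM files named by ssl-ca, ssl-cert and ssl-key.
MIN_BITS=2048   # assumed policy value, not a Kaspersky or MySQL setting
WARN_DAYS=30    # assumed policy value

# Print the RSA key size of a certificate's public key.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_mysql_tls <ca-cert.pem> <server-cert.pem> <server-key.pem>
# Prints one line per failed check; the return status is the number of failures.
check_mysql_tls() {
    ca=$1 cert=$2 key=$3 fails=0
    # 1. The server certificate must chain to the CA the client is told to trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; fails=$((fails + 1)); }
    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "FAIL: $key does not match $cert"; fails=$((fails + 1)); }
    # 3. The certificate must stay valid for at least WARN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within $WARN_DAYS days"; fails=$((fails + 1)); }
    # 4. The key must meet the assumed minimum size.
    bits=$(cert_bits "$cert" 2>/dev/null)
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "FAIL: $cert key is ${bits:-unknown} bits, below $MIN_BITS"; fails=$((fails + 1)); }
    return "$fails"
}

# make_demo_pki <dir> <rsa-bits> <days>: constructed sample CA and server cert; -subj stands in for myssl.cnf.
make_demo_pki() {
    dir=$1 nbits=$2 days=$3
    openssl req -new -x509 -nodes -newkey "rsa:$nbits" -days 365 -subj "/CN=demo-ca" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null &&
    openssl req -new -nodes -newkey "rsa:$nbits" -subj "/CN=demo-mysql" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/server-req.pem" -days "$days" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -set_serial 01 -out "$dir/server-cert.pem" 2>/dev/null
}

# Demo: generate sample files in a temporary directory and check them.
demo=$(mktemp -d)
make_demo_pki "$demo" 2048 365 &&
    check_mysql_tls "$demo/ca-cert.pem" "$demo/server-cert.pem" "$demo/server-key.pem" &&
    echo "OK: demo files pass all checks"
rm -rf "$demo"
```

To check real files, call check_mysql_tls with the three paths from my.cnf instead of running the demo.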
