
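5.8.7.4. Setting Up SSL Certificates for MySQL

This section describes how to set up the SSL certificate and key files used by MySQL servers and clients.

The following example shows a set of commands that create the certificate and key files for a MySQL server and client. When you run them, you must respond to several prompts from the openssl commands; for testing, you can press Enter at every prompt. For production use, you must provide non-empty responses.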

# Create clean environment
shell> rm -rf newcerts
shell> mkdir newcerts && cd newcerts

# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem

# Create server certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

# Create client certificate (the serial differs from the server certificate's,
# because serial numbers must be unique per issuing CA)
shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
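
The commands above prompt for input and leave the resulting files unchecked. The following added example (not part of the MySQL manual) runs the same steps non-interactively and then confirms that each certificate verifies against the CA, that each private key matches its certificate, and that the two certificates carry different serial numbers. The function names, the subject names passed with -subj and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the MySQL manual). Subject names are constructed.

make_certs() {   # $1 = output directory; non-interactive form of the commands
  d=$1; mkdir -p "$d" || return 1
  ( cd "$d" && umask 077 &&
    openssl genrsa -out ca-key.pem 2048 2>/dev/null &&
    openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
        -subj "/CN=Example MySQL CA" -out ca-cert.pem &&
    for role in server client; do
      [ "$role" = server ] && serial=01 || serial=02
      openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
          -subj "/CN=example-mysql-$role" -out "$role-req.pem" 2>/dev/null &&
      openssl x509 -req -in "$role-req.pem" -days 1000 -CA ca-cert.pem \
          -CAkey ca-key.pem -set_serial "$serial" \
          -out "$role-cert.pem" 2>/dev/null || exit 1
    done )
}

pubkey_hash() {  # $1 = cert|key, $2 = file; prints a digest of the public key
  case $1 in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null | openssl dgst -sha256
}

check_certs() {  # $1 = directory; returns 0 only if every check passes
  d=$1
  for role in server client; do
    openssl verify -CAfile "$d/ca-cert.pem" "$d/$role-cert.pem" \
        >/dev/null 2>&1 ||
      { echo "$role: certificate does not verify against ca-cert.pem"; return 1; }
    [ "$(pubkey_hash cert "$d/$role-cert.pem")" = \
      "$(pubkey_hash key "$d/$role-key.pem")" ] ||
      { echo "$role: private key does not match certificate"; return 1; }
  done
  s1=$(openssl x509 -in "$d/server-cert.pem" -noout -serial)
  s2=$(openssl x509 -in "$d/client-cert.pem" -noout -serial)
  [ "$s1" != "$s2" ] || { echo "duplicate serial: $s1"; return 1; }
  echo "all checks passed"
}
```

Call `make_certs ./newcerts && check_certs ./newcerts`; `check_certs` also works on files produced by the interactive commands, as long as they use the same file names.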

 

Example script that sets up SSL certificates for MySQL using OpenSSL:

 

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
    -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/monty/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/monty/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key (optional)
#

openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/monty/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove a passphrase from the key (optional)
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#

openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#

cnf=""
cnf="$cnf [client]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/client-cert.pem"
cnf="$cnf ssl-key=$DIR/client-key.pem"
cnf="$cnf [mysqld]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/server-cert.pem"
cnf="$cnf ssl-key=$DIR/server-key.pem"
echo $cnf | replace " " '
' > $DIR/my.cnf

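To test SSL connections, start the server as follows, where $DIR is the path name of the directory that contains the sample my.cnf option file:

shell> mysqld --defaults-file=$DIR/my.cnf &

Then invoke a client program using the same option file:

shell> mysql --defaults-file=$DIR/my.cnf

If you have a MySQL source distribution, you can also test your setup by modifying the preceding my.cnf file to refer to the demonstration certificate and key files in the mysql-test/std_data directory.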

 
