2.4. Setting up TLS encryption on a MariaDB server
By default, MariaDB uses unencrypted connections. For secure connections, enable TLS support on the MariaDB server and configure your clients to establish encrypted connections.
2.4.1. Placing the CA certificate, server certificate, and private key on the MariaDB server
Before you can enable TLS encryption in the MariaDB server, store the certificate authority (CA) certificate, the server certificate, and the private key on the MariaDB server.
Conditions préalables
The following files in Privacy Enhanced Mail (PEM) format have been copied to the server:
-
The private key of the server:
server.example.com.key.pem
-
The server certificate:
server.example.com.crt.pem
-
The Certificate Authority (CA) certificate:
ca.crt.pem
For details about creating a private key and certificate signing request (CSR), as well as about requesting a certificate from a CA, see your CA’s documentation.
-
The private key of the server:
Procédure
Store the CA and server certificates in the
/etc/pki/tls/certs/
directory:# mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/ # mv <path>/ca.crt.pem /etc/pki/tls/certs/
Set permissions on the CA and server certificate that enable the MariaDB server to read the files:
# chmod 644 /etc/pki/tls/certs/server.example.com.crt.pem /etc/pki/tls/certs/ca.crt.pem
Because certificates are part of the communication before a secure connection is established, any client can retrieve them without authentication. Therefore, you do not need to set strict permissions on the CA and server certificate files.
Store the server’s private key in the
/etc/pki/tls/private/
directory:# mv <path>/server.example.com.key.pem /etc/pki/tls/private/
Set secure permissions on the server’s private key:
# chmod 640 /etc/pki/tls/private/server.example.com.key.pem # chgrp mysql /etc/pki/tls/private/server.example.com.key.pem
If unauthorized users have access to the private key, connections to the MariaDB server are no longer secure.
Rétablir le contexte SELinux :
# restorecon -Rv /etc/pki/tls/
2.4.2. Configuring TLS on a MariaDB server
To improve security, enable TLS support on the MariaDB server. As a result, clients can transmit data with the server using TLS encryption.
Conditions préalables
- You installed the MariaDB server.
-
The
mariadb
service is running. The following files in Privacy Enhanced Mail (PEM) format exist on the server and are readable by the
mysql
user:-
The private key of the server:
/etc/pki/tls/private/server.example.com.key.pem
-
The server certificate:
/etc/pki/tls/certs/server.example.com.crt.pem
-
The Certificate Authority (CA) certificate
/etc/pki/tls/certs/ca.crt.pem
-
The private key of the server:
- The subject distinguished name (DN) or the subject alternative name (SAN) field in the server certificate matches the server’s host name.
Procédure
Create the
/etc/my.cnf.d/mariadb-server-tls.cnf
file:Add the following content to configure the paths to the private key, server and CA certificate:
[mariadb] ssl_key = /etc/pki/tls/private/server.example.com.key.pem ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem ssl_ca = /etc/pki/tls/certs/ca.crt.pem
If you have a Certificate Revocation List (CRL), configure the MariaDB server to use it:
ssl_crl = /etc/pki/tls/certs/example.crl.pem
Optional: Reject connection attempts without encryption. To enable this feature, append:
require_secure_transport = on
Optional: Set the TLS versions the server should support. For example, to support TLS 1.2 and TLS 1.3, append:
tls_version = TLSv1.2,TLSv1.3
By default, the server supports TLS 1.1, TLS 1.2, and TLS 1.3.
Restart the
mariadb
service:# systemctl restart mariadb
Vérification
To simplify troubleshooting, perform the following steps on the MariaDB server before you configure the local client to use TLS encryption:
Verify that MariaDB now has TLS encryption enabled:
# mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'have_ssl';" +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_ssl | YES | +---------------+-----------------+
If the
have_ssl
variable is set toyes
, TLS encryption is enabled.If you configured the MariaDB service to only support specific TLS versions, display the
tls_version
variable:# mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'tls_version';" +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | tls_version | TLSv1.2,TLSv1.3 | +---------------+-----------------+
Ressources supplémentaires
2.4.3. Requiring TLS encrypted connections for specific user accounts
Users that have access to sensitive data should always use a TLS-encrypted connection to avoid sending data unencrypted over the network.
If you cannot configure on the server that a secure transport is required for all connections (require_secure_transport = on
), configure individual user accounts to require TLS encryption.
Conditions préalables
- The MariaDB server has TLS support enabled.
- The user you configure to require secure transport exists.
Procédure
Connect as an administrative user to the MariaDB server:
# mysql -u root -p -h server.example.com
If your administrative user has no permissions to access the server remotely, perform the command on the MariaDB server and connect to
localhost
.Use the
REQUIRE SSL
clause to enforce that a user must connect using a TLS-encrypted connection:MariaDB [(none)]> **ALTER USER __'example__'@__'%'__ REQUIRE SSL;**
Vérification
Connect to the server as the
example
user using TLS encryption:# mysql -u example -p -h server.example.com --ssl ... MariaDB [(none)]>
If no error is shown and you have access to the interactive MariaDB console, the connection with TLS succeeds.
Attempt to connect as the
example
user with TLS disabled:# mysql -u example -p -h server.example.com --skip-ssl ERROR 1045 (28000): Access denied for user 'example'@'server.example.com' (using password: YES)
The server rejected the login attempt, because TLS is required for this user, but disabled (
--skip-ssl
).
Ressources supplémentaires