1.4. Setting up TLS encryption on a MariaDB server

Procedure

1. Store the CA and server certificates in the /etc/pki/tls/certs/ directory:

   # mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/
   # mv <path>/ca.crt.pem /etc/pki/tls/certs/

2. Set permissions on the CA and server certificate that enable the MariaDB server to read the files:

   # chmod 644 /etc/pki/tls/certs/server.example.com.crt.pem /etc/pki/tls/certs/ca.crt.pem

   Because certificates are part of the communication before a secure connection is established, any client can retrieve them without authentication. Therefore, you do not need to set strict permissions on the CA and server certificate files.

3. Store the server’s private key in the /etc/pki/tls/private/ directory:

   # mv <path>/server.example.com.key.pem /etc/pki/tls/private/

4. Set secure permissions on the server’s private key:

   # chmod 640 /etc/pki/tls/private/server.example.com.key.pem
   # chgrp mysql /etc/pki/tls/private/server.example.com.key.pem

   If unauthorized users have access to the private key, connections to the MariaDB server are no longer secure.

5. Restore the SELinux context:

   #  restorecon -Rv /etc/pki/tls/

Procedure

1. Create the /etc/my.cnf.d/mariadb-server-tls.cnf file:

   1. Add the following content to configure the paths to the private key, server and CA certificate:

      [mariadb]
      ssl_key = /etc/pki/tls/private/server.example.com.key.pem
      ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem
      ssl_ca = /etc/pki/tls/certs/ca.crt.pem

   2. If you have a Certificate Revocation List (CRL), configure the MariaDB server to use it:

      ssl_crl = /etc/pki/tls/certs/example.crl.pem

   3. Optional: Reject connection attempts without encryption. To enable this feature, append:

      require_secure_transport = on

   4. Optional: Set the TLS versions the server should support. For example, to support TLS 1.2 and TLS 1.3, append:

      tls_version = TLSv1.2,TLSv1.3

      By default, the server supports TLS 1.1, TLS 1.2, and TLS 1.3.

2. Restart the mariadb service:

   # systemctl restart mariadb

1. Verify that MariaDB now has TLS encryption enabled:

   # mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'have_ssl';"
   +---------------+-----------------+
   | Variable_name | Value           |
   +---------------+-----------------+
   | have_ssl      | YES             |
   +---------------+-----------------+

   If the have_ssl variable is set to yes, TLS encryption is enabled.

2. If you configured the MariaDB service to only support specific TLS versions, display the tls_version variable:

   # mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'tls_version';"
   +---------------+-----------------+
   | Variable_name | Value           |
   +---------------+-----------------+
   | tls_version   | TLSv1.2,TLSv1.3 |
   +---------------+-----------------+

Procedure

1. Connect as an administrative user to the MariaDB server:

   # mysql -u root -p -h server.example.com

   If your administrative user has no permissions to access the server remotely, perform the command on the MariaDB server and connect to localhost.

2. Use the REQUIRE SSL clause to enforce that a user must connect by using a TLS-encrypted connection:

   MariaDB [(none)]> ALTER USER 'example'@'%' REQUIRE SSL;

Verification

1. Connect to the server as the example user by using TLS encryption:

   # mysql -u example -p -h server.example.com --ssl
   ...
   MariaDB [(none)]>

   If no error is shown and you have access to the interactive MariaDB console, the connection with TLS succeeds.

2. Attempt to connect as the example user with TLS disabled:

   # mysql -u example -p -h server.example.com --skip-ssl
   ERROR 1045 (28000): Access denied for user 'example'@'server.example.com' (using password: YES)

   The server rejected the login attempt because TLS is required for this user but disabled (--skip-ssl).