Configuring SSL Access for GreatSQL: Standalone and MGR Cluster Guide


Background

To protect the confidentiality and integrity of data in transit and to keep sensitive information from being eavesdropped on or tampered with, it is recommended to enable SSL-encrypted connections for the GreatSQL service. This is especially relevant on untrusted networks (such as the public internet) or where industry data-security compliance requirements must be met. The following document describes how to configure the GreatSQL server to enforce SSL connections and how to issue certificates to clients.

Enabling SSL on a Standalone Instance

Initialize the key and certificate files with the command below; the datadir value must match the instance's data directory.

```sh
/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem
```

The following new files are created:

```sh
$ ll /greatsql/gdb/dbdata/3313/data/*pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-key.pem
-rw------- 1 greatsql greatsql 1676 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/private_key.pem
-rw-r--r-- 1 greatsql greatsql  452 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/public_key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-key.pem
```

Add the global secure-transport requirement to the configuration file:

```ini
require_secure_transport=ON
```

From this point on, every non-socket connection to the database must use SSL:

```sh
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                13
Current database:
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        6 min 1 sec

Threads: 3  Questions: 19  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.052
--------------
```

To require a valid client certificate for login, set the account's transport requirement to X509:

```sql
ALTER USER bing REQUIRE X509;
```

Logging in without a certificate now fails:

```sh
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'bing'@'172.17.134.55' (using password: YES)
```

Logging in with the certificate succeeds:

```sh
$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-ca=/greatsql/gdb/dbdata/3313/data/ca.pem --ssl-cert=/greatsql/gdb/dbdata/3313/data/client-cert.pem --ssl-key=/greatsql/gdb/dbdata/3313/data/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                12
Current database:
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        5 min 17 sec

Threads: 3  Questions: 13  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.041
--------------
```

Enabling SSL for MGR

Add the following to the database configuration:

```ini
loose-group_replication_ssl_mode = REQUIRED
loose-group_replication_recovery_use_ssl = 1
```

Certificate Generation

Either of the following methods will enable SSL successfully.

Within an MGR group, all other certificates must be generated from the same ca.pem; otherwise the group connections will fail.

Method 1 (separate SSL files per instance, higher security)

Use a script to generate each node's SSL certificates; a certificate generated for a given IP address can only be used on the corresponding server.

gen_ca_server_client_cert.sh

```sh
[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.4
 未检测到CA文件,正在生成统一CA...
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................++++
................++++
e is 65537 (0x010001)
 已生成统一CA: ca.pem, ca-key.pem
 正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
......+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4
Getting CA Private Key
192.168.0.4-server-cert.pem: OK
 Server证书生成完成:
  - 私钥: 192.168.0.4-server-key.pem
  - 证书: 192.168.0.4-server-cert.pem
 正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................+++++
...........................................................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4-client
Getting CA Private Key
192.168.0.4-client-cert.pem: OK
 Client证书生成完成:
  - 私钥: 192.168.0.4-client-key.pem
  - 证书: 192.168.0.4-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.4-server-cert.pem / 192.168.0.4-server-key.pem
Client证书: 192.168.0.4-client-cert.pem / 192.168.0.4-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.5
 检测到已有CA: ca.pem, ca-key.pem,直接使用
 正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................................................................................................+++++
..................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5
Getting CA Private Key
192.168.0.5-server-cert.pem: OK
 Server证书生成完成:
  - 私钥: 192.168.0.5-server-key.pem
  - 证书: 192.168.0.5-server-cert.pem
 正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................................+++++
........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5-client
Getting CA Private Key
192.168.0.5-client-cert.pem: OK
 Client证书生成完成:
  - 私钥: 192.168.0.5-client-key.pem
  - 证书: 192.168.0.5-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.5-server-cert.pem / 192.168.0.5-server-key.pem
Client证书: 192.168.0.5-client-cert.pem / 192.168.0.5-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.3
 检测到已有CA: ca.pem, ca-key.pem,直接使用
 正在生成 Server 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3
Getting CA Private Key
192.168.0.3-server-cert.pem: OK
 Server证书生成完成:
  - 私钥: 192.168.0.3-server-key.pem
  - 证书: 192.168.0.3-server-cert.pem
 正在生成 Client 证书...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
...........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3-client
Getting CA Private Key
192.168.0.3-client-cert.pem: OK
 Client证书生成完成:
  - 私钥: 192.168.0.3-client-key.pem
  - 证书: 192.168.0.3-client-cert.pem
统一 CA: ca.pem / ca-key.pem
Server证书: 192.168.0.3-server-cert.pem / 192.168.0.3-server-key.pem
Client证书: 192.168.0.3-client-cert.pem / 192.168.0.3-client-key.pem
完整流程完成
[root@gdb01-001 /data/tmp]#
```
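
The post does not show the body of gen_ca_server_client_cert.sh. The script below is an added example written for this guide, not the author's script: it reproduces the same workflow seen in the output above (create ca.pem and ca-key.pem once, then sign one server and one client certificate per node IP with that single CA) and additionally places the node IP in a subjectAltName so that clients connecting with --ssl-mode=VERIFY_IDENTITY can match the server. It assumes openssl is on the PATH; the CA name GreatSQL-MGR-CA, the key sizes, the validity periods, the output-directory argument and the function name are this example's own choices.

```sh
#!/bin/sh
# Per-node certificate generation with one shared CA for an MGR group.
# Added example for this guide; NOT the post's gen_ca_server_client_cert.sh,
# whose contents are not shown. Assumes: openssl on PATH; the output directory
# is passed as the 2nd argument (default: current directory). CA name, key sizes
# and validity periods below are this example's own choices.
set -eu

# gen_node_certs NODE_IP [OUT_DIR]
#   The first call creates OUT_DIR/ca.pem + ca-key.pem; every call then signs
#   NODE_IP-server-{key,cert}.pem and NODE_IP-client-{key,cert}.pem with that CA.
#   The server certificate carries NODE_IP both in the CN and in subjectAltName.
gen_node_certs() {
    ip="$1"; out="${2:-.}"
    ca_cert="$out/ca.pem"; ca_key="$out/ca-key.pem"
    mkdir -p "$out"

    if [ ! -f "$ca_cert" ] || [ ! -f "$ca_key" ]; then
        # One CA for the whole group: every node's certificate must chain to this ca.pem
        openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=GreatSQL-MGR-CA" \
            -keyout "$ca_key" -out "$out/ca.csr" 2>/dev/null
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$out/ca.ext"
        openssl x509 -req -in "$out/ca.csr" -signkey "$ca_key" -days 3650 -sha256 \
            -extfile "$out/ca.ext" -out "$ca_cert" 2>/dev/null
        rm -f "$out/ca.csr" "$out/ca.ext"
        chmod 600 "$ca_key"
    fi

    for role in server client; do
        if [ "$role" = server ]; then
            cn="$ip"
            # SAN with the node IP lets --ssl-mode=VERIFY_IDENTITY clients match the host
            printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
                "$ip" > "$out/$ip-$role.ext"
        else
            cn="$ip-client"
            printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$out/$ip-$role.ext"
        fi
        key="$out/$ip-$role-key.pem"; cert="$out/$ip-$role-cert.pem"; csr="$out/$ip-$role.csr"
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
            -keyout "$key" -out "$csr" 2>/dev/null
        chmod 600 "$key"
        openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
            -days 825 -sha256 -extfile "$out/$ip-$role.ext" -out "$cert" 2>/dev/null
        rm -f "$csr" "$out/$ip-$role.ext"
        # Abort if the new certificate does not chain to the shared CA
        openssl verify -CAfile "$ca_cert" "$cert" >/dev/null
    done
}

# Usage (one signing host, one call per node, same OUT_DIR each time):
#   gen_node_certs 192.168.0.4 /data/tmp
#   gen_node_certs 192.168.0.5 /data/tmp
#   gen_node_certs 192.168.0.3 /data/tmp
```

Running all three calls on one signing host with the same output directory is what guarantees the single-CA condition stated above. Note that the server only needs ca.pem plus its own server pair to serve SSL; ca-key.pem can sign further certificates for anyone who holds it, so keeping it off the database nodes (mode 600 on the signing host) limits what a compromised node yields.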

Copy the six files to each node's certificate directory with scp; remember to adjust the file owner afterwards.

SSL file distribution

```sh
scp ca-key.pem ca.pem 192.168.0.5-client-key.pem 192.168.0.5-client-cert.pem 192.168.0.5-server-cert.pem 192.168.0.5-server-key.pem 192.168.0.5:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.4-client-key.pem 192.168.0.4-client-cert.pem 192.168.0.4-server-cert.pem 192.168.0.4-server-key.pem 192.168.0.4:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.3-client-key.pem 192.168.0.3-client-cert.pem 192.168.0.3-server-cert.pem 192.168.0.3-server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files
```

Rename the SSL files on each node to drop the IP prefix (rename '192.168.0.5-' '' *):

```sh
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]$  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-server-key.pem
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  rename '192.168.0.5-' '' *
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 server-key.pem
```

In addition, add the following to each instance's configuration file:

```ini
ssl-ca=/greatsql/gdb/dbdata/3313/ssl_files/ca.pem
ssl-cert=/greatsql/gdb/dbdata/3313/ssl_files/server-cert.pem
ssl-key=/greatsql/gdb/dbdata/3313/ssl_files/server-key.pem
```

Verify the certificate validity period:

```sh
openssl x509 -in server-cert.pem -noout -dates
```
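
The single openssl line above prints the dates but leaves the comparison to the reader. Below is an added example written for this guide (not from the post): a small POSIX shell check that, for one node's ssl_files directory, confirms the server certificate chains to the local ca.pem (the shared-CA requirement for MGR), that server-key.pem belongs to server-cert.pem, that the certificate is not about to expire, and that the key file is not group- or world-readable. It assumes openssl on the PATH and the file layout used above; the function names, the 30-day default warning window and the report format are the example's own.

```sh
#!/bin/sh
# Certificate health checks for one GreatSQL node's ssl_files directory.
# Added example, not from the post. Assumes openssl on PATH and the layout used
# above (ca.pem, server-cert.pem, server-key.pem in one directory). The function
# names and the default warning window are this example's own.
set -eu

# cert_signed_by_ca CERT CA_CERT -> exit 0 if CERT chains to CA_CERT
# (the "one ca.pem for the whole MGR group" rule from the section above)
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_matches_key CERT KEY -> exit 0 if KEY is the private key behind CERT.
# Compares the SHA-256 of the DER-encoded public key taken from each side.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS -> exit 0 if CERT expires (or already expired) within DAYS days
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private FILE -> exit 0 if group and others have no permission bits on FILE
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_node_ssl DIR [WARN_DAYS] -> prints one report line per check; exit 1 if any check fails
check_node_ssl() {
    dir="$1"; warn_days="${2:-30}"; rc=0
    ca="$dir/ca.pem"; cert="$dir/server-cert.pem"; key="$dir/server-key.pem"
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ]; then echo "FAIL: missing $f"; rc=1; fi
    done
    [ "$rc" -eq 0 ] || return 1

    if cert_signed_by_ca "$cert" "$ca"; then
        echo "OK:   server-cert.pem chains to ca.pem"
    else
        echo "FAIL: server-cert.pem is not signed by this ca.pem (other MGR members will reject it)"; rc=1
    fi
    if cert_matches_key "$cert" "$key"; then
        echo "OK:   server-key.pem matches server-cert.pem"
    else
        echo "FAIL: server-key.pem does not belong to server-cert.pem"; rc=1
    fi
    if cert_expires_within "$cert" "$warn_days"; then
        echo "WARN: server-cert.pem expires within $warn_days days: $(openssl x509 -in "$cert" -noout -enddate)"; rc=1
    else
        echo "OK:   server-cert.pem valid beyond $warn_days days"
    fi
    if key_is_private "$key"; then
        echo "OK:   server-key.pem not readable by group/others"
    else
        echo "FAIL: server-key.pem is readable by group/others (expected mode 600)"; rc=1
    fi
    return "$rc"
}

# Usage on a node: check_node_ssl /greatsql/gdb/dbdata/3313/ssl_files 30
```

Run it on every member after distributing the files; a FAIL on the chain check on exactly one node is the typical symptom of a certificate that was signed with a different ca.pem than the rest of the group.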

Method 2 (identical SSL files on all instances, easier to use)

On the first node, initialize the certificates directly with the following commands:

```sh
/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem
```

On the other nodes, copy the data with CLONE and then copy the certificates with scp. All nodes will end up with identical certificates, but this does not affect operation.

```sql
greatsql> SET GLOBAL clone_valid_donor_list='192.168.0.4:3313';
Query OK, 0 rows affected (0.00 sec)

greatsql> CLONE INSTANCE FROM greatsql@192.168.0.4:3313 IDENTIFIED BY '!QAZ2wsx';
```

Then copy the certificate files to the new node:

```sh
scp ca-key.pem ca.pem client-key.pem client-cert.pem server-cert.pem server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files
```

Check the MGR group status once SSL is in effect:

```sql
SELECT * FROM performance_schema.replication_group_members;
```

Confirm that SSL is in effect:

```sql
greatsql> SHOW VARIABLES LIKE 'group_replication_ssl_mode';
+----------------------------+----------+
| Variable_name              | Value    |
+----------------------------+----------+
| group_replication_ssl_mode | REQUIRED |
+----------------------------+----------+
1 row in set (0.00 sec)

greatsql> SHOW VARIABLES LIKE 'group_replication_recovery_use_ssl';
+------------------------------------+-------+
| Variable_name                      | Value |
+------------------------------------+-------+
| group_replication_recovery_use_ssl | ON    |
+------------------------------------+-------+
1 row in set (0.00 sec)
```