tachtler:mariadb_centos_7
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen RevisionVorhergehende ÜberarbeitungNächste Überarbeitung | Vorhergehende Überarbeitung | ||
tachtler:mariadb_centos_7 [2018/04/27 05:41] – [SSL: Eigene CA erstellen] klaus | tachtler:mariadb_centos_7 [2018/04/27 06:38] (aktuell) – [SSL: Client-Zertifikat erstellen] klaus | ||
---|---|---|---|
Zeile 1033: | Zeile 1033: | ||
Die Konfiguration beinhaltet | Die Konfiguration beinhaltet | ||
- Erstellen einer **eignen CA** - **'' | - Erstellen einer **eignen CA** - **'' | ||
- | - Erstellen eines **'' | + | - Erstellen eines **'' |
- Erstellen eines **'' | - Erstellen eines **'' | ||
Zeile 1197: | Zeile 1197: | ||
Organization Name (eg, company) [Default Company Ltd]:Klaus Tachtler | Organization Name (eg, company) [Default Company Ltd]:Klaus Tachtler | ||
Organizational Unit Name (eg, section) []:. | Organizational Unit Name (eg, section) []:. | ||
- | Common Name (eg, your name or your server' | + | Common Name (eg, your name or your server' |
Email Address []: | Email Address []: | ||
Zeile 1232: | Zeile 1232: | ||
**__3. Schritt__**: | **__3. Schritt__**: | ||
< | < | ||
- | # openssl x509 -req -in / | + | # openssl x509 -req -in / |
Signature ok | Signature ok | ||
subject=/ | subject=/ | ||
Zeile 1260: | Zeile 1260: | ||
< | < | ||
# openssl x509 -noout -text -in / | # openssl x509 -noout -text -in / | ||
+ | Certificate: | ||
+ | Data: | ||
+ | Version: 1 (0x0) | ||
+ | Serial Number: 1 (0x1) | ||
+ | Signature Algorithm: sha256WithRSAEncryption | ||
+ | Issuer: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, CN=MariaDB | ||
+ | CA/ | ||
+ | Validity | ||
+ | Not Before: Apr 27 04:26:53 2018 GMT | ||
+ | Not After : Apr 23 04:26:53 2028 GMT | ||
+ | Subject: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, | ||
+ | CN=db.idmz.tachtler.net/ | ||
+ | Subject Public Key Info: | ||
+ | Public Key Algorithm: rsaEncryption | ||
+ | Public-Key: (2048 bit) | ||
+ | Modulus: | ||
+ | 00: | ||
+ | 48: | ||
+ | 59: | ||
+ | c9: | ||
+ | 65: | ||
+ | 19: | ||
+ | 7d: | ||
+ | 20: | ||
+ | f6: | ||
+ | 13: | ||
+ | 39: | ||
+ | 8c: | ||
+ | 8f: | ||
+ | d2: | ||
+ | 66: | ||
+ | 8c: | ||
+ | ed: | ||
+ | 88:2a | ||
+ | Exponent: 65537 (0x10001) | ||
+ | Signature Algorithm: sha256WithRSAEncryption | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
</ | </ | ||
+ | |||
+ | ==== SSL: Client-Zertifikat erstellen ==== | ||
+ | |||
+ | Nachfolgende Befehle erstellen ein **'' | ||
+ | |||
+ | :!: **HINWEIS** - **Dies kann in Client wie z.B.** | ||
+ | * **[[tachtler: | ||
+ | * **[[tachtler: | ||
+ | **eingebunden werden**. | ||
+ | |||
+ | **__1. Schritt__**: | ||
+ | * ''/ | ||
+ | * ''/ | ||
+ | mit nachfolgendem Befehl erstellt werden: | ||
+ | < | ||
+ | # openssl req -newkey rsa:2048 -days 3649 -nodes -keyout / | ||
+ | Generating a 2048 bit RSA private key | ||
+ | ............................................................................................................. | ||
+ | ...........................................+++ | ||
+ | ......+++ | ||
+ | writing new private key to '/ | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | Country Name (2 letter code) [XX]:DE | ||
+ | State or Province Name (full name) []:Bayern (Bavaria) | ||
+ | Locality Name (eg, city) [Default City]: | ||
+ | Organization Name (eg, company) [Default Company Ltd]:Klaus Tachtler | ||
+ | Organizational Unit Name (eg, section) []:. | ||
+ | Common Name (eg, your name or your server' | ||
+ | Email Address []: | ||
+ | |||
+ | Please enter the following ' | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []: | ||
+ | An optional company name []:. | ||
+ | </ | ||
+ | |||
+ | Mit nachfolgendem Befehl kann nun überprüft werden, ob der **MariaDB Client Schlüssel** und der **MariaDB Client Zertifikatsantrag** erstellt wurden: | ||
+ | < | ||
+ | # ls -la / | ||
+ | / | ||
+ | total 16 | ||
+ | drwxr-xr-x 2 root root 118 Apr 27 05:48 . | ||
+ | drwxr-xr-x 4 root root 32 Apr 27 04:44 .. | ||
+ | -rw-r--r-- 1 root root 1460 Apr 27 04:54 mariadb-ca-crt.pem | ||
+ | -rw-r--r-- 1 root root 1078 Apr 27 05:48 mariadb-client-csr.pem | ||
+ | -rw-r--r-- 1 root root 1338 Apr 27 05:43 mariadb-server-crt.pem | ||
+ | -rw-r--r-- 1 root root 1078 Apr 27 05:42 mariadb-server-csr.pem | ||
+ | |||
+ | / | ||
+ | total 12 | ||
+ | drwxr-xr-x 2 root root 89 Apr 27 05:48 . | ||
+ | drwxr-xr-x 4 root root 32 Apr 27 04:44 .. | ||
+ | -rw-r--r-- 1 root root 1675 Apr 27 04:52 mariadb-ca-key.pem | ||
+ | -rw-r--r-- 1 root root 1704 Apr 27 05:48 mariadb-client-key.pem | ||
+ | -rw-r--r-- 1 root root 1679 Apr 27 05:42 mariadb-server-key.pem | ||
+ | </ | ||
+ | |||
+ | **__2. Schritt__**: | ||
+ | < | ||
+ | # openssl rsa -in / | ||
+ | writing RSA key | ||
+ | </ | ||
+ | |||
+ | **__3. Schritt__**: | ||
+ | < | ||
+ | # # openssl x509 -req -in / | ||
+ | Signature ok | ||
+ | subject=/ | ||
+ | Getting CA Private Key | ||
+ | </ | ||
+ | |||
+ | Mit nachfolgendem Befehl kann überprüft werden, ob das **MariaDB Server Zertifikat** erstellt wurde: | ||
+ | < | ||
+ | # ls -la / | ||
+ | / | ||
+ | total 20 | ||
+ | drwxr-xr-x 2 root root 147 Apr 27 05:50 . | ||
+ | drwxr-xr-x 4 root root 32 Apr 27 04:44 .. | ||
+ | -rw-r--r-- 1 root root 1460 Apr 27 04:54 mariadb-ca-crt.pem | ||
+ | -rw-r--r-- 1 root root 1338 Apr 27 05:50 mariadb-client-crt.pem | ||
+ | -rw-r--r-- 1 root root 1078 Apr 27 05:48 mariadb-client-csr.pem | ||
+ | -rw-r--r-- 1 root root 1338 Apr 27 05:43 mariadb-server-crt.pem | ||
+ | -rw-r--r-- 1 root root 1078 Apr 27 05:42 mariadb-server-csr.pem | ||
+ | |||
+ | / | ||
+ | total 12 | ||
+ | drwxr-xr-x 2 root root 89 Apr 27 05:48 . | ||
+ | drwxr-xr-x 4 root root 32 Apr 27 04:44 .. | ||
+ | -rw-r--r-- 1 root root 1675 Apr 27 04:52 mariadb-ca-key.pem | ||
+ | -rw-r--r-- 1 root root 1675 Apr 27 05:49 mariadb-client-key.pem | ||
+ | -rw-r--r-- 1 root root 1679 Apr 27 05:42 mariadb-server-key.pem | ||
+ | </ | ||
+ | |||
+ | Mit nachfolgendem Befehl kann das soeben erstellt **'' | ||
+ | < | ||
+ | # openssl x509 -noout -text -in / | ||
+ | Certificate: | ||
+ | Data: | ||
+ | Version: 1 (0x0) | ||
+ | Serial Number: 1 (0x1) | ||
+ | Signature Algorithm: sha256WithRSAEncryption | ||
+ | Issuer: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, CN=MariaDB | ||
+ | CA/ | ||
+ | Validity | ||
+ | Not Before: Apr 27 03:50:10 2018 GMT | ||
+ | Not After : Apr 23 03:50:10 2028 GMT | ||
+ | Subject: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, CN=MariaDB | ||
+ | Client/ | ||
+ | Subject Public Key Info: | ||
+ | Public Key Algorithm: rsaEncryption | ||
+ | Public-Key: (2048 bit) | ||
+ | Modulus: | ||
+ | 01: | ||
+ | 9e: | ||
+ | 08: | ||
+ | f7: | ||
+ | 93: | ||
+ | 55: | ||
+ | d7: | ||
+ | cb: | ||
+ | 99: | ||
+ | b7: | ||
+ | bc: | ||
+ | a4: | ||
+ | fd: | ||
+ | a6: | ||
+ | 3f: | ||
+ | a8: | ||
+ | ad: | ||
+ | 7d:41 | ||
+ | Exponent: 65537 (0x10001) | ||
+ | Signature Algorithm: sha256WithRSAEncryption | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | ==== /etc/my.cnf ==== | ||
+ | |||
+ | Um den [[https:// | ||
+ | * **ROOT**-Zertifikat aus der **eigenen CA** und das | ||
+ | * **'' | ||
+ | * **'' | ||
+ | in den mit einzubinden. | ||
+ | |||
+ | Die Anpassungen sind in der Konfigurationsdatei **''/ | ||
+ | < | ||
+ | # Tachtler | ||
+ | </ | ||
+ | gekennzeichnet. | ||
+ | |||
+ | Hier eine mögliche Anpassung (**komplette Konfigurationsdatei/ | ||
+ | <code ini> | ||
+ | [mysqld] | ||
+ | # Tachtler | ||
+ | # default: datadir=/ | ||
+ | datadir=/ | ||
+ | socket=/ | ||
+ | # Disabling symbolic-links is recommended to prevent assorted security risks | ||
+ | symbolic-links=0 | ||
+ | # Settings user and group are ignored when systemd is used. | ||
+ | # If you need to run mysqld under a different user or group, | ||
+ | # customize your systemd unit file for mariadb according to the | ||
+ | # instructions in http:// | ||
+ | |||
+ | # Tachtler - ssl - | ||
+ | ssl-ca=/ | ||
+ | ssl-cert=/ | ||
+ | ssl-key=/ | ||
+ | |||
+ | [mysqld_safe] | ||
+ | log-error=/ | ||
+ | pid-file=/ | ||
+ | |||
+ | # | ||
+ | # include all files from the config directory | ||
+ | # | ||
+ | !includedir / | ||
+ | |||
+ | </ | ||
+ | |||
+ | Um überprüfen zu können, ob eine **SSL**-Verschlüsselung nun im [[https:// | ||
+ | <code mysql> | ||
+ | # mysql -h 127.0.0.1 -u root -p | ||
+ | Enter password: | ||
+ | Welcome to the MariaDB monitor. | ||
+ | Your MariaDB connection id is 7 | ||
+ | Server version: 5.5.56-MariaDB MariaDB Server | ||
+ | |||
+ | Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. | ||
+ | |||
+ | Type ' | ||
+ | |||
+ | MariaDB [(none)]> | ||
+ | </ | ||
+ | |||
+ | Anschließend zeigt nachfolgender **SQL**-Befehl die **SSL**-Verschlüsselungseinstellungen an: | ||
+ | <code mysql> | ||
+ | MariaDB [(none)]> | ||
+ | +---------------+-------------------------------------------------+ | ||
+ | | Variable_name | Value | | ||
+ | +---------------+-------------------------------------------------+ | ||
+ | | have_openssl | ||
+ | | have_ssl | ||
+ | | ssl_ca | ||
+ | | ssl_capath | ||
+ | | ssl_cert | ||
+ | | ssl_cipher | ||
+ | | ssl_key | ||
+ | +---------------+-------------------------------------------------+ | ||
+ | 7 rows in set (0.01 sec) | ||
+ | </ | ||
+ | |||
+ | Um die Verbindung zum [[https:// | ||
+ | < | ||
+ | MariaDB [(none)]> | ||
+ | Bye | ||
+ | </ | ||
+ | |||
+ | Nachfolgender Befehl baut eine **SSL**-Verschlüsselte Verbindung zum [[https:// | ||
+ | < | ||
+ | # openssl s_client -connect 127.0.0.1: | ||
+ | CONNECTED(00000003) | ||
+ | 140490808899488: | ||
+ | --- | ||
+ | no peer certificate available | ||
+ | --- | ||
+ | No client certificate CA names sent | ||
+ | --- | ||
+ | SSL handshake has read 7 bytes and written 289 bytes | ||
+ | --- | ||
+ | New, (NONE), Cipher is (NONE) | ||
+ | Secure Renegotiation IS NOT supported | ||
+ | Compression: | ||
+ | Expansion: NONE | ||
+ | No ALPN negotiated | ||
+ | SSL-Session: | ||
+ | Protocol | ||
+ | Cipher | ||
+ | Session-ID: | ||
+ | Session-ID-ctx: | ||
+ | Master-Key: | ||
+ | Key-Arg | ||
+ | Krb5 Principal: None | ||
+ | PSK identity: None | ||
+ | PSK identity hint: None | ||
+ | Start Time: 1524802147 | ||
+ | Timeout | ||
+ | Verify return code: 0 (ok) | ||
+ | --- | ||
+ | </ | ||
+ |
tachtler/mariadb_centos_7.1524800474.txt.gz · Zuletzt geändert: 2018/04/27 05:41 von klaus