tachtler:mariadb_centos_7
Revision comparison: tachtler:mariadb_centos_7 [2018/04/27 05:45] (section "SSL: Create server certificate", by klaus) against tachtler:mariadb_centos_7 [2018/04/27 06:38] (current, section "SSL: Create client certificate", by klaus). The text below is the newer revision; only the changed regions of the page are shown, each introduced by the line number at which it starts.

Line 1033:
The configuration comprises
  - creating an **own CA** - **''
  - creating a **''
  - creating a **''
Line 1197:
Organization Name (eg, company) [Default Company Ltd]:Klaus Tachtler
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server'
Email Address []:
Line 1268:
            CA/
        Validity
            Not Before: Apr 27 04:26:53 2018 GMT
            Not After : Apr 23 04:26:53 2028 GMT
        Subject: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler,
            CN=db.idmz.tachtler.net/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus, hex dump not reproduced)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         (signature bytes not reproduced)
</code>

==== SSL: Create client certificate ====

The following commands create a **''

:!: **NOTE** - **This client certificate can be integrated into clients such as**
  * **[[tachtler:
  * **[[tachtler:

**__Step 1__**: the client key and the client certificate request are written to
  * ''/
  * ''/
with the following command:
<code>
# openssl req -newkey rsa:2048 -days 3649 -nodes -keyout /
Generating a 2048 bit RSA private key
.............................................................................................................
...........................................+++
......+++
writing new private key to '/
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bayern (Bavaria)
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Klaus Tachtler
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server'
Email Address []:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:.
</code>

The following command verifies that the **MariaDB client key** and the **MariaDB client certificate request** were created:
<code>
# ls -la /
/
total 16
drwxr-xr-x 2 root root  118 Apr 27 05:48 .
drwxr-xr-x 4 root root   32 Apr 27 04:44 ..
-rw-r--r-- 1 root root 1460 Apr 27 04:54 mariadb-ca-crt.pem
-rw-r--r-- 1 root root 1078 Apr 27 05:48 mariadb-client-csr.pem
-rw-r--r-- 1 root root 1338 Apr 27 05:43 mariadb-server-crt.pem
-rw-r--r-- 1 root root 1078 Apr 27 05:42 mariadb-server-csr.pem

/
total 12
drwxr-xr-x 2 root root   89 Apr 27 05:48 .
drwxr-xr-x 4 root root   32 Apr 27 04:44 ..
-rw-r--r-- 1 root root 1675 Apr 27 04:52 mariadb-ca-key.pem
-rw-r--r-- 1 root root 1704 Apr 27 05:48 mariadb-client-key.pem
-rw-r--r-- 1 root root 1679 Apr 27 05:42 mariadb-server-key.pem
</code>

**__Step 2__**: the key is rewritten in place with ''openssl rsa''. Because it was created with ''-nodes'' it carries no passphrase, so this step only changes the encoding from the PKCS#8 form that ''openssl req'' writes to the traditional ''RSA PRIVATE KEY'' PEM form (the file shrinks from 1704 to 1675 bytes in the listings), the form that every MariaDB build accepts for ''ssl-key'':
<code>
# openssl rsa -in /
writing RSA key
</code>

**__Step 3__**: the certificate request is signed with the CA certificate and the CA private key, which produces the client certificate. The certificate's validity period is set by the ''-days'' option of this signing step; the ''-days 3649'' passed to ''openssl req'' in step 1 has no effect on a certificate request:
<code>
# openssl x509 -req -in /
Signature ok
subject=/
Getting CA Private Key
</code>

The following command verifies that the **MariaDB client certificate** was created:
<code>
# ls -la /
/
total 20
drwxr-xr-x 2 root root  147 Apr 27 05:50 .
drwxr-xr-x 4 root root   32 Apr 27 04:44 ..
-rw-r--r-- 1 root root 1460 Apr 27 04:54 mariadb-ca-crt.pem
-rw-r--r-- 1 root root 1338 Apr 27 05:50 mariadb-client-crt.pem
-rw-r--r-- 1 root root 1078 Apr 27 05:48 mariadb-client-csr.pem
-rw-r--r-- 1 root root 1338 Apr 27 05:43 mariadb-server-crt.pem
-rw-r--r-- 1 root root 1078 Apr 27 05:42 mariadb-server-csr.pem

/
total 12
drwxr-xr-x 2 root root   89 Apr 27 05:48 .
drwxr-xr-x 4 root root   32 Apr 27 04:44 ..
-rw-r--r-- 1 root root 1675 Apr 27 04:52 mariadb-ca-key.pem
-rw-r--r-- 1 root root 1675 Apr 27 05:49 mariadb-client-key.pem
-rw-r--r-- 1 root root 1679 Apr 27 05:42 mariadb-server-key.pem
</code>

Note that all three private keys are listed as ''-rw-r--r--'', i.e. readable by every local user. A private key only needs to be readable by the account that uses it (''mysql'' for the server key, the respective client account for the client key, nobody but root for the CA key); ''chmod 0600'', or ''chmod 0640'' together with a matching group, should be applied to the key files before they are put to use.

The following command displays the just-created **''
<code>
# openssl x509 -noout -text -in /
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, CN=MariaDB
            CA/
        Validity
            Not Before: Apr 27 03:
            Not After : Apr 23 03:50:10 2028 GMT
        Subject: C=DE, ST=Bayern (Bavaria), L=Muenchen (Munich), O=Klaus Tachtler, CN=MariaDB
            Client/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus, hex dump not reproduced)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         (signature bytes not reproduced)
</code>

''Version: 1 (0x0)'' shows that ''openssl x509 -req'' without an ''-extfile'' produced an X.509 v1 certificate: it carries no extensions, so there is no ''basicConstraints'' marking it as a non-CA, no ''extendedKeyUsage'' separating client from server use, and no ''subjectAltName''; a peer that verifies the certificate's name can only compare it against the CN. The CA, server and client certificates must also keep distinct subjects (here ''MariaDB CA'', ''db.idmz.tachtler.net'' and ''MariaDB Client''): a certificate whose subject equals its issuer's subject is taken for a self-signed certificate during chain building, and the verification then fails on OpenSSL-based MariaDB servers and clients.
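
The CA, server and client procedure of this and the preceding section (key and request with ''openssl req'', key rewritten with ''openssl rsa'', request signed with ''openssl x509 -req'') as one non-interactive script. This is an added example and not part of the original page or of MariaDB itself: the subject values follow the prompts answered above, while the target directory, the host name argument, the X.509 v3 extensions written via ''-extfile'' (''subjectAltName'' on the server certificate, ''basicConstraints'', ''keyUsage'', ''extendedKeyUsage''), ''-CAcreateserial'' for distinct serial numbers and the ''umask 077'' that yields 0600 key files are this example's own choices. ''verify_mariadb_pki'' then runs, with ''openssl'' alone, the checks that otherwise fail only at server start or at the first client connection: chain validity, CA subject different from each leaf subject, and certificate/key pairing.

```bash
#!/bin/sh
# Added example, not part of the original page: the CA / server / client
# steps above (openssl req, openssl rsa, openssl x509 -req) done
# non-interactively. Assumptions: OpenSSL 1.0.2 or newer; DIR is a scratch
# directory rather than the page's /etc/pki paths; FQDN is the name clients
# connect to. Deviations from the page's interactive commands:
#   - umask 077: keys are written 0600 instead of 0644
#   - -extfile: X.509 v3 extensions (CA:TRUE only on the CA, a SAN on the
#     server certificate, serverAuth / clientAuth so the two cannot be swapped)
#   - -CAcreateserial: server and client certificates get distinct serials
#   - CA, server and client keep different CNs, as they must
set -eu

SUBJ_BASE="/C=DE/ST=Bayern (Bavaria)/L=Muenchen (Munich)/O=Klaus Tachtler"

# make_mariadb_pki DIR FQDN
make_mariadb_pki() (
    dir=$1; fqdn=$2
    mkdir -p "$dir"; cd "$dir"
    umask 077

    # own CA: key + CSR, then self-sign the CSR with CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=MariaDB CA" \
        -keyout mariadb-ca-key.pem -out mariadb-ca-csr.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 3649 -in mariadb-ca-csr.pem -signkey mariadb-ca-key.pem \
        -extfile ca.ext -out mariadb-ca-crt.pem 2>/dev/null

    # server: CN and SAN both carry the host name; 127.0.0.1 is added because
    # the page connects with "mysql -h 127.0.0.1"
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=$fqdn" \
        -keyout mariadb-server-key.pem -out mariadb-server-csr.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:127.0.0.1\n' "$fqdn" > server.ext
    openssl x509 -req -days 3649 -in mariadb-server-csr.pem -CA mariadb-ca-crt.pem \
        -CAkey mariadb-ca-key.pem -CAcreateserial -extfile server.ext \
        -out mariadb-server-crt.pem 2>/dev/null

    # client: clientAuth only
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=MariaDB Client" \
        -keyout mariadb-client-key.pem -out mariadb-client-csr.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -days 3649 -in mariadb-client-csr.pem -CA mariadb-ca-crt.pem \
        -CAkey mariadb-ca-key.pem -CAcreateserial -extfile client.ext \
        -out mariadb-client-crt.pem 2>/dev/null

    # step 2 of the page for every key: rewrite in the traditional
    # "RSA PRIVATE KEY" PEM form (the key is loaded before the file is
    # reopened for writing, so in-place rewriting is safe; with OpenSSL 3
    # the output stays PKCS#8 and the step is a no-op in effect)
    for k in ca server client; do
        openssl rsa -in "mariadb-$k-key.pem" -out "mariadb-$k-key.pem" 2>/dev/null
    done

    chmod 644 mariadb-*-crt.pem          # certificates are public, keys stay 0600
    rm -f ca.ext server.ext client.ext
)

# verify_mariadb_pki DIR: the checks MariaDB and its clients perform later,
# done now with openssl; exits non-zero on the first failure
verify_mariadb_pki() (
    cd "$1"
    ca_subject=$(openssl x509 -noout -subject -in mariadb-ca-crt.pem)
    for leaf in server client; do
        # signed by the CA and inside its validity period
        openssl verify -CAfile mariadb-ca-crt.pem "mariadb-$leaf-crt.pem" 2>&1 | grep -q ': OK$' || exit 1
        # leaf subject must not equal the CA subject
        [ "$(openssl x509 -noout -subject -in "mariadb-$leaf-crt.pem")" != "$ca_subject" ] || exit 1
        # certificate and key must belong together
        [ "$(openssl x509 -noout -modulus -in "mariadb-$leaf-crt.pem")" = \
          "$(openssl rsa -noout -modulus -in "mariadb-$leaf-key.pem" 2>/dev/null)" ] || exit 1
    done
)
```

Usage: ''make_mariadb_pki /some/dir db.idmz.tachtler.net && verify_mariadb_pki /some/dir''. The keys come out as 0600 root, so the server key still has to be handed to the service account (''chown root:mysql'' and ''chmod 0640'', or ''chown mysql'') before ''ssl-key'' in ''/etc/my.cnf'' points at it; the client key goes to the client's account the same way. The CA key is not needed by any service and can stay root-only.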

==== /etc/my.cnf ====

To enable SSL in the [[https://
  * the **ROOT** certificate of the **own CA** and the
  * **''
  * **''
have to be included in the server configuration.

The changes in the configuration file **''/
are marked with
<code>
# Tachtler
</code>
Here is one possible configuration (**complete configuration file/
<code ini>
[mysqld]
# Tachtler
# default: datadir=/
datadir=/
socket=/
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://

# Tachtler - ssl -
ssl-ca=/
ssl-cert=/
ssl-key=/

[mysqld_safe]
log-error=/
pid-file=/

#
# include all files from the config directory
#
!includedir /

</code>
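
The listings earlier on this page show the key files as ''-rw-r--r--'', and the three ''ssl-*'' paths above are only reported as wrong in the server's error log after a restart. The following function, an added example that is not part of the original page, reads ''ssl-ca'', ''ssl-cert'' and ''ssl-key'' from the ''[mysqld]'' section of a my.cnf and checks before the restart that the files exist and are readable, that the key is not world-readable, that key and certificate belong together, and that the certificate verifies against the CA file. It assumes the ''key=value'' layout shown above and GNU ''stat''; the function name, the file argument and the ''FAIL:'' output format are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original page: validate the ssl-ca /
# ssl-cert / ssl-key entries of a my.cnf before restarting MariaDB.
# Assumptions: options in the [mysqld] section in key=value form (as above),
# GNU stat for the permission check, openssl on PATH for the cross-checks
# (those are skipped, with a notice, when it is missing).

# cnf_value FILE OPTION: value of OPTION from the [mysqld] section only.
# "ssl-key" and "ssl_key" are the same option to MariaDB, so both are accepted.
cnf_value() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld && !/^[[:space:]]*[#;]/ && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key); gsub(/-/, "_", key)
            if (key == want) { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
        }' "$1"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_mariadb_ssl_config MY_CNF: prints one line per failed check and
# returns the number of failures (0 means the server can use the files)
check_mariadb_ssl_config() {
    cnf=$1; fails=0
    ca=$(cnf_value "$cnf" ssl_ca)
    cert=$(cnf_value "$cnf" ssl_cert)
    key=$(cnf_value "$cnf" ssl_key)

    for pair in "ssl_ca=$ca" "ssl_cert=$cert" "ssl_key=$key"; do
        name=${pair%%=*}; path=${pair#*=}
        if [ -z "$path" ]; then
            fail "$name is not set in [mysqld]"
        elif [ ! -r "$path" ]; then
            fail "$name=$path missing or unreadable"
        fi
    done

    # the private key must not be world-readable; 0600, or 0640 with the
    # mysql group, is all the server account needs
    if [ -r "$key" ]; then
        case $(stat -c %A "$key") in
            ???????r*) fail "$key is readable by others: $(stat -c %A "$key")" ;;
        esac
    fi

    if ! command -v openssl >/dev/null 2>&1; then
        echo "NOTE: openssl not found, key/certificate cross-checks skipped"
    elif [ -r "$ca" ] && [ -r "$cert" ] && [ -r "$key" ]; then
        # a certificate and a key that do not share the modulus are the
        # classic cause of "SSL error: Unable to get private key"
        cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || fail "$cert is not a PEM certificate"
        kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || fail "$key is not an unencrypted RSA key"
        if [ -n "$cmod" ] && [ -n "$kmod" ] && [ "$cmod" != "$kmod" ]; then
            fail "ssl_cert and ssl_key do not belong together (modulus mismatch)"
        fi
        openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$' || fail "$cert does not verify against $ca"
    fi
    return $fails
}
```

Run it as ''check_mariadb_ssl_config /etc/my.cnf'' before ''systemctl restart mariadb''; an exit status of 0 means every check passed. The function deliberately reads only the ''[mysqld]'' section, since a client-side ''ssl-ca'' in ''[client]'' or ''[mysql]'' says nothing about what the server will load.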

To check whether **SSL** encryption is now available in the [[https://
(''-h 127.0.0.1'' is used on purpose: it forces a TCP connection, and only TCP connections can be SSL-encrypted; on this MariaDB 5.5 server a connection over the local Unix socket is never encrypted):
<code mysql>
# mysql -h 127.0.0.1 -u root -p
Enter password:
Welcome to the MariaDB monitor.
Your MariaDB connection id is 7
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type '

MariaDB [(none)]>
</code>

The following **SQL** statement then displays the **SSL** settings:
<code mysql>
MariaDB [(none)]>
+---------------+-------------------------------------------------+
| Variable_name | Value                                           |
+---------------+-------------------------------------------------+
| have_openssl  |
| have_ssl      |
| ssl_ca        |
| ssl_capath    |
| ssl_cert      |
| ssl_cipher    |
| ssl_key       |
+---------------+-------------------------------------------------+
7 rows in set (0.01 sec)
</code>

These are server variables, i.e. the configuration the server loaded: ''have_ssl'' must read ''YES'', while ''DISABLED'' means SSL support is compiled in but was not enabled, for example because one of the files named in ''/etc/my.cnf'' could not be loaded (the reason is then in the error log). They say nothing about the session that issued the statement. Whether the current connection is actually encrypted is shown by ''SHOW STATUS LIKE 'Ssl_cipher';'' (empty for a plaintext connection) or by the ''SSL:'' line of the client's ''\s'' (status) command.

To close the connection to the [[https://
<code>
MariaDB [(none)]>
Bye
</code>

The following command attempts an **SSL**-encrypted connection to the [[https://
<code>
# openssl s_client -connect 127.0.0.1:3306
CONNECTED(00000003)
140490808899488:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  :
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   :
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1524802147
    Timeout   :
    Verify return code: 0 (ok)
---
</code>

The ''unknown protocol'' error does not indicate a problem with the server's SSL setup; it is what a plain ''openssl s_client'' always produces against a MySQL/MariaDB port. The MySQL protocol does not start with TLS: the server first sends its plaintext handshake packet (the 7 bytes read above are the start of that packet), and a client that wants encryption answers with an SSLRequest packet carrying the ''CLIENT_SSL'' capability flag, after which the TLS handshake begins on the same connection. ''s_client'' instead expects a TLS ''ServerHello'' as the first bytes and aborts, hence ''Cipher is (NONE)'', no peer certificate and an empty session; the final ''Verify return code: 0 (ok)'' is meaningless because nothing was verified. OpenSSL 1.1.1 and later implement this upgrade with ''openssl s_client -starttls mysql -connect 127.0.0.1:3306 -CAfile <ca-certificate>''. CentOS 7 ships OpenSSL 1.0.2, which has no ''-starttls mysql'', so the encryption has to be checked from the ''mysql'' client instead: connect with ''--ssl-ca=<ca-certificate> --ssl-verify-server-cert'' (the latter compares the server certificate's name with the host given to ''-h'') and run ''\s'', whose ''SSL:'' line names the cipher in use, or ''SHOW STATUS LIKE 'Ssl_cipher';''.
tachtler/mariadb_centos_7.1524800703.txt.gz · Last modified: 2018/04/27 05:45 by klaus