7.2 Installing SSL Certificates

Important

The self-signed certificates generated by the MySQL Enterprise Monitor installation or upgrade process are set to expire after 365 days. If you run MySQL Enterprise Service Manager with the default certificates for more than a year, you must generate new certificates; if you do not, the SSL connection between MySQL Enterprise Service Manager and the repository fails. This section describes how to generate these certificates.

These instructions guide you through the process of installing SSL certificates for your MySQL Enterprise Monitor installation.

Checking the Keystore

All certificates and keys are stored in the Tomcat keystore. To check the certificates stored in the keystore, run the following command:

keytool -keystore $INSTALL_ROOT/apache-tomcat/conf/keystore -list -v
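Because the default certificates expire after 365 days and an expired entry silently breaks the Service Manager to repository connection, the listing printed by the keytool command above is worth checking on a schedule rather than by eye. The following script is an added example and is not part of the MySQL Enterprise Monitor documentation: it parses "keytool -list -v" output, reports every entry as expired, expiring within a warning window, or ok, and flags certificates signed with MD5 or SHA-1. The sample listing embedded in it is constructed for the example (aliases, names and dates are invented), and the warning window of 30 days is an assumption.

```python
"""Audit a "keytool -list -v" listing for expired, expiring and weakly
signed certificates. Added example, not part of the MySQL Enterprise
Monitor documentation. The listing below is constructed for the example."""
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample in "keytool -list -v" format (not real keystore output).
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: tomcat
Creation date: Jan 29, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=monitor.example.internal, O=Example, C=SE
Issuer: CN=monitor.example.internal, O=Example, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Sat Jan 29 12:56:49 CET 2011
Signature algorithm name: MD5withRSA
Version: 3

*******************************************

Alias name: repository-ca
Entry type: trustedCertEntry
Owner: CN=Repository CA, O=Example, C=SE
Issuer: CN=Repository CA, O=Example, C=SE
Valid from: Mon Mar 15 12:00:00 CET 2010 until: Tue Mar 15 12:00:00 CET 2011
Signature algorithm name: SHA256withRSA

*******************************************

Alias name: ldapssl
Entry type: trustedCertEntry
Owner: CN=LDAP Root CA, O=Example, C=SE
Issuer: CN=LDAP Root CA, O=Example, C=SE
Valid from: Tue Feb 1 12:00:00 CET 2011 until: Wed Jan 29 12:00:00 CET 2020
Signature algorithm name: SHA256withRSA
"""

WEAK_SIGNATURE_PREFIXES = ("MD5", "SHA1")
ENTRY_SPLIT = re.compile(r"^Alias name: ", re.MULTILINE)
VALIDITY_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)
SIGNATURE_RE = re.compile(r"^\s*Signature algorithm name: (\S+)", re.MULTILINE)
# "Fri Jan 29 12:56:49 CET 2010": weekday, month/day/time, zone, year.
KEYTOOL_DATE_RE = re.compile(
    r"^[A-Za-z]{3} ([A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$")


def parse_keytool_date(text):
    """keytool prints local time with a zone abbreviation that strptime cannot
    map reliably, so the zone token is dropped and the value is kept naive."""
    m = KEYTOOL_DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")


def audit_keystore_listing(listing, now=None, warn_days=30):
    """One record per entry. For a PrivateKeyEntry with a chain the first
    "Valid from" line is Certificate[1], the entry's own certificate, which is
    the one whose expiry breaks the SSL connection. `now` may be an ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    records = []
    for chunk in ENTRY_SPLIT.split(listing)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        validity = VALIDITY_RE.search(chunk)
        if validity is None:  # e.g. a SecretKeyEntry carries no certificate
            records.append({"alias": alias, "status": "no-certificate", "days_left": None,
                            "sig_alg": None, "weak_signature": False})
            continue
        days_left = (parse_keytool_date(validity.group(2)) - now).days
        status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        sig = SIGNATURE_RE.search(chunk)
        sig_alg = sig.group(1) if sig else "unknown"
        records.append({"alias": alias, "status": status, "days_left": days_left,
                        "sig_alg": sig_alg,
                        "weak_signature": sig_alg.upper().startswith(WEAK_SIGNATURE_PREFIXES)})
    return records


def list_keystore(keystore_path, keytool="keytool"):
    """Run keytool on a real keystore; it prompts for the store password on stderr."""
    return subprocess.run([keytool, "-keystore", keystore_path, "-list", "-v"],
                          stdout=subprocess.PIPE, text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: python audit_keystore.py [$INSTALL_ROOT/apache-tomcat/conf/keystore]
    listing = list_keystore(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for rec in audit_keystore_listing(listing):
        flag = " WEAK-SIGNATURE" if rec["weak_signature"] else ""
        print(f"{rec['alias']:<16} {rec['status']:<14} days_left={rec['days_left']} "
              f"sig={rec['sig_alg']}{flag}")
```

Run it with no argument to audit the constructed sample, or with the path of the Tomcat keystore to audit the real one. Against the sample, evaluated on 2011-03-01, the tomcat entry is reported expired and MD5-signed, the repository-ca entry is reported as expiring in 14 days, and the ldapssl entry is ok; an expired or expiring entry is the cue to run the config utility's renew or import steps described further on.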

Generating the Keystore, Key, and Certificate

For all certificate-related activities, it is recommended that you use the MySQL Enterprise Monitor configuration utility. For more information, see Chapter 10, Configuration Utility.

To generate the certificate and add it to the default keystore, run the following command with the MySQL Enterprise Monitor configuration utility:

  config --renew

This regenerates the self-signed certificate. If the certificate is not self-signed, an error is displayed.

MySQL Enterprise Service Manager SSL Import

To install an SSL certificate for MySQL Enterprise Service Manager, use the MySQL Enterprise Monitor configuration utility to import the certificate into the keystore.

To import your certificate, run the following command:

  config --import-certificate=/path/to/client.crt

To import an existing certificate and key, run the following command:

  config --import-certificate=/path/to/client.crt --import-key=/path/to/client.key

Restart the Service Manager. For more information on stopping and starting the Service Manager, see the instructions for Unix/macOS or Microsoft Windows.

SSL for the Repository

For information on SSL and MySQL Server, see Creating SSL and RSA Certificates and Keys.

MySQL Enterprise Monitor Agent

To configure SSL-related options for the Agent, the following values may be placed in $INSTALL_ROOT/etc/bootstrap.properties:

Table 7.1 Agent SSL Configuration Options

Parameter: ssl-verify-hostnames
Description:
    Values: True or False (default).
    Applies to: SSL connection between service manager and agent.
    Verify that the hostname of the service manager that the agent is connected to matches what is in the SSL certificate.

Parameter: ssl-allow-self-signed-certs
Description:
    Values: True (default) or False.
    Applies to: SSL connection between agent and MySQL instance.
    If set to true, self-signed certificates are permitted. If set to false, self-signed certificates are not permitted.

Parameter: ssl-ca-keystore-path
Description:
    Values: String
    Applies to: SSL connection between agent and MySQL instance.
    Path to the keystore with CA cert(s), if ssl-allow-self-signed-certs is true. This path must be defined as a URL. For example:

    file:///Applications/mysql/enterprise/agent/etc/mykeystore

Parameter: ssl-ca-keystore-password
Description:
    Values: String
    Applies to: SSL connection between agent and MySQL instance.
    Password for the CA keystore, if ssl-allow-self-signed-certs is true.


An example SSL configuration section of bootstrap.properties:

ssl-verify-hostname=false
ssl-allow-self-signed-certs=true
ssl-ca-keystore-path=file:///Applications/mysql/enterprise/agent/etc/mykeystore
ssl-ca-keystore-password=password123
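Read as a security configuration, the example section above is the permissive form: hostname verification towards the service manager is off and self-signed certificates from monitored instances are accepted, which together mean the agent does not authenticate either peer's certificate. The script below is an added example, not part of the MySQL Enterprise Monitor documentation: it reads a bootstrap.properties file with a minimal java.util.Properties parser, reports the weak settings (treating an absent key as the default the table gives, since the default is itself the weak value), checks that ssl-ca-keystore-path is a file:// URL as the table requires, and emits the hardened form. Folding the two spellings seen on this page, ssl-verify-hostnames in the table and ssl-verify-hostname in the example, onto one key is an assumption made here; check which spelling your agent version accepts. The embedded properties text is a constructed copy of the example and the password in it is not a real credential.

```python
"""Audit the SSL settings of an agent bootstrap.properties file.
Added example, not part of the MySQL Enterprise Monitor documentation."""
import re
import sys
from urllib.parse import urlparse

# Constructed copy of the page's example section (the password is not a real credential).
EXAMPLE_PROPERTIES = """\
# agent <-> service manager
ssl-verify-hostname=false
# agent <-> monitored MySQL instances
ssl-allow-self-signed-certs=true
ssl-ca-keystore-path=file:///Applications/mysql/enterprise/agent/etc/mykeystore
ssl-ca-keystore-password=password123
"""

# Assumption: the table's "ssl-verify-hostnames" and the example's
# "ssl-verify-hostname" name the same setting; both are folded to one key.
KEY_ALIASES = {"ssl-verify-hostnames": "ssl-verify-hostname"}

# key -> (default per the table, weak value, strict value, what the weak value means)
SSL_BOOLEANS = {
    "ssl-verify-hostname": ("false", "false", "true",
        "agent does not check the service manager's certificate against its hostname"),
    "ssl-allow-self-signed-certs": ("true", "true", "false",
        "agent accepts self-signed certificates from monitored MySQL instances"),
}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' comments, '=' or ':'
    separators, backslash line continuations. Values are kept as written."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[KEY_ALIASES.get(m.group(1), m.group(1))] = m.group(2)
    return props


def audit_ssl_settings(props):
    """Return (key, finding) pairs for weak or malformed SSL settings."""
    findings = []
    for key, (default, weak, strict, meaning) in SSL_BOOLEANS.items():
        value = props.get(key, default).strip().lower()
        if value == weak:
            origin = "absent, default applies" if key not in props else f"set to {weak}"
            findings.append((key, f"{origin}: {meaning}; set {key}={strict}"))
    path = props.get("ssl-ca-keystore-path")
    if path is not None:
        if urlparse(path).scheme != "file":
            findings.append(("ssl-ca-keystore-path",
                             "must be a URL such as file:///path/to/keystore"))
        if not props.get("ssl-ca-keystore-password"):
            findings.append(("ssl-ca-keystore-password",
                             "keystore path is set but no keystore password is given"))
    return findings


def harden(props):
    """Copy of the settings with both boolean options at their strict values."""
    fixed = dict(props)
    for key, (_default, _weak, strict, _meaning) in SSL_BOOLEANS.items():
        fixed[key] = strict
    return fixed


def render_properties(props):
    return "".join(f"{key}={value}\n" for key, value in props.items())


if __name__ == "__main__":
    # Usage: python audit_bootstrap.py [$INSTALL_ROOT/etc/bootstrap.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXAMPLE_PROPERTIES
    props = parse_properties(text)
    for key, finding in audit_ssl_settings(props) or [("-", "no findings")]:
        print(f"{key}: {finding}")
    print("\nhardened section:\n" + render_properties(harden(props)))
```

Against the example section the audit reports both boolean settings; after hardening it reports nothing, because the keystore path is already a file:// URL and a password is present. Before switching ssl-allow-self-signed-certs to false on a live agent, confirm that the monitored instances present certificates the agent can verify, otherwise monitoring of those instances stops rather than becoming safer.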

To import a CA certificate in PEM format to a new keystore on the Agent, execute the following:

$INSTALL_ROOT/java/bin/keytool -import -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $INSTALL_ROOT/etc/cacerts

The tool responds with the certificate details. For example:

Enter keystore password:  (the keystore requires at least a 6 character password)
Re-enter new password:

Owner: CN=serverName.com, O=MySQL AB, ST=Uppsala, C=SE
Issuer: O=MySQL AB, L=Uppsala, ST=Uppsala, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Wed Jan 28 12:56:49 CET 2015
Certificate fingerprints:
     MD5:  E5:FB:56:76:78:B1:0C:D7:B0:80:9F:65:06:3E:48:3E
     SHA1: 87:59:80:28:CE:15:EF:7E:F1:75:4B:76:77:5E:64:EA:B7:1D:D1:18
     SHA256: F4:0B:79:52:CF:F3:A1:A4:7F:B2:D7:C1:65:60:F0:80:93:87:D2:68:9A:A1:
             84:F4:06:6E:8E:CF:C1:F6:1B:52
     Signature algorithm name: MD5withRSA
     Version: 1
Trust this certificate? [no]: (type yes + enter)
Certificate was added to keystore

You must edit the ssl-ca-* configuration values in bootstrap.properties accordingly, to use the path to the keystore and password.

Note

The connection between the agent and service manager is also an SSL connection.

LDAP SSL Configuration

SSL configuration for LDAP is configured at the MySQL Enterprise Service Manager Java VM level. That is, it is configured in the keystore of the Java VM bundled with your MySQL Enterprise Monitor installation.

Important

The JVM shipped with MySQL Enterprise Service Manager does not support the AES256 cipher. This can prevent you from using LDAP servers which implement that cipher.

To connect to LDAP servers which implement the AES256 cipher, you must download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 package. This package is available from: Java Cryptography Extension.

The steps described in this section assume your LDAP server is correctly configured and you have a root CA certificate which was used to generate the LDAP server's certificate.

To enable SSL for LDAP and MySQL Enterprise Service Manager, you must do the following:

  1. If necessary, convert the LDAP server's root CA certificate from PEM format to DER format. If the CA certificate is already in DER format, continue with the next step.

      openssl x509 -in cacert.pem -inform PEM -out ~/cacert.der -outform DER

  2. Import the DER-format CA certificate into the MySQL Enterprise Service Manager Java keystore. Run the following command from the bin directory of the Java installation bundled with MySQL Enterprise Service Manager:

      keytool -import -trustcacerts -alias ldapssl -file ~/cacert.der -keystore lib/security/cacerts

  3. Restart MySQL Enterprise Service Manager with the following command:

      mysql/enterprise/monitor/mysqlmonitorctl.sh restart
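The three steps above, carried out as one script, as an added example that is not part of the MySQL Enterprise Monitor documentation. Step 1 is done in Python rather than with openssl: the certificate is accepted in either PEM or DER form, so the "already DER" case needs no separate path, and the result is checked to be a single DER SEQUENCE whose declared length matches the data, which catches a truncated or mis-converted file before it reaches the truststore. Step 2 builds the same keytool command as the procedure, with the truststore located as lib/security/cacerts under the JVM directory as the page describes and the alias ldapssl from the page; keytool itself is still run as an external command and prompts for the truststore password. The JVM directory passed on the command line is a placeholder, and the sample certificate bytes embedded in the script are constructed, valid DER but not a real certificate.

```python
"""Convert an LDAP root CA certificate to DER and import it into the Service
Manager JVM truststore. Added example, not part of the MySQL Enterprise
Monitor documentation; the sample bytes below are constructed."""
import argparse
import base64
import os
import re
import shutil
import subprocess
import tempfile

PEM_CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed DER blob: SEQUENCE { INTEGER 1 }. Valid DER, not a certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_total_length(der):
    """Total length the outer SEQUENCE claims, from its tag and length octets."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(data):
    """Step 1: return the DER bytes of a certificate given as PEM or DER."""
    m = PEM_CERT_BLOCK.search(data)
    if m:  # PEM: base64 between the markers, whitespace removed
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:  # no PEM markers: treat the input as DER already
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("outer SEQUENCE length does not match the data length")
    return der


def keytool_import_argv(der_path, java_home, alias="ldapssl"):
    """Step 2: the keytool command from the procedure, with absolute paths
    so it does not depend on the working directory."""
    keytool = os.path.join(java_home, "bin", "keytool")
    keystore = os.path.join(java_home, "lib", "security", "cacerts")
    return [keytool, "-import", "-trustcacerts", "-alias", alias,
            "-file", der_path, "-keystore", keystore]


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("cacert", help="LDAP root CA certificate, PEM or DER")
    ap.add_argument("--java-home", required=True,
                    help="JVM bundled with MySQL Enterprise Service Manager (placeholder path)")
    ap.add_argument("--alias", default="ldapssl")
    args = ap.parse_args()
    with open(args.cacert, "rb") as fh:
        der = to_der(fh.read())
    fd, der_path = tempfile.mkstemp(suffix=".der")
    with os.fdopen(fd, "wb") as out:
        out.write(der)
    argv = keytool_import_argv(der_path, args.java_home, args.alias)
    if shutil.which(argv[0]) is None:
        print("keytool not found; run manually:", " ".join(argv))
        return
    subprocess.run(argv, check=True)  # keytool prompts for the truststore password
    print("imported; step 3: restart MySQL Enterprise Service Manager")


if __name__ == "__main__":
    main()
```

Usage: `python import_ldap_ca.py cacert.pem --java-home /path/to/service-manager/java`, followed by the restart in step 3. The length check is deliberately minimal: it proves the file is one well-formed DER object, not that it is a certificate or the right one, so still compare the Owner and fingerprint keytool prints at the "Trust this certificate?" prompt with the values your LDAP administrator gave you before answering yes.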