GBase 8a cluster SSL configuration, cluster-side part: generating the certificates and setting the server parameters.
Requirements
The encryption feature requires the openssl library to be installed on the system so that the openssl command can be run.
Generating the keys
On the cluster server, choose a directory for the SSL key material as needed; this page uses /usr/local/ssl as the example.
*If the ssl directory does not exist, create it by hand.
First generate the CA key and certificate; they will be used to sign both the server and the client certificate:
Enter the directory
$ cd /usr/local/ssl
Use the RSA asymmetric algorithm to generate the 2048-bit private key ca-key.pem. Although the page calls it the server key, it is the CA key: it is only used below to sign the server and client certificates and must be kept at least as carefully as server-key.pem.
$ openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
Generate the self-signed CA certificate ca-cert.pem
You will be prompted for Country Name and the other Distinguished Name fields. The example below fills every field with placeholder values; fill them in according to your own situation, with one constraint: the Common Name of the CA certificate should differ from the Common Name of the server and client certificates. The transcripts on this page use "1" everywhere, which makes each issued certificate's subject identical to its issuer's name; older OpenSSL versions then treat such a certificate as self-signed and reject it. The options used are:
req: creates and processes certificate requests in PKCS#10 format and can also produce self-signed certificates; used here to create the Root CA
-sha1: sign with SHA-1. SHA-1 signatures are deprecated and current OpenSSL builds refuse to verify them at their default security level, so use -sha256 on any new deployment
-nodes: do not encrypt the private key; the key file is written without a passphrase (the server has to read it unattended at startup, so protect it with file permissions instead)
-new: generate a new CSR; prompts for the information needed to build it
-x509: output a self-signed certificate instead of a CSR, i.e. the Root CA
-days: validity period of the self-signed certificate, default 30 days
-key: the private key file to use
$ openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:1
Locality Name (eg, city) [Default City]:1
Organization Name (eg, company) [Default Company Ltd]:1
Organizational Unit Name (eg, section) []:1
Common Name (eg, your name or your server's hostname) []:1
Email Address []:1
Generate the server key and certificate request
Fill in the same kind of information. The "A challenge password" prompt is a CSR attribute that nothing in this procedure uses and that does not protect the private key, so it can be left blank (the transcript enters 123456). Note also that -days has no effect when a CSR rather than an -x509 certificate is produced; the validity is set later, when the request is signed with openssl x509 -days.
-newkey rsa:bits: generate a new RSA private key of the given size together with a certificate request. The key is written to the file named by -keyout (privkey.pem if none is given); the request goes to the file named by -out or, when -out is omitted as here, to standard output, which is redirected into server-req.pem. Without -nodes you are additionally prompted for a passphrase for the key.
-keyout: file name for the new private key
$ openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
Generating a 2048 bit RSA private key
..........+++
...................+++
writing new private key to 'server-key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:1
Locality Name (eg, city) [Default City]:1
Organization Name (eg, company) [Default Company Ltd]:1
Organizational Unit Name (eg, section) []:1
Common Name (eg, your name or your server's hostname) []:1
Email Address []:1
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:1
Rewrite server-key.pem in traditional RSA PEM format
The key file is rewritten in place so that it uses the PKCS#1 encoding (it then begins with -----BEGIN RSA PRIVATE KEY-----), which older MySQL-protocol servers and clients require. Because the key was created with -nodes there is no passphrase to strip. On OpenSSL 3.x, openssl rsa writes PKCS#8 by default, so add -traditional there to obtain the legacy header.
-in filename: the private key to read
-out filename: where to write the converted key (here the same file)
$ openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
Generate server-cert.pem by signing the request with the CA
-set_serial n: serial number of the issued certificate. Every certificate issued by one CA must carry a unique serial number, so use a different value for the client certificate below (the transcripts on this page reuse 01).
$ openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Signature ok
subject=/C=11/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Getting CA Private Key
On the server, in the same directory, generate the client-side key and certificate:
Generate the key; enter the same kind of information as for the server (the Common Name should still differ from the CA's)
$ openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
Generating a 2048 bit RSA private key
...................+++
.........+++
writing new private key to 'client-key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:1
Locality Name (eg, city) [Default City]:1
Organization Name (eg, company) [Default Company Ltd]:1
Organizational Unit Name (eg, section) []:1
Common Name (eg, your name or your server's hostname) []:1
Email Address []:1
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:1
Rewrite client-key.pem in traditional RSA PEM format (same remarks as for server-key.pem above)
$ openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
Generate client-cert.pem. The transcript reuses -set_serial 01; use a different value such as -set_serial 02 so that the serial differs from the server certificate's.
$ openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Signature ok
subject=/C=11/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Getting CA Private Key
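The whole key-generation procedure above as one non-interactive script. This is an added example, not from the GBase documentation or the GBase tooling; the directory argument, the subject fields (C=CN, O=Example, CN=gbase-ca, gbase-server and gbase-client) and the function names are this example's own choices. It goes beyond the transcripts in three ways a current deployment needs: SHA-256 instead of SHA-1, Common Names that differ between CA, server and client, and a distinct serial for each issued certificate, and it finishes by verifying each issued certificate against ca-cert.pem the way a connecting client would.

```shell
#!/bin/sh
# Added example (not from the GBase manual): the key-generation steps above
# as one non-interactive script. Differences from the transcripts on this
# page: SHA-256 signatures instead of SHA-1, Common Names that differ between
# CA, server and client, and a distinct serial for each issued certificate.
# All subject fields (C=CN, O=Example, the CN values) are placeholders.
set -eu

# rewrite_key <file>: the "export as RSA type" step. OpenSSL 3 writes PKCS#8
# unless told otherwise, so pass -traditional when the installed version has it.
rewrite_key() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -traditional -in "$1" -out "$1" 2>/dev/null
    else
        openssl rsa -in "$1" -out "$1" 2>/dev/null
    fi
}

# gen_certs <dir>: write ca-*.pem, server-*.pem and client-*.pem into <dir>
gen_certs() {
    mkdir -p "$1"
    (
        umask 077          # every private key is created mode 0600
        cd "$1"

        # CA: 2048-bit key and a self-signed certificate valid 10 years
        openssl genrsa 2048 > ca-key.pem 2>/dev/null
        openssl req -sha256 -new -x509 -nodes -days 3650 -key ca-key.pem \
            -subj "/C=CN/O=Example/CN=gbase-ca" > ca-cert.pem 2>/dev/null

        # server: key + CSR, rewritten key, CSR signed by the CA with serial 01
        openssl req -sha256 -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "/C=CN/O=Example/CN=gbase-server" > server-req.pem 2>/dev/null
        rewrite_key server-key.pem
        openssl x509 -sha256 -req -in server-req.pem -days 730 \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem 2>/dev/null

        # client: same steps, different CN, serial 02 so it never collides
        openssl req -sha256 -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "/C=CN/O=Example/CN=gbase-client" > client-req.pem 2>/dev/null
        rewrite_key client-key.pem
        openssl x509 -sha256 -req -in client-req.pem -days 730 \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem 2>/dev/null
    )
}

# verify_chain <dir>: both issued certificates must validate against ca-cert.pem
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/ca-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# subject_differs <cert>: 0 if the certificate's subject is not its issuer's name
# (identical names, as in the all-"1" transcripts, make older OpenSSL treat the
# certificate as self-signed and reject it)
subject_differs() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" != "${i#issuer=}" ]
}

# cert_serial <cert>: prints "serial=NN"
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# usage: sh gen_gbase_ssl.sh /usr/local/ssl
if [ $# -gt 0 ]; then
    gen_certs "$1"
    if verify_chain "$1" && subject_differs "$1/server-cert.pem" \
                         && subject_differs "$1/client-cert.pem"; then
        echo "certificates in $1 chain to ca-cert.pem ($(cert_serial "$1/server-cert.pem"), $(cert_serial "$1/client-cert.pem"))"
    else
        echo "verification of certificates in $1 failed" >&2
        exit 1
    fi
fi
```

Run it as sh gen_gbase_ssl.sh /usr/local/ssl on the server, then copy client-key.pem, client-cert.pem and ca-cert.pem to the client hosts; ca-key.pem never needs to leave the machine (or the directory) where it was created.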
Server-side settings
Edit the cluster-layer configuration file gbase_8a_gcluster.cnf on the server and add the SSL settings to the [gbased] section, here for the path /usr/local/ssl; they are the three ssl-* lines in the file below. The files must be readable by the user that gbased runs as, and server-key.pem should be readable by nobody else (mode 0600).
$ vi /opt/gcluster/config/gbase_8a_gcluster.cnf
[client]
port=5258
socket=/tmp/gcluster_5258.sock
connect_timeout=43200
default-character-set=gbk
[gbased]
basedir = /opt/gcluster/server
datadir = /opt/gcluster/userdata/gcluster
socket=/tmp/gcluster_5258.sock
pid-file = /opt/gcluster/log/gcluster/gclusterd.pid
default-character-set=gbk
ssl-ca=/usr/local/ssl/ca-cert.pem
ssl-cert=/usr/local/ssl/server-cert.pem
ssl-key=/usr/local/ssl/server-key.pem
log-error
port=5258
core-file
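Before restarting, the three ssl-* settings can be checked from the shell so that a wrong path, a key that does not belong to the certificate, or a key readable by other users is caught now rather than after the restart. This is an added example, not GBase's own tooling; the function names are this example's, and it assumes the file uses the [gbased] section shown above, RSA keys, and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not part of the GBase manual): sanity-check the ssl-* lines
# of the [gbased] section before restarting gcware. Assumes RSA keys and the
# config layout shown above; function names are this example's own.
set -eu

# cnf_get <file> <section> <key>: print the value of key inside [section]
# (accepts "key=value" and "key = value", ignores # comments)
cnf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { secre = "^[ \t]*\\[" sec "\\][ \t]*$"; insec = ($0 ~ secre); next }
        insec {
            line = $0; sub(/#.*/, "", line)
            keyre = "^[ \t]*" key "[ \t]*="
            if (match(line, keyre)) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# key_matches_cert <key> <cert>: 0 if the RSA modulus of the key equals the cert's
key_matches_cert() {
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_mode_private <key>: 0 if the key is not group- or world-readable
# (GNU stat -c first, BSD stat -f as fallback)
key_mode_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_ssl_config <cnf>: 0 if the three files exist, the certificate chains
# to the CA, the key belongs to the certificate, and the key is private
check_ssl_config() {
    ca=$(cnf_get "$1" gbased ssl-ca)
    cert=$(cnf_get "$1" gbased ssl-cert)
    key=$(cnf_get "$1" gbased ssl-key)
    for f in "$ca" "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "ssl file missing or unreadable: '$f'" >&2; return 1
        fi
    done
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 1; }
    key_matches_cert "$key" "$cert" \
        || { echo "$key does not match $cert" >&2; return 1; }
    key_mode_private "$key" \
        || { echo "$key is readable by group/others; chmod 600 it" >&2; return 1; }
    echo "ssl settings in $1 look usable"
}

# usage: sh check_gbase_ssl.sh /opt/gcluster/config/gbase_8a_gcluster.cnf
if [ $# -gt 0 ]; then
    check_ssl_config "$1"
fi
```

Run it as the user gbased runs as; a readability failure under that user is exactly the condition that would leave SSL disabled after the restart.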
Check whether the configuration took effect
Restart the cluster service:
# service gcware restart
Log in to the cluster:
$ gccli -uroot -p
Enter password:
GBase client 8.6.1.1 build 65304. Copyright (c) 2004-2016, GBase. All Rights Reserved.
gbase>
Check the SSL status variables; when the configuration succeeded both show "YES". If have_ssl shows NO or DISABLED instead, the server could not load the files named by the ssl-* settings; check the paths, the file permissions and the error log.
gbase> show variables like 'have_%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (Elapsed: 00:00:00.00)