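南大通用 GBase 8a Cluster SSL Configuration: the gccli Client

  • Client configuration

Copy the ca-cert.pem, client-req.pem, client-key.pem and client-cert.pem files generated on the server to the /usr/local/tmp/ssl/ directory on the client (a different path, to distinguish it from the server side).

Edit the client's cluster-layer configuration file gbase_8a_gcluster.cnf and add the SSL settings under [client]. Using the path /usr/local/tmp/ssl/ as an example, the added settings are the ssl-ca, ssl-cert and ssl-key lines below: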

$ vi /opt/gcluster/config/gbase_8a_gcluster.cnf
[client]
port=5258
socket=/tmp/gcluster_5258.sock
connect_timeout=43200
default-character-set=gbk
ssl-ca=/usr/local/tmp/ssl/ca-cert.pem
ssl-cert=/usr/local/tmp/ssl/client-cert.pem
ssl-key=/usr/local/tmp/ssl/client-key.pem

[gbased]
basedir = /opt/gcluster/server
datadir = /opt/gcluster/userdata/gcluster
socket=/tmp/gcluster_5258.sock
pid-file = /opt/gcluster/log/gcluster/gclusterd.pid
default-character-set=gbk
log-error
port=5258
core-file

(14) Access the server remotely from the client, for example by logging in to the server at 192.168.134.131 as the user ssluser:

[gbase@localhost config]$ gccli -h192.168.134.131 -ussluser -p
Enter password:
GBase client 8.6.1.1 build 65111. Copyright (c) 2004-2016, GBase. All Rights Reserved.
gbase>

Run the status command. If the SSL line shows "Cipher in use", the SSL-encrypted connection succeeded:

gbase> status;
gccli Ver 14.14 Distrib 8.6.1.1, for unknown-linux-gnu (x86_64) using readline 6.0
Connection id: 13
Current database: information_schema
Current user: ssluser@192.168.134.132
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.6.1.1-65304
Protocol version: 10
Connection: 192.168.134.131 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 5258
Uptime: Elapsed: 25:24:49.00
Threads: 4 Questions: 40 Slow queries: 2 Opens: 17 Flush tables: 1 Open tables: 10 Queries per second avg: 0.0

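Note that if the client has not been configured as described above, it still connects to the server in the default way. In other words, from the cluster's point of view encrypted and unencrypted access are not mutually exclusive; they can be understood as two options.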
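Because a client without the ssl-* settings still connects, only unencrypted, it is worth checking both the [client] section and the status output rather than assuming the session is encrypted. The script below is an added example, not part of the original article or of GBase; the function names and the sample configuration are constructed for illustration, and the status excerpt reuses lines from the output shown above.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print the value of option $1 from the [client] section of a cnf read on stdin.
client_opt() {
  awk -v key="$1" '
    /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\][ \t]*$/); next }
    in_client {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# Print each ssl-* option missing from [client]; non-zero exit if any is missing.
missing_client_ssl() {
  cnf=$(cat); rc=0
  for k in ssl-ca ssl-cert ssl-key; do
    [ -n "$(printf '%s\n' "$cnf" | client_opt "$k")" ] || { echo "$k"; rc=1; }
  done
  return $rc
}

# Read `status` output on stdin: print the negotiated cipher, or fail when the
# SSL line reports no cipher (the session is not encrypted).
status_cipher() {
  awk -F'Cipher in use is ' '
    /^SSL:/ && NF > 1 { print $2; found = 1 }
    END { exit !found }'
}

# Constructed sample: ssl-key is absent from [client]; the one under [gbased]
# is a decoy that must not be counted as a client setting.
SAMPLE_CNF='[client]
port=5258
ssl-ca=/usr/local/tmp/ssl/ca-cert.pem
ssl-cert=/usr/local/tmp/ssl/client-cert.pem

[gbased]
ssl-key=/decoy/not-a-client-setting.pem'

# Excerpt of the status output shown in the article.
SAMPLE_STATUS='Current user: ssluser@192.168.134.132
SSL: Cipher in use is DHE-RSA-AES256-SHA
TCP port: 5258'

printf '%s\n' "$SAMPLE_CNF" | missing_client_ssl || echo "client SSL settings incomplete"
printf '%s\n' "$SAMPLE_STATUS" | status_cipher || echo "session is NOT encrypted"
```

To check a real client, redirect /opt/gcluster/config/gbase_8a_gcluster.cnf into missing_client_ssl and pipe saved status output into status_cipher.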