Your Web News in One Place

An Interest In:

Web News this Week

Search Archive

Some of Our Sources

View All Sources

Help Webnuz

Referal links:

Sign up for GreenGeeks web hosting
January 15, 2022 04:58 pm GMT

Easiest way to setup MySQL/MariaDB with TLS/SSL in 10 minutes- v10.5 - Any OS - Ubuntu Focal | Developer Tharun

MySQL/MariaDB setup

In this tutorial we will look at how to setup MariaDB/MySQL including SSL/TLS. This will enable the clients connecting with the MySQL server. We will add repository, install mariadb-server, generate certs, place them in the right folder, edit the configurations and test it.

Link to fetch the respective repository

Link to the MariaDB Downloads page

On the above page:

  1. Choose a distribution
  2. Choose a MariaDB Server version

Once you do this, you will be able to view the commands to install MariaDB Server on your system of any operating system ( OS ). In this tutorial I have chosen Ubuntu Focal ( 20.04 ) and a MariaDB Server version of 10.5

Add Apt Repositories

sudo apt-get install software-properties-common dirmngr apt-transport-httpssudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el,s390x] https://mirrors.aliyun.com/mariadb/repo/10.5/ubuntu focal main'sudo apt update

Install MariaDB server

sudo apt install mariadb-server-10.5

Setup root user

service mysql statusmysql_secure_installation # walk through the process with default options along with the new password when promptedroot@ubuntu-focal:/etc/mysql# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!In order to log into MariaDB to secure it, we'll need the currentpassword for the root user. If you've just installed MariaDB, andhaven't set the root password yet, you should just press enter here.Enter current password for root (enter for none): OK, successfully used password, moving on...Setting the root password or using the unix_socket ensures that nobodycan log into the MariaDB root user without the proper authorisation.Switch to unix_socket authentication [Y/n] YEnabled successfully!Reloading privilege tables.. ... Success!Change the root password? [Y/n] YNew password: <enter-new-password-here>Re-enter new password: <enter-new-password-here>Password updated successfully!Reloading privilege tables.. ... Success!By default, a MariaDB installation has an anonymous user, allowing anyoneto log into MariaDB without having to have a user account created forthem.  This is intended only for testing, and to make the installationgo a bit smoother.  You should remove them before moving into aproduction environment.Remove anonymous users? [Y/n] Y ... Success!Normally, root should only be allowed to connect from 'localhost'.  Thisensures that someone cannot guess at the root password from the network.Disallow root login remotely? [Y/n] Y ... Success!By default, MariaDB comes with a database named 'test' that anyone canaccess.  This is also intended only for testing, and should be removedbefore moving into a production environment.Remove test database and access to it? [Y/n] Y - Dropping test database... ... Success! - Removing privileges on test database... ... Success!Reloading the privilege tables will ensure that all changes made so farwill take effect immediately.Reload privilege tables now? [Y/n] Y ... Success!Cleaning up...All done!  If you've completed all of the above steps, your MariaDBinstallation should now be secure.Thanks for using MariaDB!

Login into MySQL

mysql -uroot -pEnter password: <enter-new-password-here>
Welcome to the MariaDB monitor.  Commands end with ; or \g.Your MariaDB connection id is 47Server version: 10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distributionCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]> select user,host from mysql.user;+-------------+-----------+| User        | Host      |+-------------+-----------+| root        | 127.0.0.1 || root        | ::1       || mariadb.sys | localhost || root        | localhost |+-------------+-----------+4 rows in set (0.004 sec)MariaDB [(none)]> CREATE USER 'vault'@'192.%' IDENTIFIED BY '2%r3o0u8jf@e8owh*hfeu^8f0';Query OK, 0 rows affected (0.001 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON vault.* TO 'vault'@'%';Query OK, 0 rows affected (0.002 sec)MariaDB [(none)]> select user,host from mysql.user;----------+-----------+| User        | Host      |+-------------+-----------+| vault       | %         || root        | 127.0.0.1 || root        | ::1       || mariadb.sys | localhost || root        | localhost |+-------------+-----------+5 rows in set (0.004 sec)

TLS Setup of MariaDB

We have setup MySQL/MariaDB above without TLS. For most of the setups the above would be sufficient. To take it to the next level, we will add TLS ability here such that the data transferred between the client and MySQL is encrypted and secure.

Generation of certificates

There are several ways to generate certificates. If you are at an organization, it probably has a standard way to generate a CA. You are free to go ahead and get the CA Cert, Server Cert and Server Key using that way. If not, follow the below steps. No Pre-requisites required.

Generate CA ( Certificate Authority ) Key and Certificates

mkdir ~/certscd ~/certs# generate CA Key with 4096 bitsopenssl genrsa -des3 -out ca.key 4096# generate CA pem from the ca.keyopenssl req -x509 -new -nodes -key ca.key -sha256 -days 900 -out ca.pem

How to make the operating system trust this self signed cert?

sudo apt-get install -y ca-certificates#Convert the ca.pem certificate to a ca.crt certificate file.openssl x509 -outform der -in ./ca.pem -out ./ca.crt#Copy the ca.crt file to the /usr/local/share/ca-certificates directory.sudo cp ./ca.crt /usr/local/share/ca-certificates#Update the certificate store.sudo update-ca-certificates

Generation of Server key and Server cert

We will generate server key and use it to generate a CSR ( Certificate Signing Request ). We will take this to the Certificate Authority and get it signed by the CA. Thus we will get the server cert. In this process we will also use the server extensions.

# Generate the server.keyopenssl genrsa -out server.key 2048# Generate the CSR and answer the questionsopenssl req -new -key server.key -out server.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:INState or Province Name (full name) [Some-State]:KALocality Name (eg, city) []:BlrOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Developer TharunOrganizational Unit Name (eg, section) []:Blog  Common Name (e.g. server FQDN or YOUR name) []:server-fqdn.server.environmentEmail Address []:[email protected] enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: <not mandatory, can be skipped, hit enter>An optional company name []: <not mandatory, can be skipped, hit enter># Add the below to a file# server.extauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentsubjectAltName = @alt_names[alt_names]DNS.1 = <mention the server FQDN># Create the cert using the Certificate Authority cert and keyopenssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \-CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext# Verify the cert generated using the ca# This way you will be able to verify that the server cert was created using this CAopenssl verify -CAfile ca.pem server.crtserver.crt: OK

Place the certs in the MySQL folder

# Create mysql certs foldermkdir /etc/mysql/certscp ~/certs/ca.pem ~/certs/server.crt ~/certs/server.key /etc/mysql/certschown -R mysql: /etc/mysql/certs

Configure MySQL Server

# Place the config in the below file# to override the configs in my.cnfvim /etc/mysql/mariadb.conf.d/50-server.cnf[mysqld]bind-address    = 0.0.0.0ssl_ca=/etc/mysql/certs/ca.pemssl_cert=/etc/mysql/certs/server.crtssl_key=/etc/mysql/certs/server.key

Restart MySQL

service mysql restart

We will be able to login without certificate too, as a root user. When we do this, the connection will not use SSL connection, the data will not be encrypted. Let's confirm that

mysql -uroot -p  # without any SSL/TLS encryption<Enter password>
MariaDB [(none)]> \s--------------mysql  Ver 15.1 Distrib 10.5.13-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2Connection id:          48Current database:Current user:           root@localhostSSL:                    Not in use  #<-----------------------Current pager:          stdoutUsing outfile:          ''Using delimiter:        ;Server:                 MariaDBServer version:         10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distributionProtocol version:       10Connection:             Localhost via UNIX socketServer characterset:    utf8mb4Db     characterset:    utf8mb4Client characterset:    utf8Conn.  characterset:    utf8UNIX socket:            /run/mysqld/mysqld.sockUptime:                 3 hours 43 min 54 secThreads: 3  Questions: 110  Slow queries: 0  Opens: 34  Open tables: 27  Queries per second avg: 0.008--------------

We can see above that SSL is not in use. Let us login using SSL abilities

mysql -p --ssl-ca=/etc/mysql/certs/ca.pem
MariaDB [(none)]> \s--------------mysql  Ver 15.1 Distrib 10.5.13-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2Connection id:          33Current database:Current user:           root@localhostSSL:                    Cipher in use is TLS_AES_256_GCM_SHA384Current pager:          stdoutUsing outfile:          ''Using delimiter:        ;Server:                 MariaDBServer version:         10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distributionProtocol version:       10Connection:             Localhost via UNIX socketServer characterset:    utf8mb4Db     characterset:    utf8mb4Client characterset:    utf8Conn.  characterset:    utf8UNIX socket:            /run/mysqld/mysqld.sockUptime:                 2 min 6 secThreads: 1  Questions: 68  Slow queries: 0  Opens: 32  Open tables: 25  Queries per second avg: 0.539--------------MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';+---------------------+-----------------------------+| Variable_name       | Value                       |+---------------------+-----------------------------+| have_openssl        | YES                         || have_ssl            | YES                         || ssl_ca              | /etc/mysql/certs/ca.pem     || ssl_capath          |                             || ssl_cert            | /etc/mysql/certs/server.crt || ssl_cipher          |                             || ssl_crl             |                             || ssl_crlpath         |                             || ssl_key             | /etc/mysql/certs/server.key || version_ssl_library | OpenSSL 1.1.1f  31 Mar 2020 |+---------------------+-----------------------------+10 rows in set (0.001 sec)

How to Force users to use SSL?

We saw that the root user had a choice to choose between SSL and non-SSL connection. But what if we wanted to force a user and require SSL connection else drop the connection. This is possible by creating the user with REQUIRE SSL.

MariaDB [(none)]> create user 'tharun'@'%' identified by 'xr7y(#$&*ox8r7#Y$xo87n' REQUIRE SSL; Query OK, 0 rows affected (0.004 sec)MariaDB [(none)]> show grants for 'tharun'@'%';+-------------------------------------------------------------------------------------------------------------------+| Grants for tharun@%  |+-------------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO `tharun`@`%` IDENTIFIED BY PASSWORD '*A5F8D7B95653CF24C6DC9628BC84B0B2FF89D9DF' REQUIRE SSL |+-------------------------------------------------------------------------------------------------------------------+1 row in set (0.000 sec)

The user has been created. Now exit out of MySQL prompt and login using the tharun user

root@ubuntu-focal:~/certs# mysql -utharun -pEnter password: ERROR 1045 (28000): Access denied for user 'tharun'@'localhost' (using password: YES)

We see that the user is not able to login without the ca.pem file. Here onwards the client will need the ca.pem file in order to connect to MySQL Server.

More trending articles on Hashicorp Vault:

What is Vault? Why do we need it?

developertharun

Hashicorp Vault | What & Why? | All you need to know about Vault | Secrets management for roadrunners

Tharun Shiv Jan 2 4 min read

#security #beginners #tutorial #devops

Set up a Vault Dev and Production server in 5 minutes:

developertharun

Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup

Tharun Shiv Jan 2 5 min read

#security #database #beginners #devops

You can find more articles here: https://dev.to/developertharun

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you


Original Link: https://dev.to/developertharun/easiest-way-to-setup-mysqlmariadb-with-tlsssl-in-10-minutes-v105-any-os-ubuntu-focal-developer-tharun-4okc

Share this article:    Share on Facebook
View Full Article

Dev To

An online community for sharing and discovering great ideas, having debates, and making friends

More About this Source Visit Dev To