MySQL Cluster Manager 8.4 supports TLS Link Encryption for NDB Cluster, which is available for NDB Cluster 8.3.0 and later. This section describes a few scenarios for using MySQL Cluster Manager to configure or manage TLS connections in an NDB Cluster.
Create a new cluster with TLS enabled on initial startup
Create a site, package, and a cluster with the desired configuration—see Section 4.4, “Setting Up MySQL NDB Clusters with MySQL Cluster Manager” for instructions. Then follow the steps for a basic or a user-defined setup.
Basic setup.
Create the CA and certificates for the cluster; this also
defines
--ndb-tls-search-path
for any managed process in the cluster:
mcm> create certs mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.56 sec)
Verify --ndb-tls-search-path
settings:
mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name | Value | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 1 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 2 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 146 | | | | |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 147 | | | | |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)
User-defined setup.
Set --ndb-tls-search-path
(the
command is split into multiple lines for easy reading only; it
should be entered in a single line):
mcm> set
ndb_tls_search_path:ndb_mgmd=/foo/mcm_data/clusters/mycluster/certs,
ndb_tls_search_path:ndbmtd=/foo/mcm_data/clusters/mycluster/certs,
ndb_tls_search_path:mysqld=/foo/mcm_data/clusters/mycluster/certs
mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (3.17 sec)
Ensure --ndb-tls-search-path
is
set correctly for all managed processes (and issue more
set
commands for corrections, if
needed):
mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name | Value | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 1 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 2 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 146 | | | | |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 147 | | | | |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)
For both kinds of setups, create CA and certificates for the cluster (notice that the certificates are only loaded once by the processes at startup):
mcm> create certs mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.56 sec)
Enable RequireTls
for
ndb_mgmd and datanodes with another
set
command.
mcm> set RequireTls:ndb_mgmd=true,RequireTls:ndbmtd=true mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (3.56 sec)
Optionally one may also enable
RequireCertificate
,
or set --ndb-mgm-tls mode
to
strict
:
mcm> set RequireCertificate:ndb_mgmd=true,RequireCertificate:ndbmtd=true mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (2.53 sec)
mcm> set ndb_mgm_tls:ndb_mgmd=strict,ndb_mgm_tls:ndbmtd=strict mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (2.39 sec)
Start the cluster:
mcm> start cluster mycluster;
+------------------------------+
| Command result |
+------------------------------+
| Cluster started successfully |
+------------------------------+
1 row in set (1 min 33.62 sec)
Cluster is now running with TLS enabled, required, and (optionally) with certificates required for peers, and in strict mode.
Enable TLS for an Existing Cluster
Assuming you have a cluster already created and started by MySQL Cluster Manager, follow these steps to enable TLS connections for it.
Ensure --ndb-tls-search-path
is
set correctly for all managed processes, and issue the needed
set
commands for corrections if
needed:
mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name | Value | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 1 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd | 2 | | | | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 146 | | | | |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld | 147 | | | | |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)
Create the CA and certificates for the cluster using MySQL Cluster Manager:
mcm> create certs mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.57 sec)
Restart the cluster so that processes load the certificates created (notice that the certificates are only loaded once by the processes at startup):
mcm> restart cluster mycluster;
+--------------------------------+
| Command result |
+--------------------------------+
| Cluster restarted successfully |
+--------------------------------+
1 row in set (1 min 38.09 sec)
Enable RequireTls
for
ndb_mgmd and datanodes with another
set
command:
mcm> set RequireTls:ndb_mgmd=true,RequireTls:ndbmtd=true mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 47.38 sec)
Cluster is now running with TLS enabled and required.
Optionally, one may also enable
RequireCertificate
,
or set either --ndb-mgm-tls
mode
to strict
:
mcm> set RequireCertificate:ndb_mgmd=true,RequireCertificate:ndbmtd=true mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 42.53 sec)
mcm> set ndb_mgm_tls:ndb_mgmd=strict,ndb_mgm_tls:ndbmtd=strict mycluster;
+-----------------------------------+
| Command result |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 48.13 sec)
Cluster is now running with TLS enabled, required, and (optionally) with certificates required for peers, and strict mode.