
4.11 Using TLS Connections for NDB Clusters

MySQL Cluster Manager 9.1 supports TLS Link Encryption for NDB Cluster, which is available for NDB Cluster 8.3.0 and later. This section describes a few scenarios for using MySQL Cluster Manager to configure or manage TLS connections in an NDB Cluster.

Create a new cluster with TLS enabled on initial startup

Create a site, a package, and a cluster with the desired configuration (see Section 4.4, “Setting Up MySQL NDB Clusters with MySQL Cluster Manager” for instructions). Then follow the steps for either a basic or a user-defined setup.

Basic setup.  Create the CA and certificates for the cluster; this also defines --ndb-tls-search-path for any managed process in the cluster:

mcm> create certs mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.56 sec)

Verify --ndb-tls-search-path settings:

mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name                | Value                                  | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment      |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145     |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 1       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 2       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 146     |          |         |       |              |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 147     |          |         |       |              |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)

User-defined setup.  Set --ndb-tls-search-path for each process type (the command is split across multiple lines here for readability only; enter it on a single line):

mcm> set
     ndb_tls_search_path:ndb_mgmd=/foo/mcm_data/clusters/mycluster/certs,
     ndb_tls_search_path:ndbmtd=/foo/mcm_data/clusters/mycluster/certs,
     ndb_tls_search_path:mysqld=/foo/mcm_data/clusters/mycluster/certs
     mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (3.17 sec)

Ensure --ndb-tls-search-path is set correctly for all managed processes (and issue more set commands for corrections, if needed):

mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name                | Value                                  | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment      |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145     |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 1       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 2       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 146     |          |         |       |              |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 147     |          |         |       |              |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)

For both kinds of setup, the CA and certificates must be created for the cluster before it is started (in the basic setup, this was already done by the create certs command above). Notice that processes load the certificates only once, at startup:

mcm> create certs mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.56 sec)

Enable RequireTls for ndb_mgmd and the data nodes with another set command:

mcm> set RequireTls:ndb_mgmd=true,RequireTls:ndbmtd=true mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (3.56 sec)

Optionally, you can also enable RequireCertificate, or set the --ndb-mgm-tls mode to strict:

mcm> set RequireCertificate:ndb_mgmd=true,RequireCertificate:ndbmtd=true mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (2.53 sec)

mcm> set ndb_mgm_tls:ndb_mgmd=strict,ndb_mgm_tls:ndbmtd=strict mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (2.39 sec)

Start the cluster:

mcm> start cluster mycluster;
+------------------------------+
| Command result               |
+------------------------------+
| Cluster started successfully |
+------------------------------+
1 row in set (1 min 33.62 sec)

The cluster is now running with TLS enabled and required and, if the optional steps were taken, with certificates required for peers and --ndb-mgm-tls in strict mode.

Enable TLS for an Existing Cluster

Assuming you have a cluster already created and started by MySQL Cluster Manager, follow these steps to enable TLS connections for it.

Ensure --ndb-tls-search-path is set correctly for all managed processes, and issue set commands to correct any process for which it is missing or wrong:

mcm> get -d ndb-tls*: mycluster;
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name                | Value                                  | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment      |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145     |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 1       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 2       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 146     |          |         |       |              |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 147     |          |         |       |              |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)
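Checking the get -d ndb-tls*: output by eye is fine for five processes, but the verification step (here and in the user-defined setup above) is easy to script. The following added Python example, which is not part of MySQL Cluster Manager, parses the mcm result table and reports any managed process whose ndb_tls_search_path is unset or differs from the others. The sample table and the expected node list are constructed for the example; one mysqld row is deliberately left blank to show what a misconfigured process looks like.

```python
# Constructed sample of `get -d ndb-tls*: mycluster` output, modelled on the
# table shown above; the mysqld 147 row is given no value on purpose.
SAMPLE_OUTPUT = """\
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| Name                | Value                                  | Process1 | NodeId1 | Process2 | NodeId2 | Level | Comment      |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndb_mgmd | 145     |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 1       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | ndbmtd   | 2       |          |         |       | Command Line |
| ndb_tls_search_path | /foo/mcm_data/clusters/mycluster/certs | mysqld   | 146     |          |         |       |              |
| ndb_tls_search_path |                                        | mysqld   | 147     |          |         |       |              |
+---------------------+----------------------------------------+----------+---------+----------+---------+-------+--------------+
5 rows in set (0.10 sec)
"""

# (process type, node id) pairs the cluster is expected to manage; assumed
# here from the table above, a real check would take them from `show status -r`.
EXPECTED_NODES = [("ndb_mgmd", "145"), ("ndbmtd", "1"), ("ndbmtd", "2"),
                  ("mysqld", "146"), ("mysqld", "147")]


def parse_mcm_table(text):
    """Parse the ASCII result table printed by the mcm client into dicts keyed by column name."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    return [dict(zip(header, (cell.strip() for cell in row.strip("|").split("|"))))
            for row in rows[1:]]


def check_tls_search_path(text, expected_nodes):
    """Return (ok, problems): every expected node needs a non-empty
    ndb_tls_search_path, and all processes should point at the same directory."""
    found = {}
    for row in parse_mcm_table(text):
        if row["Name"] == "ndb_tls_search_path":
            found[(row["Process1"], row["NodeId1"])] = row["Value"]
    problems = []
    for process, node_id in expected_nodes:
        if not found.get((process, node_id)):
            problems.append(f"{process} node {node_id}: ndb_tls_search_path not set")
    paths = {value for value in found.values() if value}
    if len(paths) > 1:
        problems.append(f"processes disagree on the search path: {sorted(paths)}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_tls_search_path(SAMPLE_OUTPUT, EXPECTED_NODES)
    print("OK" if ok else "\n".join(problems))
```

Any process reported here needs a further set command for its ndb_tls_search_path before create certs and the restart, since a node without the path cannot find the certificates at startup.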

Create the CA and certificates for the cluster using MySQL Cluster Manager:

mcm> create certs mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Certificates created successfully |
+-----------------------------------+
1 row in set (8.57 sec)

Restart the cluster so that the processes load the newly created certificates (notice that processes load the certificates only once, at startup):

mcm> restart cluster mycluster;
+--------------------------------+
| Command result                 |
+--------------------------------+
| Cluster restarted successfully |
+--------------------------------+
1 row in set (1 min 38.09 sec)

Enable RequireTls for ndb_mgmd and the data nodes with another set command:

mcm> set RequireTls:ndb_mgmd=true,RequireTls:ndbmtd=true mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 47.38 sec)

The cluster is now running with TLS enabled and required.

Optionally, you can also enable RequireCertificate, or set the --ndb-mgm-tls mode to strict:

mcm> set RequireCertificate:ndb_mgmd=true,RequireCertificate:ndbmtd=true mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 42.53 sec)

mcm> set ndb_mgm_tls:ndb_mgmd=strict,ndb_mgm_tls:ndbmtd=strict mycluster;
+-----------------------------------+
| Command result                    |
+-----------------------------------+
| Cluster reconfigured successfully |
+-----------------------------------+
1 row in set (1 min 48.13 sec)

The cluster is now running with TLS enabled and required and, if the optional steps were taken, with certificates required for peers and --ndb-mgm-tls in strict mode.