MySQL Cluster Manager supports secure connections using TLS for the following:
The following options are used to configure the secure connections (see the option descriptions for details):
Enable and Disable Secure Connections. Secure connections can be enabled or disabled by configuring the relevant options in the [mcmd] section of the mcmd configuration file:
[mcmd]
ssl_key = /absolute/path/to/key
ssl_cert = relative/path/cert
ssl_ca = /path/to/ca_cert
The options can also be configured at the command line:
$> mcmd --mcmd.ssl_key=/absolute/path/to/key --mcmd.ssl_cert=relative/path/cert --mcmd.ssl_ca=/path/to/ca_cert
ssl_key and ssl_cert may specify the file name of the TLS key and certificate. Both absolute and relative paths are allowed; relative paths are resolved against the current working directory.
To enable or disable secure connections, stop all agents, reconfigure the secure connection options, and restart all agents.
Client Connections. With ssl_ca specified, mcmd enforces client certificate validation. The mcm client must then provide ssl_key and ssl_cert when connecting:
$> ./bin/mcmd --mcmd.ssl_key=/foo/server-key.pem --mcmd.ssl_cert=/foo/server-cert.pem --mcmd.ssl_ca=/foo/cacert.pem --mcmd.ssl_mode=REQUIRED
MySQL Cluster Manager 9.1.0 (64bit) started
$> ./bin/mcm --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 9.1.0 MySQL Cluster Manager
The client may also connect using --ssl-mode=VERIFY_CA and --ssl-ca=cacert.pem to validate the agent's certificate on the client side:
$> ./bin/mcm --ssl-mode=VERIFY_CA --ssl-ca=/foo/cacert.pem --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 9.1.0 MySQL Cluster Manager
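The two points above, that relative ssl_key/ssl_cert/ssl_ca paths are resolved against the working directory and that setting ssl_ca makes mcmd require client certificates, are easy to get wrong when agents are restarted from a different directory. The following is an added example, not code from MySQL Cluster Manager: it parses the [mcmd] section of a constructed configuration, resolves the file paths the way the text describes, and lists what an operator should check before restarting the agents. The sample paths, the working directory and the injectable exists() check are assumptions made for the example.

```python
import configparser
import posixpath

# Options that name files on disk; ssl_mode is a plain setting (see show settings --tls)
TLS_FILE_KEYS = ("ssl_key", "ssl_cert", "ssl_ca")

# Constructed sample config (not from a real deployment): the key uses an absolute
# path, the certificate a relative one, and ssl_ca is set.
SAMPLE_CONFIG = """\
[mcmd]
ssl_key = /etc/mcm/server-key.pem
ssl_cert = certs/server-cert.pem
ssl_ca = /etc/mcm/cacert.pem
"""


def parse_mcmd_tls(config_text):
    """Return the TLS-related options found in the [mcmd] section as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    if not cp.has_section("mcmd"):
        return {}
    section = cp["mcmd"]
    wanted = TLS_FILE_KEYS + ("ssl_mode",)
    return {key: section[key].strip() for key in wanted if key in section}


def resolve_tls_paths(options, cwd):
    """Resolve configured file paths as the page describes: relative paths are
    taken relative to the working directory the agent is started from.
    posixpath is used so the result is the same on every platform."""
    return {
        key: posixpath.normpath(posixpath.join(cwd, options[key]))
        for key in TLS_FILE_KEYS
        if key in options
    }


def check_tls_config(config_text, cwd, exists=posixpath.exists):
    """Return a list of findings for the [mcmd] TLS settings (empty = nothing to flag).

    `exists` is injectable so the check runs against a constructed config
    without real certificate files on disk."""
    options = parse_mcmd_tls(config_text)
    findings = []
    if not options:
        findings.append("no TLS options in [mcmd]; agent connections do not use TLS")
        return findings
    # A key is only useful together with its certificate and vice versa.
    if ("ssl_key" in options) != ("ssl_cert" in options):
        findings.append("ssl_key and ssl_cert must be configured together")
    # Relative paths silently change meaning if mcmd is started from elsewhere.
    for key in TLS_FILE_KEYS:
        if key in options and not posixpath.isabs(options[key]):
            findings.append(
                f"{key} is a relative path; it resolves against the agent's "
                f"working directory ({cwd}), so start mcmd from there"
            )
    for key, path in resolve_tls_paths(options, cwd).items():
        if not exists(path):
            findings.append(f"{key}: no file at {path}")
    # ssl_ca turns on client certificate validation on the agent side.
    if "ssl_ca" in options:
        findings.append(
            "ssl_ca is set, so mcmd validates client certificates: every mcm "
            "client must connect with --ssl-key and --ssl-cert"
        )
    if options.get("ssl_mode", "").upper() == "DISABLED" and "ssl_key" in options:
        findings.append("ssl_key/ssl_cert are configured but ssl_mode = DISABLED")
    return findings


if __name__ == "__main__":
    # exists=lambda p: True because the sample files are constructed, not real
    for line in check_tls_config(SAMPLE_CONFIG, "/opt/mcm", exists=lambda p: True):
        print("-", line)
```

Run it from the directory you intend to start mcmd in; the relative-path finding then reports exactly the directory the agent would use, which is the value to compare against the cwd row of show status after the restart.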
Information on Secure Connections. The show settings command has a --tls option that shows the TLS-specific settings:
$> ./mcm -e 'show settings --tls'
+---------+------------+----------+
| Section | Key        | Value    |
+---------+------------+----------+
| mcmd    | ssl_ca     |          |
| mcmd    | ssl_cert   |          |
| mcmd    | ssl_cipher |          |
| mcmd    | ssl_key    |          |
| mcmd    | ssl_mode   | DISABLED |
+---------+------------+----------+
The show variables command shows the supported TLS versions and the supported SSL ciphers:
$> ./mcm -e 'show variables'
+--------------------------+---------------------------+
| Variable_name            | Value                     |
+--------------------------+---------------------------+
| auto_increment_increment | 1                         |
| character_set_client     | latin1                    |
| ssl_cipher_list          | LIST-OF-SUPPORTED-CIPHERS |
| tls_version_list         | TLSv1.2,TLSv1.3           |
+--------------------------+---------------------------+
The show status command, used with no operands, shows runtime information about the connected mcmd, including the TLS version and the cipher in use:
$> ./mcm -e 'show status'
+--------------+------------------------------------+
| Property     | Value                              |
+--------------+------------------------------------+
| agent number | 1                                  |
| cwd          | /path/to/current/working/directory |
| max_msg_id   | 234                                |
| max_synode   | {1a2b3c4d 0 234}                   |
| ssl_cipher   | ECDCH-THE-CIPHER-NAME              |
| tls_version  | TLSv1.3                            |
| uptime       | 45                                 |
| version      | 9.1.0                              |
+--------------+------------------------------------+