
4.10 Using Encrypted Connections for MySQL Cluster Manager Agents and Clients

MySQL Cluster Manager supports secure connections using TLS for the following:

  • mcm client and mcmd agent connections

  • mcmd agent and mysqld node connections

  • connections between mcmd agents

The following options configure the secure connections (see the option descriptions for details): on the agent side, the mcmd options ssl_ca, ssl_cert, ssl_cipher, ssl_key, and ssl_mode; on the client side, the mcm options --ssl-ca, --ssl-cert, --ssl-key, and --ssl-mode.

Enable and Disable Secure Connections.  Secure connections are enabled or disabled by setting the relevant options in the [mcmd] section of the mcmd configuration file:

[mcmd]
ssl_key = /absolute/path/to/key
ssl_cert = relative/path/cert
ssl_ca = /path/to/ca_cert

The options can also be configured at the command line:

$> mcmd --mcmd.ssl_key=/absolute/path/to/key --mcmd.ssl_cert=relative/path/cert --mcmd.ssl_ca=/path/to/ca_cert

ssl_key and ssl_cert specify the file names of the TLS private key and certificate. Both absolute and relative paths are allowed; a relative path is resolved against the working directory from which mcmd is started, so it can point at a different file (or at nothing) depending on how the agent is launched. Absolute paths are the safer choice, and the key file should be readable only by the account that runs mcmd.

These options are read only when an agent starts. To enable or disable secure connections, stop all agents, change the secure connection options, and then restart all agents.
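Because a mistake in these options only shows up after every agent has been stopped, it is worth checking the file before the restart. The following pre-flight check is an added example and not part of MySQL Cluster Manager: it reads the key = value lines under [mcmd] with configparser, resolves relative paths against the directory mcmd will be started from (as mcmd does), confirms the files exist, warns about a key file readable by other users, and uses Python's ssl module to confirm that ssl_cert and ssl_key belong together and that ssl_ca loads. The finding codes, the file name mcmd.ini and the sample configuration it writes are this example's own.

```python
"""Pre-flight check of the [mcmd] TLS options, to run before the agents are
stopped and restarted.  Added example, not part of MySQL Cluster Manager:
it reads the key = value lines under [mcmd] with configparser and reports
conditions that would make the restart fail or leave a weaker setup than
intended.  The finding codes and checks are this example's own."""
import configparser
import os
import ssl
import stat
import tempfile

TLS_FILES = ("ssl_key", "ssl_cert", "ssl_ca")


def check_mcmd_tls(config_path, cwd=None):
    """Return (code, message) findings for the TLS options in config_path.
    Relative paths are resolved against cwd, which must be the directory
    mcmd will be started from, because that is how mcmd resolves them."""
    cwd = cwd or os.getcwd()
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    if "mcmd" not in cfg:
        return [("no-section", f"no [mcmd] section in {config_path}")]
    mcmd = cfg["mcmd"]
    findings, resolved = [], {}
    for key in TLS_FILES:
        value = mcmd.get(key, "").strip()
        if not value:
            if key == "ssl_ca":
                findings.append(("no-ssl-ca", "ssl_ca unset: client certificates will not be validated"))
            else:
                findings.append(("missing", f"{key} is not set"))
            continue
        if not os.path.isabs(value):
            findings.append(("relative-path", f"{key}={value} depends on the start directory {cwd}"))
        resolved[key] = os.path.join(cwd, value)   # join leaves absolute values unchanged
        if not os.path.isfile(resolved[key]):
            findings.append(("not-found", f"{key}: {resolved[key]} does not exist"))
    present = {k: p for k, p in resolved.items() if os.path.isfile(p)}
    if "ssl_key" in present:
        mode = stat.S_IMODE(os.stat(present["ssl_key"]).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("key-perms", f"ssl_key is accessible to group/others (mode {mode:04o})"))
    if "ssl_key" in present and "ssl_cert" in present:
        try:   # load_cert_chain fails if the key does not belong to the certificate
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(present["ssl_cert"], present["ssl_key"])
        except ssl.SSLError as exc:
            findings.append(("cert-key-mismatch", f"ssl_cert/ssl_key do not load together: {exc}"))
    if "ssl_ca" in present:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_verify_locations(present["ssl_ca"])
        except ssl.SSLError as exc:
            findings.append(("bad-ca", f"ssl_ca does not load: {exc}"))
    if resolved and mcmd.get("ssl_mode", "").strip().upper() == "DISABLED":
        findings.append(("ssl-disabled", "TLS files are configured but ssl_mode is DISABLED"))
    return findings


def sample_config():
    """Constructed input: the relative-path configuration from this page plus a
    world-readable key file, in a temporary directory.  Returns (path, cwd)."""
    workdir = tempfile.mkdtemp(prefix="mcmd-preflight-")
    key = os.path.join(workdir, "key.pem")
    open(key, "w").close()
    os.chmod(key, 0o644)
    path = os.path.join(workdir, "mcmd.ini")
    with open(path, "w") as cfg:
        cfg.write("[mcmd]\nssl_key = key.pem\nssl_cert = relative/path/cert\n"
                  "ssl_ca = /path/to/ca_cert\nssl_mode = DISABLED\n")
    return path, workdir


if __name__ == "__main__":
    config, start_dir = sample_config()
    for code, message in check_mcmd_tls(config, start_dir):
        print(f"{code:18s} {message}")
```

Run it with the cwd argument set to the directory the agent's start script uses; running it from a different directory would make the relative-path findings meaningless, which is exactly the problem the check is meant to catch.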

Client Connections.  With ssl_ca specified, mcmd enforces client certificate validation: the mcm client must then present, with --ssl-key and --ssl-cert, a key and a certificate that chain to that CA when connecting:

$> ./bin/mcmd --mcmd.ssl_key=/foo/server-key.pem --mcmd.ssl_cert=/foo/server-cert.pem --mcmd.ssl_ca=/foo/cacert.pem --mcmd.ssl_mode=REQUIRED
MySQL Cluster Manager 9.1.0 (64bit) started

$> ./bin/mcm --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 9.1.0 MySQL Cluster Manager

The client may also connect using --ssl-mode=VERIFY_CA together with --ssl-ca=/foo/cacert.pem so that it validates the agent's certificate as well. VERIFY_CA checks that the agent's certificate chains to the given CA; it does not compare the certificate with the host name the client connected to:

$> ./bin/mcm --ssl-mode=VERIFY_CA --ssl-ca=/foo/cacert.pem --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 9.1.0 MySQL Cluster Manager
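The two checks described above (the agent validating client certificates once ssl_ca is set, and the client validating the agent's certificate under VERIFY_CA) can be exercised on a workstation without an agent. The following is an added example, not MySQL Cluster Manager code: it builds a throwaway PKI with the openssl command-line tool (assumed to be on PATH) and then uses Python's ssl module as a stand-in for the mcmd agent (server side) and the mcm client, running one loopback handshake per case. The file names (cacert.pem, agent-cert.pem, client-cert.pem, rogue-cacert.pem) and the four case names are this example's own.

```python
"""Loopback demonstration of the trust checks behind mcmd's ssl_ca and
the mcm client's --ssl-mode=VERIFY_CA.  Added example, not MySQL Cluster
Manager code: a throwaway PKI is built with the openssl CLI (assumed to be
on PATH) and Python's ssl module plays the agent (server) and the client."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_pki(workdir):
    """Write cacert.pem, agent-/client-{key,cert}.pem signed by it, and an
    unrelated rogue-cacert.pem into workdir.  Returns workdir."""
    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    for ca in ("cacert", "rogue-cacert"):
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                "-subj", f"/CN={ca}", "-keyout", f"{ca}-key.pem", "-out", f"{ca}.pem")
    with open(os.path.join(workdir, "leaf.ext"), "w") as ext:   # v3 end-entity certs
        ext.write("basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n")
    for name in ("agent", "client"):
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
                "-keyout", f"{name}-key.pem", "-out", f"{name}.csr")
        openssl("x509", "-req", "-in", f"{name}.csr", "-CA", "cacert.pem",
                "-CAkey", "cacert-key.pem", "-CAcreateserial", "-days", "1",
                "-extfile", "leaf.ext", "-out", f"{name}-cert.pem")
    return workdir


def handshake(pki, *, agent_ssl_ca, client_cert, client_ssl_ca):
    """One TLS handshake over 127.0.0.1.  agent_ssl_ca mirrors mcmd's ssl_ca
    (None: client certificates are not requested), client_cert mirrors the
    mcm --ssl-key/--ssl-cert pair, client_ssl_ca is the CA the client trusts
    as with --ssl-mode=VERIFY_CA --ssl-ca.  Returns (ok, detail)."""
    path = lambda name: os.path.join(pki, name)
    agent = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    agent.load_cert_chain(path("agent-cert.pem"), path("agent-key.pem"))
    if agent_ssl_ca:
        agent.load_verify_locations(path(agent_ssl_ca))
        agent.verify_mode = ssl.CERT_REQUIRED    # client must present a CA-signed cert
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False                # VERIFY_CA: chain check, no host name check
    client.verify_mode = ssl.CERT_REQUIRED
    client.load_verify_locations(path(client_ssl_ca))
    if client_cert:
        client.load_cert_chain(path("client-cert.pem"), path("client-key.pem"))

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    agent_side = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with agent.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")               # reached only if the client passed verification
        except (ssl.SSLError, OSError) as exc:
            agent_side["error"] = str(exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with client.wrap_socket(socket.create_connection(listener.getsockname())) as tls:
            # Under TLS 1.3 the client's handshake can complete before the agent
            # has judged the client certificate, so wait for data or an alert.
            ok = tls.recv(2) == b"ok"
            detail = f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        ok, detail = False, str(exc)
    worker.join(5)
    listener.close()
    return ok, agent_side.get("error", detail)


def demo():
    """The four cases worth checking before trusting a deployment."""
    pki = make_pki(tempfile.mkdtemp(prefix="mcm-tls-"))
    cases = {
        "mutual_tls":           dict(agent_ssl_ca="cacert.pem", client_cert=True, client_ssl_ca="cacert.pem"),
        "client_without_cert":  dict(agent_ssl_ca="cacert.pem", client_cert=False, client_ssl_ca="cacert.pem"),
        "agent_cert_untrusted": dict(agent_ssl_ca="cacert.pem", client_cert=True, client_ssl_ca="rogue-cacert.pem"),
        "no_client_auth":       dict(agent_ssl_ca=None, client_cert=False, client_ssl_ca="cacert.pem"),
    }
    return {name: handshake(pki, **kw)[0] for name, kw in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The no_client_auth case is the one to keep in mind: without ssl_ca on the agent the connection is encrypted, but any client that can reach the port is accepted, which is why the page pairs ssl_ca with client-side --ssl-key and --ssl-cert. The recv after the client handshake is deliberate; with TLS 1.3 a client that only checks whether wrap_socket succeeded would wrongly conclude it was accepted.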

Information on Secure Connections.  The show settings command has a --tls option that shows only the TLS-specific settings:

$> ./mcm -e 'show settings --tls'
+---------+------------+----------+
| Section | Key        | Value    |
+---------+------------+----------+
| mcmd    | ssl_ca     |          |
| mcmd    | ssl_cert   |          |
| mcmd    | ssl_cipher |          |
| mcmd    | ssl_key    |          |
| mcmd    | ssl_mode   | DISABLED |
+---------+------------+----------+

The show variables command shows the supported TLS versions and the supported SSL ciphers:

$> ./mcm -e 'show variables'
+--------------------------+---------------------------+
| Variable_name            | Value                     |
+--------------------------+---------------------------+
| auto_increment_increment | 1                         |
| character_set_client     | latin1                    |
| ssl_cipher_list          | LIST-OF-SUPPORTED-CIPHERS |
| tls_version_list         | TLSv1.2,TLSv1.3           |
+--------------------------+---------------------------+

The show status command, used with no operands, shows runtime information about the connected mcmd, including the TLS version and the cipher in use:

$> ./mcm -e 'show status'
+--------------+------------------------------------+
| Property     | Value                              |
+--------------+------------------------------------+
| agent number | 1                                  |
| cwd          | /path/to/current/working/directory |
| max_msg_id   | 234                                |
| max_synode   | {1a2b3c4d 0 234}                   |
| ssl_cipher   | ECDCH-THE-CIPHER-NAME              |
| tls_version  | TLSv1.3                            |
| uptime       | 45                                 |
| version      | 9.1.0                              |
+--------------+------------------------------------+
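The three commands above are also the natural input for a scripted audit across agents, since mcm -e prints the same bordered table on each. The following is an added example and not part of MySQL Cluster Manager: it parses the tables printed by show settings --tls and show status and applies a policy (ssl_mode enabled, ssl_ca set so client certificates are validated, TLSv1.2 or later, an AEAD cipher) that is this example's own choice. The two sample tables are constructed after the ones on this page, with a realistic cipher name substituted for the placeholder.

```python
"""Audit of an agent's TLS state from mcm's table output.  Added example,
not part of MySQL Cluster Manager: it parses the bordered tables printed by
'show settings --tls' and 'show status' and applies a policy (TLS 1.2 or
later, an AEAD cipher, client-certificate validation enabled) that is this
example's own.  The sample tables are constructed after the ones on this
page; the cipher name is a realistic stand-in."""

# Constructed sample output, as if captured with: mcm -e 'show settings --tls'
SETTINGS_TLS = """
+---------+------------+------------------------+
| Section | Key        | Value                  |
+---------+------------+------------------------+
| mcmd    | ssl_ca     |                        |
| mcmd    | ssl_cert   | /foo/server-cert.pem   |
| mcmd    | ssl_cipher |                        |
| mcmd    | ssl_key    | /foo/server-key.pem    |
| mcmd    | ssl_mode   | REQUIRED               |
+---------+------------+------------------------+
"""

# Constructed sample output, as if captured with: mcm -e 'show status'
STATUS = """
+--------------+------------------------------------+
| Property     | Value                              |
+--------------+------------------------------------+
| agent number | 1                                  |
| ssl_cipher   | TLS_AES_256_GCM_SHA384             |
| tls_version  | TLSv1.3                            |
| version      | 9.1.0                              |
+--------------+------------------------------------+
"""


def parse_mcm_table(text):
    """Return the data rows of a +---+ / | a | b | table as lists of cells
    (the first '|' row is the header and is dropped)."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return rows[1:]


def audit_tls(settings_text, status_text):
    """Return a list of policy findings; an empty list means the agent passes."""
    settings = {key: value for section, key, value in parse_mcm_table(settings_text)
                if section == "mcmd"}
    status = dict(parse_mcm_table(status_text))
    findings = []
    if settings.get("ssl_mode", "").upper() in ("", "DISABLED"):
        findings.append("ssl_mode is DISABLED or unset: agent traffic is not encrypted")
    if not settings.get("ssl_ca"):
        findings.append("ssl_ca is empty: the agent does not validate client certificates")
    version = status.get("tls_version", "")
    if version and version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}; require TLSv1.2 or TLSv1.3")
    cipher = status.get("ssl_cipher", "")
    if cipher and not any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append(f"non-AEAD cipher in use: {cipher}")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SETTINGS_TLS, STATUS) or ["no findings"]:
        print(finding)
```

On the constructed sample the only finding is the empty ssl_ca: the agent is encrypting with TLSv1.3 and a strong cipher but accepts any client, which the settings table reveals and the status table alone does not.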