MySQL Replication  /  Replication Solutions  /  Setting Up Replication to Use Encrypted Connections

3.8 Setting Up Replication to Use Encrypted Connections

To use an encrypted connection for the transfer of the binary log required during replication, both the source and the replica servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.

Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the source, and a similar certificate (from the same certificate authority) on each replica. You must also obtain suitable key files.

For more information on setting up a server and client for encrypted connections, see Configuring MySQL to Use Encrypted Connections.

To enable encrypted connections on the source, you must create or obtain suitable certificate and key files, and then add the following configuration parameters to the source's configuration within the [mysqld] section of the source's my.cnf file, changing the file names as necessary:

[mysqld]
ssl_ca=cacert.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem

The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.

The configuration parameters are as follows:

  • ssl_ca: The path name of the Certificate Authority (CA) certificate file. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)

  • ssl_cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.

  • ssl_key: The path name of the server private key file.

To enable encrypted connections on the replica, use the CHANGE MASTER TO statement.

  • To name the replica's certificate and SSL private key files using CHANGE MASTER TO, add the appropriate MASTER_SSL_xxx options, like this:

        -> MASTER_SSL_CA = 'ca_file_name',
        -> MASTER_SSL_CAPATH = 'ca_directory_name',
        -> MASTER_SSL_CERT = 'cert_file_name',
        -> MASTER_SSL_KEY = 'key_file_name',

    These options correspond to the --ssl-xxx options with the same names, as described in Command Options for Encrypted Connections. For these options to take effect, MASTER_SSL=1 must also be set. For a replication connection, specifying a value for either of MASTER_SSL_CA or MASTER_SSL_CAPATH corresponds to setting --ssl-mode=VERIFY_CA. The connection attempt succeeds only if a valid matching Certificate Authority (CA) certificate is found using the specified information.

  • To activate host name identity verification, add the MASTER_SSL_VERIFY_SERVER_CERT option:

        -> MASTER_SSL_VERIFY_SERVER_CERT=1,
  • After the source information has been updated, start the replication process on the replica, like this:

    mysql> START SLAVE;

    You can use the SHOW SLAVE STATUS statement to confirm that an encrypted connection was established successfully.

  • If you want to enforce the use of encrypted connections during replication, create a user with the REPLICATION SLAVE privilege and use the REQUIRE SSL option for that user. For example:

    mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password';
    mysql> GRANT REPLICATION SLAVE ON *.*
        -> TO 'repl'@'%.example.com' REQUIRE SSL;

    If you have an existing replication user account on the source, you can add REQUIRE SSL to it with this statement:

    mysql> GRANT USAGE ON *.*
        -> TO 'repl'@'%.example.com' REQUIRE SSL;