
19.7 Securing your Cluster

Server instances can be configured to use secure connections. For general information on using SSL with MySQL see Section 7.4, “Using Secure Connections”. This section explains how to configure a cluster to use SSL.

When using createCluster() to set up a cluster, if the server instance provides SSL encryption then it is automatically enabled on the seed instance. Pass the memberSslMode option to the createCluster() method to specify a different SSL mode. The memberSslMode option is a string that configures the SSL mode to be used; it defaults to AUTO. The permitted values are DISABLED, REQUIRED, and AUTO. These modes are defined as:

  • Setting createCluster(memberSslMode=DISABLED) ensures SSL encryption is disabled for the seed instance in the cluster.

  • Setting createCluster(memberSslMode=REQUIRED) enables SSL encryption for the seed instance in the cluster. If it cannot be enabled, an error is raised.

  • Setting createCluster(memberSslMode=AUTO) (the default) automatically enables SSL encryption if the server instance supports it, or disables it if the server does not support it.

When you issue the addInstance() and rejoinInstance() commands, SSL encryption on the instance is enabled or disabled based on the setting found for the seed instance. For more control, the addInstance() and rejoinInstance() commands accept the memberSslMode option. The behavior of the commands in this case is:

  • Setting memberSslMode=DISABLED ensures SSL encryption is disabled for the instance in the cluster.

  • Setting memberSslMode=REQUIRED forces SSL encryption to be enabled for the instance in the cluster.

  • Setting memberSslMode=AUTO (the default) automatically enables or disables SSL encryption based on the setting used by the seed instance (other members of the cluster) and the available SSL support provided by the instance itself.

When using createCluster() with the adoptFromGR option to adopt an existing Group Replication group, no SSL settings are changed on the adopted cluster:

  • memberSslMode cannot be used with adoptFromGR.

  • If the SSL settings of the adopted cluster are different from the ones supported by the MySQL Shell, in other words SSL for Group Replication recovery and Group Communication, neither setting is modified. This means you are not able to add new instances to the cluster unless you manually change the settings for the adopted cluster.

MySQL Shell always enables or disables SSL for the cluster for both Group Replication recovery and Group Communication. When adding a new instance to the cluster, a verification is performed and an error is issued if those settings differ for the seed instance (for example as the result of a createCluster() using adoptFromGR). SSL encryption must be enabled or disabled for all instances in the cluster. Verifications are performed to ensure that this invariant holds when adding a new instance to the cluster.
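The invariant described above can be checked offline before adopting a group or adding an instance. The following is an added example, not code from the MySQL manual or MySQL Shell: it audits one row per member taken from the server system variables group_replication_ssl_mode (Group Communication) and group_replication_recovery_use_ssl (Group Replication recovery), which are not named on this page. The host names, field names and sample rows are constructed for illustration.

```javascript
// Constructed sample input: one row per member, as returned by
//   SELECT @@group_replication_ssl_mode, @@group_replication_recovery_use_ssl;
// Host names and field names are made up for this example.
const SAMPLE_MEMBERS = [
  { host: 'db1:3306', sslMode: 'REQUIRED', recoveryUseSsl: 'ON' },
  { host: 'db2:3306', sslMode: 'REQUIRED', recoveryUseSsl: 'OFF' },
  { host: 'db3:3306', sslMode: 'DISABLED', recoveryUseSsl: 0 },
];

// Classify one member: ENABLED or DISABLED when group communication and
// recovery agree, MIXED when they differ (the state the text says the
// Shell does not support).
function memberState(m) {
  const comm = String(m.sslMode).trim().toUpperCase() !== 'DISABLED';
  const rec = ['ON', '1', 'TRUE'].includes(
    String(m.recoveryUseSsl).trim().toUpperCase());
  if (comm !== rec) return 'MIXED';
  return comm ? 'ENABLED' : 'DISABLED';
}

// Check the cluster-wide invariant: every member uniformly ENABLED or
// uniformly DISABLED. Returns findings instead of throwing so that the
// result can feed a report or a CI gate.
function auditCluster(members) {
  const states = members.map((m) => ({ host: m.host, state: memberState(m) }));
  const findings = states
    .filter((s) => s.state === 'MIXED')
    .map((s) => `${s.host}: recovery and group communication SSL differ`);
  const uniform = new Set(
    states.filter((s) => s.state !== 'MIXED').map((s) => s.state));
  if (uniform.size > 1) {
    const on = states.filter((s) => s.state === 'ENABLED').map((s) => s.host);
    const off = states.filter((s) => s.state === 'DISABLED').map((s) => s.host);
    findings.push(`cluster: SSL enabled on [${on}] but disabled on [${off}]`);
  }
  const ok = members.length > 0 && findings.length === 0;
  return { ok, clusterSsl: ok ? states[0].state : null, states, findings };
}

console.log(JSON.stringify(auditCluster(SAMPLE_MEMBERS), null, 2));
```

A result with ok set to false lists the members whose settings must be changed manually before new instances can be added.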

The deploySandboxInstance() command attempts to deploy sandbox instances with SSL encryption support by default. If it is not possible, the server instance is deployed without SSL support. Use the ignoreSslError option set to false to ensure that sandbox instances are deployed with SSL support, issuing an error if SSL support cannot be provided. When ignoreSslError is true, which is the default, no error is issued during the operation if the SSL support cannot be provided and the server instance is deployed without SSL support.

