1 MySQL encryption configuration

概述

本文将以CentOS 8.2和MySQL 8.0.21为例,介绍如何配置数据库加密连接。

如果MySQL主机设置为localhost,加密选项将是不可用,这种情况下,Zabbix前端和数据库之间使用socket文件连接(在Unix上)或共享内存(在Windows上),所以不能加密。

加密组合列表不限于本页列出的。还有更多组合可供选择。

先决条件

安装MySQL请参照 official repository.

有关如何使用 MySQL 存储库的详细信息 请参照MySQL documentation

MySQL服务器已准备好使用自签名证书接受安全连接.

若想查看哪些用户正在使用加密连接,请运行以下查询 (Performance Schema 选项应打开):

  1. mysql> SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host 
  2.                FROM performance_schema.status_by_thread  AS sbt
  3.                JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
  4.                JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
  5.                WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher'
  6.                ORDER BY tls_version;

所需模式

MySQL 配置

当前版本数据库的加密模式已经可以开箱即用 encryption mode. 将在初始设置及启动后创建服务器端证书.

为主要组件创建用户和角色:

  1. mysql> CREATE USER   
  2.         'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',   
  3.         'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
  4.         REQUIRE SSL   
  5.         PASSWORD HISTORY 5; 
  7.        mysql> CREATE ROLE 'zbx_srv_role', 'zbx_web_role'; 
  9.        mysql> GRANT SELECT, UPDATE, DELETE, INSERT, CREATE, DROP, ALTER, INDEX, REFERENCES ON zabbix.* TO 'zbx_srv_role'; 
  10.        mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zbx_web_role'; 
  12.        mysql> GRANT 'zbx_srv_role' TO 'zbx_srv'@'%'; 
  13.        mysql> GRANT 'zbx_web_role' TO 'zbx_web'@'%'; 
  15.        mysql> SET DEFAULT ROLE 'zbx_srv_role' TO 'zbx_srv'@'%'; 
  16.        mysql> SET DEFAULT ROLE 'zbx_web_role' TO 'zbx_web'@'%';

注意, X.509 协议不检查标识, 但会将用户设置为仅使用加密连接。配置用户的更多详细信息请参阅MySQL文档 MySQL documentation

运行如下命令以检查连接(socket连接不能用于安全连接测试):

  1. $ mysql -u zbx_srv -p -h 10.211.55.9 --ssl-mode=REQUIRED

检查当前状态和可用的密码套件:

  1. mysql> status
  2.        --------------
  3.        mysql Ver 8.0.21 for Linux on x86_64 (MySQL Community Server - GPL)
  5.        Connection id: 62
  6.        Current database:
  7.        Current user: [email protected]
  8.        SSL: Cipher in use is TLS_AES_256_GCM_SHA384
  11.        mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher_list'\G;
  12.        *************************** 1. row ***************************
  13.        Variable_name: Ssl_cipher_list
  14.        Value: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA
  15.        1 row in set (0.00 sec)
  17.        ERROR:
  18.        No query specified

前端

要为 Zabbix 前端和数据库之间的连接建立传输加密,请执行以下操作:

  • 勾选 Database TLS encryption
  • 取消勾选 Verify database certificate

1 MySQL encryption configuration - 图1

服务端

要为服务端和数据库之间启用连接传输加密,请修改该文件 /etc/zabbix/zabbix_server.conf:

  1. ...
  2.        DBHost=10.211.55.9
  3.        DBName=zabbix
  4.        DBUser=zbx_srv
  5.        DBPassword=<strong_password>
  6.        DBTLSConnect=required
  7.        ...

验证 CA 模式

将所需的MySQL CA复制到Zabbix前端服务器,分配适当的权限以允许Web服务器读取此文件。

Verify CA 模式在 SLES 12 and RHEL 7 不会生效,因为所在系统的 MySQL 库过老.

使用证书验证为 Zabbix 前端和数据库之间的连接启用加密:

  • 勾选Database TLS encryptionVerify database certificate
  • 指定数据库 TLS CA 文件的路径

1 MySQL encryption configuration - 图2

或者,可以在 /etc/zabbix/web/zabbix.conf.php 配置:

  1. ...
  2.        $DB['ENCRYPTION'] = true;
  3.        $DB['KEY_FILE'] = '';
  4.        $DB['CERT_FILE'] = '';
  5.        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
  6.        $DB['VERIFY_HOST'] = false;
  7.        $DB['CIPHER_LIST'] = '';
  8.        ...

使用命令行工具对用户进行故障排除,以检查所需用户是否可以连接:

  1. $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=REQUIRED --ssl-ca=/var/lib/mysql/ca.pem

服务端

要为Zabbix服务器和数据库之间的连接启用加密和证书验证,请配置 /etc/zabbix/zabbix_server.conf:

  1. ...
  2.        DBHost=10.211.55.9
  3.        DBName=zabbix
  4.        DBUser=zbx_srv
  5.        DBPassword=<strong_password>
  6.        DBTLSConnect=verify_ca
  7.        DBTLSCAFile=/etc/ssl/mysql/ca.pem
  8.        ...

验证完整模式

MySQL 配置

MySQL CE 请参考如下配置 (/etc/my.cnf.d/server-tls.cnf) :

[mysqld]

  1. ...
  2.        # in this examples keys are located in the MySQL CE datadir directory
  3.        ssl_ca=ca.pem
  4.        ssl_cert=server-cert.pem
  5.        ssl_key=server-key.pem
  6.        require_secure_transport=ON
  7.        tls_version=TLSv1.3
  8.        ...

MySQL CE服务器和客户端(Zabbix前端)的密钥应根据MySQl CE文档手动创建:Creating SSL and RSA certificates and keys using MySQL or Creating SSL certificates and keys using openssl

MySQL服务器证书应设置为包含FQDN的名称,因为Zabbix前端将使用域名与数据库或数据库主机的IP地址进行通信。

创建MySQL用户:

  1. mysql> CREATE USER
  2.          'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',
  3.          'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
  4.          REQUIRE X509
  5.          PASSWORD HISTORY 5;

检查是否可使用该用户登录:

  1. $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=VERIFY_IDENTITY --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem

前端

启用加密,并对 Zabbix 前端和数据库之间的连接进行验证:

  • 检查数据库 TLS 加密并验证数据库证书

  • 数据库指定的 TLS 密钥文件路径

  • 数据库指定的 TLS CA 文件路径

  • 数据库指定的 TLS 证书文件路径

注意,MySQL 这个选项 Database host verification 是被选中的并显示为灰色.

密码列表应当为空,以便前端和服务器可以从两端支持的列表中协商出所需的密码列表。

1 MySQL encryption configuration - 图3

或者可以在此配置 /etc/zabbix/web/zabbix.conf.php:

  1. ...
  2.        // Used for TLS connection with strictly defined Cipher list.
  3.        $DB['ENCRYPTION'] = true;
  4.        $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
  5.        $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
  6.        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
  7.        $DB['VERIFY_HOST'] = true;
  8.        $DB['CIPHER_LIST'] = 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GC';
  9.        ...
  11.        // 或
  13.        ...
  14.        // Used for TLS connection without Cipher list defined - selected by MySQL server
  15.        $DB['ENCRYPTION'] = true;
  16.        $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
  17.        $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
  18.        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
  19.        $DB['VERIFY_HOST'] = true;
  20.        $DB['CIPHER_LIST'] = '';
  21.        ...

服务端

要为Zabbix服务端和数据库之间启用加密连接并进行完全验证,请配置 /etc/zabbix/zabbix_server.conf:

  1. ...
  2.        DBHost=10.211.55.9
  3.        DBName=zabbix
  4.        DBUser=zbx_srv
  5.        DBPassword=<strong_password>
  6.        DBTLSConnect=verify_full
  7.        DBTLSCAFile=/etc/ssl/mysql/ca.pem
  8.        DBTLSCertFile=/etc/ssl/mysql/client-cert.pem
  9.        DBTLSKeyFile=/etc/ssl/mysql/client-key.pem
  10.        ...