Kmaiti


Friday, 30 December 2011

How to install mysql and configure SSL with it?

Posted on 04:11 by Unknown
* How to install mysql and configure SSL with it?
* Received the following error when I tried to connect locally to the mysql server over SSL.

[root@]# mysql --ssl-cert=/var/lib/mysql/openssl-md5/ca-cert.pem --ssl-key=/var/lib/mysql/openssl-md5/client-key.pem --ssl-cert=/var/lib/mysql/openssl-md5/client-cert.pem -u root -p -v -v -v

Enter password:

ERROR 2026 (HY000): SSL connection error

My used environment

* Red Hat Enterprise Linux 5.7

Required packages :

* perl-DBD-MySQL-3.0007-2.el5
* perl-DBI-1.52-2.el5
* mysql-server-5.0.77-4.el5_6.6
* mysql-5.0.77-4.el5_6.6
* mysql-5.0.77-4.el5_6.6

Resolution

1. Download all mysql related packages or use yum command to install the packages. You can use "rpm -ivh " to install them manually.
2. Start mysql.
3. Change mysql root password

Example :

[root@ /]# rpm -ivh perl-DBI-1.52-2.el5.x86_64.rpm

warning: perl-DBI-1.52-2.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing... ########################################### [100%]

1:perl-DBI ########################################### [100%]

[root@/]# rpm -ivh mysql-5.0.77-4.el5_6.6.i386.rpm << This is needed on 64 bit os

warning: mysql-5.0.77-4.el5_6.6.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing... ########################################### [100%]

1:mysql ########################################### [100%]

[root@ /]# rpm -ivh mysql-5.0.77-4.el5_6.6.x86_64.rpm

warning: mysql-5.0.77-4.el5_6.6.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing... ########################################### [100%]

1:mysql ########################################### [100%]

[root@ /]#

[root@ /]# rpm -ivh perl-DBD-MySQL-3.0007-2.el5.x86_64.rpm

warning: perl-DBD-MySQL-3.0007-2.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing... ########################################### [100%]

1:perl-DBD-MySQL ########################################### [100%]

[root@/]#



[root@ /]# rpm -ivh mysql-server-5.0.77-4.el5_6.6.x86_64.rpm
warning: mysql-server-5.0.77-4.el5_6.6.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:mysql-server ########################################### [100%]
[root@ /]#



OR



$yum install mysql-server mysql

* Verify installed packages :

$rpm -qa |egrep -i 'mysql|perl-DBD-MySQL|perl-DBI|mysql-server'

perl-DBD-MySQL-3.0007-2.el5

perl-DBI-1.52-2.el5

mysql-server-5.0.77-4.el5_6.6

mysql-5.0.77-4.el5_6.6

mysql-5.0.77-4.el5_6.6

* Start mysqld service :

$/etc/init.d/mysqld restart
Stopping MySQL: [FAILED]
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK



To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system



PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h dhcp209-14.gsslab.pnq.redhat.com password 'new-password'



Alternatively you can run:
/usr/bin/mysql_secure_installation



which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.



See the manual for more instructions.



You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &



You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl



Please report any problems with the /usr/bin/mysqlbug script!



The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ]
Starting MySQL: [ OK ]
[root@]# /etc/init.d/mysqld status
mysqld (pid 15065) is running...



[root@]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution



Type 'help;' or '\h' for help. Type '\c' to clear the buffer.



mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.00 sec)



mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A



Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)



mysql> quit
Bye
[root@dhcp209-14 /]# netstat -plan |grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 15065/mysqld
[root@dhcp209-14 /]#
----------

mysql> show variables like '%%ssl%%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)

mysql>

* Reset mysql root password :

$/usr/bin/mysqladmin -u root password 'mysql'

* Configuring SSL for the mysql server and the client (which will access the server) :

$mkdir -p /etc/mysql/newcerts

$chown -R mysql:mysql /etc/mysql/newcerts

* Creating the certificate authority :

$cd /etc/mysql/newcerts

$openssl genrsa 2048 > ca-key.pem
$openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

* Creating certificate for server using above CA certificate :

$openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
$openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

* Creating certificate for client using above CA certificate (same steps as for the server, with its own serial number) :

$openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
$openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

* Make sure following entries are present in /etc/my.cnf file :

[mysqld]

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1



# Disabling symbolic-links is recommended to prevent assorted security risks;
# to do so, uncomment this line:
# symbolic-links=0
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem # << Important.
ssl-cert=/etc/mysql/newcerts/server-cert.pem # << Important
ssl-key=/etc/mysql/newcerts/server-key.pem # << Important



[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

* Execute the following commands (the password "mysql" is used for user "mysql"):

$/etc/init.d/mysqld restart

$mysql -u root -p

mysql> GRANT ALL ON *.* TO 'mysql'@'%' IDENTIFIED BY 'mysql' REQUIRE SSL;

* Testing :

$cd /etc/mysql/newcerts

$mysql --ssl-ca=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem -u root -p -v -v -v

Enter password: << pw = mysql

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.77 Source distribution



Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.



mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------



+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.00 sec)



mysql> show variables like '%%ssl%%';
--------------
show variables like '%%ssl%%'
--------------



+---------------+-------------------------------------+
| Variable_name | Value |
+---------------+-------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/newcerts/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/mysql/newcerts/server-key.pem |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)



mysql> quit
Writing history-file /root/.mysql_history
Bye





[root@]# mysql --ssl-ca=/etc/mysql/newcerts/ca-cert.pem --ssl-key=/etc/mysql/newcerts/client-key.pem --ssl-cert=/etc/mysql/newcerts/client-cert.pem -u root -p -v -v -v
Enter password: << pw = mysql



Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution



Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.



mysql> show variables like '%%ssl%%';
--------------
show variables like '%%ssl%%'
--------------



+---------------+-------------------------------------+
| Variable_name | Value |
+---------------+-------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/newcerts/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/mysql/newcerts/server-key.pem |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)



mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------



+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA | << Confirmed
+---------------+--------------------+
1 row in set (0.00 sec)


mysql>

mysql> quit
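
The certificate steps above, as an added example that is not part of the original post: a non-interactive version that gives each certificate its own Common Name and serial number, followed by checks worth running before restarting mysqld. The CN values and the directory argument are assumptions; the file names follow the post.

```shell
#!/bin/bash
# Added example (not from the original post). The CN values and the directory
# argument are illustrative assumptions; file names follow the post.

make_pki() {   # $1 = output directory, e.g. /etc/mysql/newcerts
    local d=$1 role serial=1
    mkdir -p "$d" && chmod 700 "$d" || return 1
    ( set -e; cd "$d"; umask 077            # keys readable by the owner only
      openssl genrsa -out ca-key.pem 2048 2>/dev/null
      openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
          -subj "/CN=Example MySQL CA" -out ca-cert.pem
      for role in server client; do         # distinct CN and serial per certificate
          openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
              -subj "/CN=mysql-$role" -out "$role-req.pem" 2>/dev/null
          openssl x509 -req -in "$role-req.pem" -days 1000 -CA ca-cert.pem \
              -CAkey ca-key.pem -set_serial "0$serial" -out "$role-cert.pem" 2>/dev/null
          serial=$((serial + 1))
      done )
}

check_pki() {  # $1 = directory; prints each failed check, returns the failure count
    local d=$1 role fails=0 km cm subj iss
    for role in server client; do
        # 1. The certificate must chain to the file given as ssl-ca.
        openssl verify -CAfile "$d/ca-cert.pem" "$d/$role-cert.pem" 2>&1 \
            | grep -q ': OK$' \
            || { echo "FAIL: $role-cert.pem is not signed by ca-cert.pem"; fails=$((fails + 1)); }
        # 2. The private key must belong to the certificate (same RSA modulus).
        km=$(openssl rsa -in "$d/$role-key.pem" -noout -modulus 2>/dev/null)
        cm=$(openssl x509 -in "$d/$role-cert.pem" -noout -modulus 2>/dev/null)
        [ -n "$km" ] && [ "$km" = "$cm" ] \
            || { echo "FAIL: $role-key.pem does not match $role-cert.pem"; fails=$((fails + 1)); }
        # 3. Subject must differ from issuer, else OpenSSL treats the leaf as self-signed.
        subj=$(openssl x509 -in "$d/$role-cert.pem" -noout -subject | sed 's/^[a-z]*= *//')
        iss=$(openssl x509 -in "$d/$role-cert.pem" -noout -issuer | sed 's/^[a-z]*= *//')
        [ "$subj" != "$iss" ] \
            || { echo "FAIL: $role-cert.pem has the same subject as its CA"; fails=$((fails + 1)); }
    done
    return "$fails"
}
```

Run `check_pki /etc/mysql/newcerts` after generating or copying the files. MySQL's documentation requires the server and client Common Names to differ from the CA's, which is what check 3 guards.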