Mysql SSL 配置
转自:http://www.cnblogs.com/huqingyu/archive/2009/03/22/1418936.html建立 CA 憑證:
openssl genrsa 2048 > ca-key.pemopenssl req -new -x509 -nodes -days 1000 -key ca-key.pem -passin pass:123456 -passout pass:123456 -subj /C=CN/O=INFOSEC/CN=nicky > ca-cert.pem 建立 MySQL Server 憑證
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -passin pass:123456 -passout pass:123456 -subj /C=CN/O=INFOSEC/CN=nicky > server-req.pem 建立 MySQL Client 憑證:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -passin pass:123456 -passout pass:123456 -subj /C=CN/O=INFOSEC/CN=nicky > client-req.pemopenssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem 修改 MySQL 設定檔 my.cnf,加上:
ssl-ca=/etc/mysql/ca-cert.pemssl-cert=/etc/mysql/server-cert.pemssl-key=/etc/mysql/server-key.pem 重新啟動 MySQL,再檢查一次是否已經打開 SSL 功能:
show VARIABLES like '%ssl%' 结果:
have_opensslDISABLEDhave_sslDISABLEDssl_cassl_capathssl_certssl_cipherssl_key
,MySQL 的設定就告一段落了。
用 MySQL Client 測試一下:
shell> mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -u root -p 測試無誤後,接下來要寫個 Java 程式,用 SSL 的方式連 MySQL。撰寫程式前,要先用 Java 的 keytool 建立 truststore 和 keystore:
建立 truststore:
shell> keytool -import -alias mysqlServerCACert -file ca-cert.pem -keystore truststore 建立 keystore:
匯入之前建立的 MySQL Client 憑證,首先要先轉成 DER 格式:
shell> openssl x509 -outform DER -in client-cert.pem -out client.cert 產生 keystore:
shell> keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate 將建立好的 truststore 和 keystore,放到一個安全的地方,接下來是 Java 的 Code:
/** * MySQL_SSL_Test.java 2011-3-16 上午10:19:04 */package test.datasource;import java.sql.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class MySQL_SSL_Test{ static private String db_user = "root"; static private String db_password = "123456"; public static void main(String[] args) { try { Class.forName("com.mysql.jdbc.Driver").newInstance(); System.setProperty("javax.net.ssl.keyStore", "/your_path/keystore"); System.setProperty("javax.net.ssl.keyStorePassword", "password"); System.setProperty("javax.net.ssl.trustStore", "/your_path/truststore"); System.setProperty("javax.net.ssl.trustStorePassword", "password"); Connection con = DriverManager .getConnection("jdbc:mysql://your_host:3306/DATABASE?user=" + db_user + "&password=" + db_password + "&useUnicode=true&characterEncoding=utf8&useSSL=true"); String query = "SELECT * FROM TABLE"; Statement stm = con.createStatement(); ResultSet res = stm.executeQuery(query); while (res.next()) { System.out.println(res.getString(1)); } res.close(); stm.close(); con.close(); } catch (Exception e) { System.out.println("Caught Exception : " + e.toString()); } }} 如果可以順利 Query 出資料,就大功告成啦!
多一層防護,的確安全些,不過就跟防毒軟體一樣,即使常常 Update,也不能保證 100% 的安全,凡事多留意,真的無敵重要的資料,還是不要放在網路上,比較安全囉!
文章参考:http://www.xuan-lu.net/blog/index_278.html
http://holy2010.blog.51cto.com/1086044/506525
页:
[1]