GSI Enabled MySQL - Testing
To Grid-enable MySQL is to allow client authentication using X509 certificates as used in
the Globus Toolkit. Using the X509 certificates issued by the Globus Toolkit CA will alleviate
the need for the client to authenticate separately after issuing the "grid-proxy-init" command.
To do this in MySQL, one needs to connect over an SSL encrypted channel. This document will
outline the steps needed to prepare MySQL for such connections, demonstrate a simple Perl
DBI script which accomplishes the connection, and discuss future plans for testing and
implementation.
Setup
- MySQL
For a more in-depth explanation of the why's and how's, see the MySQL
documentation.
What is included here are exerpts and observations from that documentation.
-
Build MySQL with SSL enabled. The following conditions apply to MySQL 4.0.0 or greater.
If you are running an older version, you should definitely check the documentation mentioned above.
- Install OpenSSL Library >= OpenSSL 0.9.6
- Configure and build with options --with-vio --with-openssl
- Check that your server supports OpenSSL by examining if
SHOW VARIABLES LIKE 'have_openssl' returns
YES
- X509 Certificates
Check documentation for more detailed explanation of key creation.
- Setup. First create a directory for the keys, copy and modify openssl.cnf
DIR=~/openssl
PRIV=$DIR/private
mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/openssl.cnf $DIR/openssl.cnf
replace .demoCA $DIR -- $DIR/openssl.cnf
- Certificate Authority
openssl req -new -keyout cakey.pem -out $PRIV/cacert.pem -config $DIR/openssl.cnf
- Server Request and Key
openssl req -new -keyout $DIR/server-key.pem -out $DIR/server-req.pem \
-days 3600 -config $DIR/openssl.cnf
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
openssl ca -policy policy_anything -out $DIR/server-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/server-req.pem
- Client Request and Key
openssl req -new -keyout $DIR/client-key.pem -out $DIR/client-req.pem \
-days 3600 -config $DIR/openssl.cnf
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
openssl ca -policy policy_anything -out $DIR/client-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/client-req.pem
- Init Files
MySQLd needs to be made aware of the certificates at start-up time. MySQLd reads
/etc/my.cnf at start-up time.
Add the following lines (be sure to replace $DIR with the actuaal location) to /etc/my.cnf
[server]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/server-cert.pem
ssl-key=$DIR/server-key.pem
Add the following lines (be sure to replace $DIR with the actuaal location) to ~/.my.cnf
[client]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
- Grant Options
Again, the MySQL documentation should be consulted, but basically, the following options
are added to the grant options in the user table of the mysql database.
Not all of the following options have been tested at this time,
but they will be before all is said and done.
These options are added as needed in the following manner...
mysql> GRANT ALL PRIVILEGES ON test.* to username@localhost
-> IDENTIFIED BY "secretpass" REQUIRE SSL;
- REQUIRE SSL limits the server to allow only SSL connections
REQUIRE X509 "issuer" means that the client should have a valid certificate,
but we do not care about the exact certificate, issuer or subjectREQUIRE ISSUER means the client must present a valid X509 certificate
issued by issuer "issuer".REQUIRE SUBJECT "subject" requires clients to have a valid X509 certificate
with the subject "subject" on it.REQUIRE CIPHER "cipher" is needed to ensure strong ciphers and keylengths
will be used. (ie. REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA")
Perl DBI/DBD
Perl DBI needs to connect over an SSL encrypted connection. SSL needs to be enabled.
You must configure DBD::mysql with
-ssl, then build and install it
on the machine where you will be running your Perl code.
Testing
**Richard A. Casella -