OceanBase security audit: transmission encryption

In the previous issue we covered the "Identity Authentication" and "User Management and Access Control" parts of the OceanBase security audit, and the overview of OceanBase's security mechanism mentioned its support for transmission encryption. This issue is hands-on: we configure transmission encryption and verify that the traffic is actually encrypted.

Author: Jin Changlong

Test engineer at Aikeson, responsible for testing the DMP product.

Author: Chen Huiming

Test engineer at Aikeson, mainly involved in the DMP and DBLE automated test projects.

Source of this article: Original submission

*Produced by the Aikeson open source community. Original content may not be used without authorization; to reprint, contact the editor and credit the source.


1. Environment preparation

  1. OceanBase 4.1 Enterprise Edition cluster (3 nodes) + OBProxy

  2. A CA certificate, a server certificate and a client certificate

The same steps also work with OceanBase Community Edition.
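The list above names certificate preparation as a prerequisite but does not show it. The following script is an added example, not code from the article or from OceanBase, that generates a test CA, an OBServer certificate and a client certificate with openssl. Everything in it is an assumption of this example rather than something the article specifies: RSA-2048 keys, a self-signed CA, the output directory certs/ and the file names ca.pem, server-cert.pem, client-cert.pem and client-key.pem (chosen to match the paths in the OBProxy security_config row later on), and the client CN obclient, which is the value the tenant whitelist ob_ssl_invited_common_names must later contain. Both leaf certificates carry serverAuth and clientAuth because OBProxy presents the client certificate to clients as well as to OBServers, and OBServers connect to each other over RPC.

```shell
#!/bin/sh
# Added example (not from the article or OceanBase): create the certificate
# material that the OBServer and OBProxy configuration steps assume exists.
# Assumptions: RSA-2048 keys, a self-signed CA, one leaf cert for the OBServer
# and one for the client whose CN ("obclient") is what the tenant whitelist
# ob_ssl_invited_common_names must contain.
set -eu

# gen_certs <outdir> <server-cn> <client-cn>
gen_certs() {
  dir=$1; server_cn=$2; client_cn=$3
  mkdir -p "$dir"
  cnf="$dir/openssl.cnf"

  # Self-contained OpenSSL config so the result does not depend on the
  # system openssl.cnf. The empty [dn] section is required by `req` even
  # though the subject is passed with -subj.
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
# serverAuth AND clientAuth: OBProxy presents the client cert to clients,
# and OBServers act as TLS clients towards each other over RPC.
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # 1. Self-signed CA (10 years). Its private key never leaves this host.
  openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
    -subj "/CN=OceanBase Test CA" 2>/dev/null

  # 2. OBServer certificate: fresh key + CSR, signed by the CA for one year.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" \
    -subj "/CN=$server_cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$cnf" -extensions leaf_ext \
    -out "$dir/server-cert.pem" 2>/dev/null

  # 3. Client certificate: used by obclient, and by OBProxy in both of its
  #    roles. Its CN is what ob_ssl_invited_common_names matches on.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" \
    -subj "/CN=$client_cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$cnf" -extensions leaf_ext \
    -out "$dir/client-cert.pem" 2>/dev/null

  rm -f "$dir/server.csr" "$dir/client.csr"
  chmod 600 "$dir"/*-key.pem   # private keys: owner-readable only
}

# cert_cn <cert.pem>: print the subject CN (the value to whitelist)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//; s/^CN=//; s/,.*$//'
}

# verify_chain <ca.pem> <cert.pem>: succeed only if cert chains to the CA
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh gen_ob_certs.sh certs observer01 obclient
if [ $# -eq 3 ]; then
  gen_certs "$1" "$2" "$3"
  for c in server-cert.pem client-cert.pem; do
    verify_chain "$1/ca.pem" "$1/$c" && echo "$c OK, CN=$(cert_cn "$1/$c")"
  done
fi
```

Copy ca.pem plus the server key/cert to each OBServer and ca.pem plus the client key/cert to the OBProxy host and to the clients; the CA key stays offline. The CN printed by cert_cn for client-cert.pem is the string to put into ob_ssl_invited_common_names in section 3.1.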

2. OBServer transmission encryption

2.1 Enable encryption

OceanBase transmission encryption is enabled through several configuration items. Log in to the sys tenant as the root user and run the following.

Specify where the private key, certificate and CA certificate come from (ssl_mode "file": read from local files):

alter system set ssl_external_kms_info = '
{
"ssl_mode":"file"
}';

Enable SSL on the MySQL protocol port:

alter system set ssl_client_authentication = 'TRUE';
# Once set to TRUE, SSL on the MySQL protocol port takes effect immediately (no restart needed).

Configure the SSL whitelist for RPC communication

Because the TCP connections between OBServers are long-lived, the OBServers must be restarted before RPC SSL encryption takes effect.

# RPC SSL requires a whitelist.
# Enable it for the whole cluster:
alter system set _ob_ssl_invited_nodes='ALL';

# Or enable SSL only on the OBServers with the listed IPs:
alter system set _ob_ssl_invited_nodes='135.xxx.xx.xx, 128.xxx.xx.xx';

2.2 Verify encryption

MySQL port (2881)

Run \s in the client; the SSL line reports the cipher in use when the connection is encrypted and "Not in use" otherwise.

Capture packets on port 2881 and confirm that the SQL text is no longer visible in cleartext.

RPC port (2882)

Search the observer log for "rpc connection accept" and check whether use_ssl is True or False for each accepted connection.

Capture packets on port 2882 and confirm that the RPC payload is no longer readable.

3. ODP (OBProxy) transmission encryption

With OBProxy in the path, a client that "connects to OceanBase over SSL" actually terminates its TLS session at OBProxy; OBProxy then opens a second, separate TLS session to the OBServer. Between those two sessions the traffic is in cleartext inside OBProxy, so both legs have to be enabled (enable_client_ssl and enable_server_ssl below); enabling only the client leg leaves proxy-to-server traffic unencrypted. For the same reason, enabling SSL client authentication on the OceanBase cluster (section 2.1) is a prerequisite for the proxy-to-server leg.

3.1 Enable encryption

  1. Log in to OBProxy with the root@proxysys account.
  2. Set the CA certificate, the public key (certificate) and the private key.
UPDATE proxyconfig.security_config SET CONFIG_VAL= '{"sourceType" : "FILE", "CA" : "certs/ca.pem", "publicKey" : "certs/client-cert.pem", "privateKey" : "certs/client-key.pem"}' WHERE APP_NAME = 'obproxy' and VERSION = '1';

Note: the public key and private key configured here are the client certificate and key generated earlier, not the server ones. OBProxy is the link between client and server: it is the "server" from the client's point of view and the "client" from the OceanBase server's point of view, and this one certificate is used for both roles.

Check that the setting took effect by querying proxyconfig.security_config again.

Enable SSL between the client and OBProxy:

alter proxyconfig set enable_client_ssl=true;

Enable SSL between OBProxy and OBServer:

alter proxyconfig set enable_server_ssl=true;

Log in with the administrator account of the business tenant and set the SSL common-name whitelist:

alter system set ob_ssl_invited_common_names="obclient";
# This parameter is tenant-level: set it in every tenant that will be connected to. It takes effect immediately, with no restart of the instance or cluster.

Note: the value of ob_ssl_invited_common_names must match the cn (common name) field of the client certificate's subject.

3.2 Verify encryption

Connection between client and OBProxy: connect through OBProxy and run \s; the SSL line should report the cipher in use rather than "Not in use".

Connection between OBProxy and OBServer: capture packets on the OBServer's MySQL port (2881) from the OBProxy host, as in section 2.2, and confirm that the SQL text is no longer visible in cleartext.
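The checks in sections 2.2 and 3.2 appear in the article as screenshots. The script below is an added example, not code from the article or from OceanBase, that collects those checks as shell functions: a TLS probe of a MySQL-protocol port (OBServer 2881 or the OBProxy listener) using the MySQL STARTTLS support built into openssl s_client, a packet-capture helper for the cleartext check, and an offline check of observer log lines for "rpc connection accept" / use_ssl. The certificate directory layout (the files produced in section 1), the host and interface arguments, and the sample log lines are constructed for this example; the real observer.log line layout is not reproduced, and only the two substrings the article names are relied on.

```shell
#!/bin/sh
# Added example (not from the article or OceanBase): helpers for verifying
# that OceanBase/OBProxy traffic is really encrypted. The two network helpers
# need a live cluster; the log helper runs offline on a constructed sample.
set -eu

# mysql_tls_probe <host> <port> <certdir>
# Talk to a MySQL-protocol port (OBServer 2881 or the OBProxy listener) with
# OpenSSL's MySQL STARTTLS support (OpenSSL >= 1.1.1), presenting the client
# certificate. Prints the negotiated protocol/cipher and the certificate the
# server presented; exits non-zero if the server never switches to TLS.
mysql_tls_probe() {
  openssl s_client -connect "$1:$2" -starttls mysql \
    -CAfile "$3/ca.pem" -cert "$3/client-cert.pem" -key "$3/client-key.pem" \
    </dev/null 2>/dev/null | grep -E 'Protocol|Cipher|subject='
}

# capture_port <iface> <port> <out.pcap>: record traffic for offline review
# (needs root). Afterwards `tcpdump -A -r out.pcap | grep -ci select` should
# be 0 on an encrypted port; on a cleartext port the SQL text is visible.
capture_port() { tcpdump -i "$1" -nn -w "$3" "tcp port $2"; }

# rpc_ssl_report <observer.log>
# Count 'rpc connection accept' lines and split them by their use_ssl value.
# Output: "<accepted> <with_ssl> <without_ssl>"
rpc_ssl_report() {
  awk '
    /rpc connection accept/ {
      total++
      if (match($0, /use_ssl[=:][ ]*[A-Za-z]+/)) {
        v = tolower(substr($0, RSTART, RLENGTH))
        sub(/^use_ssl[=:][ ]*/, "", v)
        if (v == "true") ssl++; else nossl++
      } else {
        nossl++        # no use_ssl field at all: treat as not encrypted
      }
    }
    END { printf "%d %d %d\n", total, ssl, nossl }
  ' "$1"
}

# rpc_all_ssl <observer.log>: succeed only if at least one RPC connection was
# accepted and none of them was accepted without SSL.
rpc_all_ssl() {
  set -- $(rpc_ssl_report "$1")
  [ "$1" -gt 0 ] && [ "$3" -eq 0 ]
}

# Constructed sample log for offline testing. The real observer.log layout
# differs; only 'rpc connection accept' and the use_ssl field are relied on.
sample_log() {
  cat <<'EOF'
[2023-08-28 10:00:01.000001] INFO  [RPC] rpc connection accept(peer=192.0.2.11:40001, use_ssl=True)
[2023-08-28 10:00:01.000002] INFO  [RPC] rpc connection accept(peer=192.0.2.12:40002, use_ssl=True)
[2023-08-28 10:00:01.000003] INFO  [RPC] rpc connection accept(peer=192.0.2.13:40003, use_ssl=False)
[2023-08-28 10:00:01.000004] INFO  [RPC] rpc connection close(peer=192.0.2.13:40003, use_ssl=False)
EOF
}

# Usage: sh verify_ob_tls.sh /path/to/observer.log
if [ $# -eq 1 ]; then
  rpc_ssl_report "$1"
  if rpc_all_ssl "$1"; then
    echo "all accepted RPC connections used SSL"
  else
    echo "WARNING: RPC connections accepted without SSL (or none accepted yet)"
  fi
fi
```

A connection accepted with use_ssl=False after _ob_ssl_invited_nodes was set usually means the OBServer has not been restarted yet, which is the restart requirement from section 2.1; rerun the log check after the restart. The TLS probe is also the quickest way to confirm that OBProxy, not only the OBServer, presents a certificate to clients.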

4. Summary

There are several pitfalls in the actual configuration and verification process: RPC SSL only takes effect after an OBServer restart, OBProxy must be given the client certificate rather than the server one, and the tenant whitelist must match the certificate CN exactly. Work through the official documentation alongside this walkthrough.

For more technical articles, please visit: https://opensource.actionsky.com/

About SQLE

SQLE, from the Aikeson open source community, is a SQL audit tool for database users and administrators. It supports multi-scenario audits and standardized release processes, audits MySQL out of the box, and can be extended to other database types.

Getting SQLE

  Repository: https://github.com/actiontech/sqle
  Documentation: https://actiontech.github.io/sqle-docs/
  Release notes: https://github.com/actiontech/sqle/releases
  Audit plug-in development guide: https://actiontech.github.io/sqle-docs/docs/dev-manual/plugins/howtouse


Origin: https://blog.csdn.net/ActionTech/article/details/132585395