MySQL Cluster Manager supports secure connections using TLS for the following:
The following options are used to configure the secure connections (see the option descriptions for details):
Enable and Disable Secure Connections. Secure connections can be enabled or disabled by configuring the relevant options in the mcmd configuration file in the mcmd section:

[mcmd]
ssl_key = /absolute/path/to/key
ssl_cert = relative/path/cert
ssl_ca = /path/to/ca_cert

The options can also be configured at the command line:

$> mcmd --mcmd.ssl_key=/absolute/path/to/key --mcmd.ssl_cert=relative/path/cert --mcmd.ssl_ca=/path/to/ca_cert

ssl_key and ssl_cert may specify the file name of the TLS key and certificate. Both absolute and relative paths are allowed; relative paths are relative to the current working directory.
To enable or disable secure connections, stop all agents, reconfigure the secure connection options, and restart all agents.
Client Connections. With ssl_ca specified, mcmd enforces client certificate validation. The mcm client should then provide ssl_key and ssl_cert information when connecting:

$> ./bin/mcmd --mcmd.ssl_key=/foo/server-key.pem --mcmd.ssl_cert=/foo/server-cert.pem --mcmd.ssl_ca=/foo/cacert.pem --mcmd.ssl_mode=REQUIRED
MySQL Cluster Manager 8.4.6 (64bit) started
$> ./bin/mcm --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 8.4.6 MySQL Cluster Manager

The client may also connect using --ssl-mode=VERIFY_CA and --ssl-ca=cacert.pem to validate certificates from the client side:

$> ./bin/mcm --ssl-mode=VERIFY_CA --ssl-ca=/foo/cacert.pem --ssl-key=/foo/client-key.pem --ssl-cert=/foo/client-cert.pem
Welcome to the MySQL Cluster Manager client. Commands end with ; or \g.
Your connection id is 0
Agent version: 8.4.6 MySQL Cluster Manager

Information on Secure Connections. The show settings command has an --tls option to show the TLS-specific settings:

$> ./mcm -e 'show settings --tls'
+---------+------------+----------+
| Section | Key        | Value    |
+---------+------------+----------+
| mcmd    | ssl_ca     |          |
| mcmd    | ssl_cert   |          |
| mcmd    | ssl_cipher |          |
| mcmd    | ssl_key    |          |
| mcmd    | ssl_mode   | DISABLED |
+---------+------------+----------+

The show variables command shows the supported TLS versions and the supported SSL ciphers:

$> ./mcm -e 'show variables'
+--------------------------+---------------------------+
| Variable_name            | Value                     |
+--------------------------+---------------------------+
| auto_increment_increment | 1                         |
| character_set_client     | latin1                    |
| ssl_cipher_list          | LIST-OF-SUPPORTED-CIPHERS |
| tls_version_list         | TLSv1.2,TLSv1.3           |
+--------------------------+---------------------------+

The show status command, used with no operands, shows runtime information of the connected mcmd, including the TLS version and the cipher in use:

$> ./mcm -e 'show status'
+--------------+------------------------------------+
| Property     | Value                              |
+--------------+------------------------------------+
| agent number | 1                                  |
| cwd          | /path/to/current/working/directory |
| max_msg_id   | 234                                |
| max_synode   | {1a2b3c4d 0 234}                   |
| ssl_cipher   | ECDCH-THE-CIPHER-NAME              |
| tls_version  | TLSv1.3                            |
| uptime       | 45                                 |
| version      | 8.4.6                              |
+--------------+------------------------------------+
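
The following Python script is an added example, not part of the MySQL Cluster Manager documentation: it parses the table printed by show settings --tls and reports settings that leave agent connections unprotected. The function names, the sample values, and the choice to flag relative ssl_key/ssl_cert paths (because they resolve against the working directory mcmd was started in) are assumptions of this example.

```python
import os.path

# Constructed sample: output of `mcm -e 'show settings --tls'` in the layout
# shown on this page, with values made up for this example.
SAMPLE = """\
+---------+------------+------------------+
| Section | Key        | Value            |
+---------+------------+------------------+
| mcmd    | ssl_ca     |                  |
| mcmd    | ssl_cert   | certs/server.pem |
| mcmd    | ssl_cipher |                  |
| mcmd    | ssl_key    | /etc/mcm/key.pem |
| mcmd    | ssl_mode   | REQUIRED         |
+---------+------------+------------------+
"""

def parse_table(text):
    """Turn the client's ASCII table into a list of dicts keyed by header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|") and line.endswith("|"):  # skip +---+ borders
            rows.append([cell.strip() for cell in line[1:-1].split("|")])
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def audit_tls_settings(text):
    """Return findings for the mcmd TLS settings (hypothetical helper)."""
    cfg = {r["Key"]: r["Value"] for r in parse_table(text)
           if r.get("Section") == "mcmd"}
    findings = []
    if cfg.get("ssl_mode", "DISABLED") == "DISABLED":
        findings.append("ssl_mode is DISABLED: connections are not secured")
    if not cfg.get("ssl_ca"):
        findings.append("ssl_ca is empty: client certificates are not validated")
    for key in ("ssl_key", "ssl_cert"):
        value = cfg.get(key, "")
        if not value:
            findings.append(f"{key} is not set")
        elif not os.path.isabs(value):
            findings.append(f"{key} is a relative path: depends on mcmd's cwd")
    return findings

if __name__ == "__main__":
    for finding in audit_tls_settings(SAMPLE):
        print("FINDING:", finding)
```

To check a live agent, pass the captured output of ./mcm -e 'show settings --tls' to audit_tls_settings instead of SAMPLE.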