Movatterモバイル変換

ssl_ca: The path name of the Certificate Authority (CA) certificate file. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)

ssl_cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.

ssl_key: The path name of the server private key file.

To name the replica's certificate and SSL private key files usingCHANGE MASTER TO, add the appropriateMASTER_SSL_xxx options, like this:

    -> MASTER_SSL_CA = 'ca_file_name',    -> MASTER_SSL_CAPATH = 'ca_directory_name',    -> MASTER_SSL_CERT = 'cert_file_name',    -> MASTER_SSL_KEY = 'key_file_name',

These options correspond to the--ssl-xxx options with the same names, as described inCommand Options for Encrypted Connections. For these options to take effect,MASTER_SSL=1 must also be set. For a replication connection, specifying a value for either ofMASTER_SSL_CA orMASTER_SSL_CAPATH corresponds to setting--ssl-mode=VERIFY_CA. The connection attempt succeeds only if a valid matching Certificate Authority (CA) certificate is found using the specified information.

To activate host name identity verification, add theMASTER_SSL_VERIFY_SERVER_CERT option:

    -> MASTER_SSL_VERIFY_SERVER_CERT=1,

This option corresponds to the--ssl-verify-server-cert option, which is deprecated as of MySQL 5.7.11 and removed in MySQL 8.0. For a replication connection, specifyingMASTER_SSL_VERIFY_SERVER_CERT=1 corresponds to setting--ssl-mode=VERIFY_IDENTITY, as described inCommand Options for Encrypted Connections. For this option to take effect,MASTER_SSL=1 must also be set. Host name identity verification does not work with self-signed certificates.

To activate certificate revocation list (CRL) checks, add theMASTER_SSL_CRL orMASTER_SSL_CRLPATH option, as shown here:

    -> MASTER_SSL_CRL = 'crl_file_name',    -> MASTER_SSL_CRLPATH = 'crl_directory_name',

These options correspond to the--ssl-xxx options with the same names, as described inCommand Options for Encrypted Connections. If they are not specified, no CRL checking takes place.

To specify lists of ciphers and encryption protocols permitted by the replica for the replication connection, add theMASTER_SSL_CIPHER andMASTER_TLS_VERSION options, like this:

    -> MASTER_SSL_CIPHER = 'cipher_list',    -> MASTER_TLS_VERSION = 'protocol_list',    -> SOURCE_TLS_CIPHERSUITES = 'ciphersuite_list',

TheMASTER_SSL_CIPHER option specifies the list of ciphers permitted by the replica for the replication connection, with one or more cipher names separated by colons. TheMASTER_TLS_VERSION option specifies the encryption protocols permitted by the replica for the replication connection. The format is like that for thetls_version system variable, with one or more comma-separated protocol versions. The protocols and ciphers that you can use in these lists depend on the SSL library used to compile MySQL. For information about the formats and permitted values, seeSection 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

After the source information has been updated, start the replication process on the replica, like this:

mysql> START SLAVE;

You can use theSHOW SLAVE STATUS statement to confirm that an encrypted connection was established successfully.

Requiring encrypted connections on the replica does not ensure that the source requires encrypted connections from replicas. If you want to ensure that the source only accepts replicas that connect using encrypted connections, create a replication user account on the source using theREQUIRE SSL option, then grant that user theREPLICATION SLAVE privilege. For example:

mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password'    -> REQUIRE SSL;mysql> GRANT REPLICATION SLAVE ON *.*    -> TO 'repl'@'%.example.com';

If you have an existing replication user account on the source, you can addREQUIRE SSL to it with this statement:

mysql> ALTER USER 'repl'@'%.example.com' REQUIRE SSL;