PDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb
Thecomponent_keyring_hashicorp component is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, seehttps://www.mysql.com/products/.
Thecomponent_keyring_hashicorp keyring component communicates with HashiCorp Vault for back end storage, and supports HashiCorp Vault AppRole authentication. No key information is permanently stored in the MySQL server's local storage. (An optional in-memory key cache may be used as intermediate storage.) Random key generation is performed on the MySQL server side, with the keys subsequently stored in Hashicorp Vault.
component_keyring_hashicorp is intended to replace thekeyring_hashicorp plugin (which is now deprecated), and makes use of the component infrastructure. For more information, seeKeyring Components Versus Keyring Plugins.
Thekeyring_hashicorp components supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:
SQL interface: In SQL statements, call the functions described inSection 8.4.5.14, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described inSection 7.6.8.2, “The Keyring Service”.
Example (using the SQL interface):
SELECT keyring_key_generate('MyKey', 'AES', 32);SELECT keyring_key_remove('MyKey'); For information about the characteristics of key values permitted bykeyring_hashicorp, seeSection 8.4.5.12, “Supported Keyring Key Types and Lengths”.
To installcomponent_keyring_hashicorp, use the general instructions found inSection 8.4.5.2, “Keyring Component Installation”, together with the configuration information specific tocomponent_keyring_hashicorp found here. Component-specific configuration includes preparation of the certificate and key files needed for connecting to HashiCorp Vault, as well as configuring HashiCorp Vault itself. The following sections provide the necessary instructions.
Thekeyring_hashicorp component requires a secure connection to the HashiCorp Vault server, employing the HTTPS protocol. A typical setup includes a set of certificate and key files:
company.crt: A custom CA certificate belonging to the organization. This file is used both by HashiCorp Vault server and thekeyring_hashicorpplugin.vault.key: The private key of the HashiCorp Vault server instance. This file is used by HashiCorp Vault server.vault.crt: The certificate of the HashiCorp Vault server instance. This file must be signed by the organization CA certificate.
The following instructions describe how to create the certificate and key files using OpenSSL. (If you already have those files, proceed toHashiCorp Vault Setup.) The instructions as shown apply to Linux platforms and may require adjustment for other platforms.
Certificates generated by these instructions are self-signed, which may not be very secure. After you gain experience using such files, consider obtaining certificate/key material from a registered certificate authority.
Prepare the company and HashiCorp Vault server keys.
Use the following commands to generate the key files:
openssl genrsa -aes256 -out company.key 4096openssl genrsa -aes256 -out vault.key 2048The commands produce files holding the company private key (
company.key) and the Vault server private key (vault.key). The keys are randomly generated RSA keys of 4,096 and 2,048 bits, respectively.Each command prompts for a password. For testing purposes, the password is not required. To disable it, omit the
-aes256argument.The key files hold sensitive information and should be stored in a secure location. The password (also sensitive) is required later, so write it down and store it in a secure location.
(Optional) To check key file content and validity, use the following commands:
openssl rsa -in company.key -checkopenssl rsa -in vault.key -checkCreate the company CA certificate.
Use the following command to create a company CA certificate file named
company.crtthat is valid for 365 days (enter the command on a single line):openssl req -x509 -new -nodes -key company.key -sha256 -days 365 -out company.crtIf you used the
-aes256argument to perform key encryption during key generation, you are prompted for the company key password during CA certificate creation. You are also prompted for information about the certificate holder (that is, you or your company), as shown here:Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:Answer the prompts with appropriate values.
Create a certificate signing request.
To create a HashiCorp Vault server certificate, a Certificate Signing Request (CSR) must be prepared for the newly created server key. Create a configuration file named
request.confcontaining the following lines. If the HashiCorp Vault server does not run on the local host, substitute appropriate CN and IP values, and make any other changes required.[req]distinguished_name = vaultx509_entensions = v3_reqprompt = no[vault]C = USST = CAL = RWCO = CompanyCN = 127.0.0.1[v3_req]subjectAltName = @alternativesauthorityKeyIdentifier = keyid,issuerbasicConstraints = CA:TRUE[alternatives]IP = 127.0.0.1Use this command to create the signing request:
openssl req -new -key vault.key -config request.conf -out request.csrThe output file (
request.csr) is an intermediate file that serves as input for creation of the server certificate.Create the HashiCorp Vault server certificate.
Sign the combined information from the HashiCorp Vault server key (
vault.key) and the CSR (request.csr) with the company certificate (company.crt) to create the HashiCorp Vault server certificate (vault.crt). Use the following command to do this (enter the command on a single line):openssl x509 -req -in request.csr -CA company.crt -CAkey company.key -CAcreateserial -out vault.crt -days 365 -sha256To make the
vault.crtserver certificate useful, append the contents of thecompany.crtcompany certificate to it. This is required so that the company certificate is delivered along with the server certificate in requests.cat company.crt >> vault.crtIf you display the contents of the
vault.crtfile, it should look like this:-----BEGIN CERTIFICATE-----...content of HashiCorp Vault server certificate ...-----END CERTIFICATE----------BEGIN CERTIFICATE-----...content of company certificate ...-----END CERTIFICATE-----
The following instructions describe how to create a HashiCorp Vault setup that facilitates testing thecomponent_keyring_hashicorp component.
A test setup is similar to a production setup, but production use of HashiCorp Vault entails additional security considerations such as use of non-self-signed certificates and storing the company certificate in the system trust store. You must implement whatever additional security steps are needed to satisfy your operational requirements.
These instructions assume availability of the certificate and key files created inCertificate and Key Preparation. See that section if you do not have those files.
Fetch the HashiCorp Vault binary.
Download the HashiCorp Vault binary appropriate for your platform fromhttps://www.vaultproject.io/downloads.html.
Extract the content of the archive to produce the executablevault command, which is used to perform HashiCorp Vault operations. If necessary, add the directory where you install the command to the system path.
(Optional) HashiCorp Vault supports autocomplete options that make it easier to use. For more information, seehttps://learn.hashicorp.com/vault/getting-started/install#command-completion.
Create the HashiCorp Vault server configuration file.
Prepare a configuration file named
config.hclwith the following content. For thetls_cert_file,tls_key_file, andpathvalues, substitute path names appropriate for your system.listener "tcp" { address="127.0.0.1:8200" tls_cert_file="/home/username/certificates/vault.crt" tls_key_file="/home/username/certificates/vault.key"}storage "file" { path = "/home/username/vaultstorage/storage"}ui = trueStart the HashiCorp Vault server.
To start the Vault server, use the following command, where the
-configoption specifies the path to the configuration file just created:vault server -config=config.hclDuring this step, you may be prompted for a password for the Vault server private key stored in the
vault.keyfile.The server should start, displaying some information on the console (IP, port, and so forth).
So that you can enter the remaining commands, put thevault server command in the background or open another terminal before continuing.
Initialize the HashiCorp Vault server.
NoteThe operations described in this step are required only when starting Vault the first time, to obtain the unseal key and root token. Subsequent Vault instance restarts require only unsealing using the unseal key.
Issue the following commands (assuming Bourne shell syntax):
export VAULT_SKIP_VERIFY=1vault operator init -n 1 -t 1The first command enables thevault command to temporarily ignore the fact that no company certificate has been added to the system trust store. It compensates for the fact that our self-signed CA is not added to that store. (For production use, such a certificate should be added.)
The second command creates a single unseal key with a requirement for a single unseal key to be present for unsealing. (For production use, an instance would have multiple unseal keys with up to that many keys required to be entered to unseal it. The unseal keys should be delivered to key custodians within the company. Use of a single key might be considered a security issue because that permits the vault to be unsealed by a single key custodian.)
Vault should reply with information about the unseal key and root token, plus some additional text (the actual unseal key and root token values differ from those shown here):
...Unseal Key 1: I2xwcFQc892O0Nt2pBiRNlnkHzTUrWS+JybL39BjcOE=Initial Root Token: s.vTvXeo3tPEYehfcd9WH7oUKz...Store the unseal key and root token in a secure location.
Unseal the HashiCorp Vault server.
Use this command to unseal the Vault server:
vault operator unsealWhen prompted to enter the unseal key, use the key obtained previously during Vault initialization.
Vault should produce output indicating that setup is complete and the vault is unsealed.
Log in to the HashiCorp Vault server and verify its status.
Prepare the environment variables required for logging in as root:
vault login s.vTvXeo3tPEYehfcd9WH7oUKzFor the token value in that command, substitute the content of the root token obtained previously during Vault initialization.
Verify the Vault server status:
vault statusThe output should contain these lines (among others):
...Initialized trueSealed false...Set up HashiCorp Vault authentication and storage.
NoteThe operations described in this step are needed only the first time the Vault instance is run. They need not be repeated afterward.
Enable the AppRole authentication method and verify that it is in the authentication method list:
vault auth enable approlevault auth listEnable the Vault KeyValue storage engine:
vault secrets enable -version=1 kvCreate and set up a role for use with the
keyring_hashicorpplugin (enter the command on a single line):vault write auth/approle/role/mysql token_num_uses=0 token_ttl=20m token_max_ttl=30m secret_id_num_uses=0Add an AppRole security policy.
NoteThe operations described in this step are needed only the first time the Vault instance is run. They need not be repeated afterward.
Prepare a policy that to permit the previously created role to access appropriate secrets. Create a new file named
mysql.hclwith the following content:path "kv/mysql/*" { capabilities = ["create", "read", "update", "delete", "list"]}Notekv/mysql/in this example may need adjustment per your local installation policies and security requirements. If so, make the same adjustment wherever elsekv/mysql/appears in these instructions.Import the policy file to the Vault server to create a policy named
mysql-policy, then assign the policy to the new role:vault policy write mysql-policy mysql.hclvault write auth/approle/role/mysql policies=mysql-policyObtain the ID of the newly created role and store it in a secure location:
vault read auth/approle/role/mysql/role-idGenerate a secret ID for the role and store it in a secure location:
vault write -f auth/approle/role/mysql/secret-idAfter these AppRole role ID and secret ID credentials are generated, they are expected to remain valid indefinitely. They need not be generated again and the
keyring_hashicorpplugin can be configured with them for use on an ongoing basis. For more information about AuthRole authentication, visithttps://www.vaultproject.io/docs/auth/approle.html.
When it initializes,component_keyring_hashicorp reads a component global configuration file namedcomponent_keyring_hashicorp.cnf inplugin_dir. If this file contains{"read_local_config": true}, the component ignores any other items in the global file, and instead attempts to read its configuration information from a local configuration file (also namedcomponent_keyring_hashicorp.cnf) in the MySQL data directory (datadir).
If the component does not find the global configuration file or (in cases where it looks for one) a local configuration file, it cannot start.
Thecomponent_keyring_hashicorp.cnf configuration file or files must be in valid JSON format.
Configuration items supported incomponent_keyring_hashicorp.cnf are shown in the following table:
| Configuration Item | Description | Required | Valid Values | Default | Corresponding System Variable |
|---|---|---|---|---|---|
auth_mode | Whether to use AppRole or token-based authentication. | No. | approle,token | approle | None |
auth_path | Authentication path where AppRole authentication is enabled within the HashiCorp Vault server. | No. | Valid Unix-style file system path; cannot be empty. | /v1/auth/approle/login | keyring_hashicorp_auth_path |
ca_path | Path to local file (accessible to MySQL server) containing properly formatted TLS certificate authority. | No | File system path valid for the system hosting the MySQL server. Path must be absolute. | Empty string | keyring_hashicorp_ca_path |
caching | Whether to enable in-memory key cache. If enabled,component_keyring_hashicorp populates it during initialization; only the key list is populated. | No. | ON,OFF | OFF | keyring_hashicorp_caching |
role_id | The HashiCorp Vault AppRole authentication role ID. | Yes, whenauth_mode isapprole. | Must be in valid UUID format. | Empty string | keyring_hashicorp_role_id |
secret_id | The HashiCorp Vault AppRole authentication secret ID, in UUID format. | Yes, whenauth_mode isapprole. | Must be in valid UUID format. | Empty string | keyring_hashicorp_secret_id |
server_url | URL of HashiCorp Vault server. | No. | A valid URL beginning withhttps://. | https://127.0.0.1:8200 | keyring_hashicorp_server_url |
store_path | Path within HashiCorp Vault server which is writeable when appropriate AppRole credentials are provided bycomponent_keyring_hashicorp. To specify credentials, setrole_id andsecret_id (seecomponent_keyring_hashicorp Configuration). | Yes. | Empty string | Valid Unix-style file system path; cannot be empty. | keyring_hashicorp_store_path |
token_path | Path to token file. | Yes, whenauth_mode istoken. | None | File system path valid for the system hosting the MySQL server. | None |
component_keyring_hashicorp does not support any of the system variables provided by thekeyring_hashicorp plugin; the latter are shown in the last column of the preceding table to help with migrating from the plugin to the component. SeeMigration from HashiCorp Vault Plugin, for more information.
To be usable during the server startup process,component_keyring_hashicorp must be loaded using a manifest filemysqld.my (seeSection 8.4.5.2, “Keyring Component Installation”). This file should contain the following item:
{ "components": "file://component_keyring_hashicorp"} Amysqld.my or other manifest file may contain references to multiple components; for simplicity, we show here only the item loading the HashiCorp Keyring component.
The contents of a samplecomponent_keyring_hashicorp.cnf file using AppRole authentication are shown here:
{ "server_url" : "https://my.vault.server.fqdn:8200", "role_id" : "12345678-abcd-bcde-cdef-12345678abcd", "secret_id" : "12345678-abcd-bcde-cdef-12345678abcd", "store_path" : "/v1/kv/mysql", "auth_path" : "/v1/auth/approle/login", "ca_path" : "/export/home/hashicorp/vault.crt", "caching" : "ON"}This example shows a sample configuration file for a setup using token-based authentication:
{ "server_url" : "https://my.vault.server.fqdn:8200", "store_path" : "/v1/kv/mysql", "auth_path" : "/v1/auth/approle/login", "ca_path" : "/export/home/hashicorp/vault.crt", "caching" : "ON", "auth_mode" : "token", "token_path" : "/export/home/hashicorp/token.txt"} All HashiCorp API routes are prefixed with a protocol version (which you can see in the preceding example as/v1/). If HashiCorp develops new protocol versions, it may be necessary to change/v1/ to something else in your configuration.
MySQL Server authenticates against HashiCorp Vault using AppRole authentication. Successful authentication requires that two secrets be provided to Vault, a role ID and a secret ID, which are similar in concept to user name and password. The role ID and secret ID values to use are those obtained during the HashiCorp Vault setup procedure performed previously. To specify the two IDs, assign their respective values torole_id andsecret_id. The setup procedure also results in the store path/v1/kv/mysql, which is used forstore_path incomponent_keyring_hashicorp.cnf.
To migrate from the HashiCorp Vault keyring plugin to the HashiCorp Vault keyring component, it is necessary to set up loading of the component, create a component configuration equivalent to that used by the plugin, stop loading of the plugin, and remove any references to the plugin or its associated system variables from all configuration files. You can accomplish these tasks by performing the steps shown here:
Create or modify a local or global manifest file
mysqld.my(seeSection 8.4.5.2, “Keyring Component Installation”). The content of the file must include (completely) thecomponentsitem shown here:{ "components": "file://component_keyring_hashicorp"}Obtain the values of any of the following startup options that you find in the MySQL server's
my.conffile:NoteMySQL Components are not compatible with
--early-plugin-load, so this value is not needed bycomponent_keyring_hashicorp.A portion of such a configuration file is shown here:
[mysqld]early-plugin-load=keyring_hashicorp.sokeyring_hashicorp_role_id='ee3b495c-d0c9-11e9-8881-8444c71c32aa'keyring_hashicorp_secret_id='0512af29-d0ca-11e9-95ee-0010e00dd718'keyring_hashicorp_store_path='/v1/kv/mysql'keyring_hashicorp_auth_path='/v1/auth/approle/login'keyring_hashicorp_ca_path='/export/home/hashicorp/vault.crt'keyring_hashicorp_caching='ON'Write a component configuration file
component_keyring_hashicorp.cnf(seecomponent_keyring_hashicorp Configuration) which sets each of the configuration items to the value obtained in the previous step for its equivalent system variable, as shown here:{ "server_url" : "https://my.vault.server.fqdn:8200", "role_id" : "ee3b495c-d0c9-11e9-8881-8444c71c32aa", "secret_id" : "0512af29-d0ca-11e9-95ee-0010e00dd718", "store_path" : "/v1/kv/mysql", "auth_path" : "/v1/auth/approle/login", "ca_path" : "/export/home/hashicorp/vault.crt", "caching" : "ON"}Perform any migration of keys that might be required. SeeSection 8.4.5.13, “Migrating Keys Between Keyring Keystores”, for more information.
Uninstall the plugin using
UNINSTALL PLUGIN. SeeUninstalling Plugins.Remove any references to the plugin in
my.cnfand any other MySQL configuration files. Be sure to remove the line shown here:early-plugin-load=keyring_hashicorp.soIn addition, you should remove references to any variables specific to the HashiCorp keyring plugin (equivalent options listed previously). Variables which have been persisted (saved to
mysqld-auto.cnf) must be removed from the server's configuration usingRESET PERSIST.Restartmysqld to cause the changes to take effect.
PDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb