Securing MariaDB Galera Cluster using SSL

In MariaDB Galera cluster, the data (writeset) is replicated across all the nodes over network. This data traffic can be secured by enabling SSL connection between the nodes. In order to achieve this, one needs to have SSL certificate/key pair (Here’s how to generate one). The certificate and key can then be copied to all the nodes. Once done, instruct the nodes to establish SSL connection on startup by simply pointing to the certificate/key files using wsrep_provider_options system variable.

wsrep_provider_options='socket.ssl_cert=/tmp/cert.pem;socket.ssl_key=/tmp/key.pem'

Following is the list of SSL options that Galera supports (details : Galera parameters:

  • socket.ssl : Enable/disable SSL, explicitly
  • socket.ssl_ca : SSL CA file
  • socket.ssl_cert : SSL certificate file
  • socket.ssl_cipher : SSL cipher list
  • socket.ssl_compression : Enable/disable SSL compression
  • socket.ssl_key : SSL key file
  • socket.ssl_password_file : SSL password file, in case the key is encrypted

At the time of writing, there is no way to check if galera connection is encrypted using SQL (issue#165). The only way is to look into the node’s error log for the following :

150516 14:22:03 [Note] WSREP: SSL handshake successful, remote endpoint ssl://127.0.0.1:46661 local endpoint ssl://127.0.0.1:4000 cipher: AES128-SHA compression: 
150516 14:22:03 [Note] WSREP: (6f49f928, 'ssl://0.0.0.0:4000') turning message relay requesting on, nonlive peers: 
150516 14:22:03 [Note] WSREP: declaring 73263ae6 at ssl://127.0.0.1:4010 stable

Lastly, it is important to note that SST (snapshot state transfer) traffic is not affected, whatsoever, by the use of galera SSL options.

Generating self-signed SSL certificate/key pair

Here, I present a simple command to generate a self signed SSL certificate/key pair that can be used to secure the communication channel between communicating parties.

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days `echo "365 * 2" | bc` -nodes
Generating a 2048 bit RSA private key
.....................................+++
.....................................+++
unable to write 'random state'
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

$ ls
cert.pem  key.pem

$ $ date
Mon May 11 15:18:24 EDT 2015

$ openssl x509 -noout -startdate -enddate -in cert.pem
notBefore=May 11 19:12:03 2015 GMT
notAfter=May 10 19:12:03 2017 GMT

Note: -nodes switch skips encryption of the key.