Securing MariaDB Galera Cluster using SSL

In MariaDB Galera cluster, the data (writeset) is replicated across all the nodes over network. This data traffic can be secured by enabling SSL connection between the nodes. In order to achieve this, one needs to have SSL certificate/key pair (Here’s how to generate one). The certificate and key can then be copied to all the nodes. Once done, instruct the nodes to establish SSL connection on startup by simply pointing to the certificate/key files using wsrep_provider_options system variable.

wsrep_provider_options='socket.ssl_cert=/tmp/cert.pem;socket.ssl_key=/tmp/key.pem'

Following is the list of SSL options that Galera supports (details : Galera parameters:

  • socket.ssl : Enable/disable SSL, explicitly
  • socket.ssl_ca : SSL CA file
  • socket.ssl_cert : SSL certificate file
  • socket.ssl_cipher : SSL cipher list
  • socket.ssl_compression : Enable/disable SSL compression
  • socket.ssl_key : SSL key file
  • socket.ssl_password_file : SSL password file, in case the key is encrypted

At the time of writing, there is no way to check if galera connection is encrypted using SQL (issue#165). The only way is to look into the node’s error log for the following :

150516 14:22:03 [Note] WSREP: SSL handshake successful, remote endpoint ssl://127.0.0.1:46661 local endpoint ssl://127.0.0.1:4000 cipher: AES128-SHA compression: 
150516 14:22:03 [Note] WSREP: (6f49f928, 'ssl://0.0.0.0:4000') turning message relay requesting on, nonlive peers: 
150516 14:22:03 [Note] WSREP: declaring 73263ae6 at ssl://127.0.0.1:4010 stable

Lastly, it is important to note that SST (snapshot state transfer) traffic is not affected, whatsoever, by the use of galera SSL options.

Leave a Reply

Your email address will not be published. Required fields are marked *