Configuring secured MySQL connections for NLB configurations

You can generate Secure Sockets Layer (SSL) certificates and key files for both the Network Load Balancing (NLB) nodes if you want to secure the communication between SnapCenter Server and MySQL servers. You must configure the certificates and key files in the MySQL servers and on the NLB nodes.

Before you begin

SnapCenter Server must be installed.

About this task

The following certificates are generated:

Steps

  1. For the first NLB node, set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

    MySQL Version 5.7: Creating SSL Certificates and Keys Using openssl

    Note: The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.
    Best Practice: You should use the server fully qualified domain name (FQDN) as the common name for the server certificate.
    1. Copy the SSL certificates and key files to the MySQL Data folder.
      The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.
    2. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).
      The default MySQL server configuration file (my.ini) path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\my.ini.
      Note: You must specify CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

      You must specify CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

      Example
      The following example shows the certificate and key file paths updated in the [mysqld] section of the my.ini file. The files are in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.
      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

      The following example shows the paths updated in the [client] section of the my.ini file.

      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  2. For the second NLB node, copy the CA certificate and generate the server public certificate, server private key files, client public certificate, and client private key files. Perform the following steps:
    1. Copy the CA certificate generated on the first NLB node to the MySQL Data folder of the second NLB node.
      The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.
      Note: You must not create a CA certificate again. You should create only the server public certificate, client public certificate, server private key file, and client private key file.
    2. For the second NLB node, set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

      MySQL Version 5.7: Creating SSL Certificates and Keys Using openssl

      Note: The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

      It is recommended to use the server FQDN as the common name for the server certificate.

    3. Copy the SSL certificates and key files to the MySQL Data folder.
    4. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).
      Note: You must specify the CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

      You must specify the CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

      Example
      The following example shows the certificate and key file paths updated in the [mysqld] section of the my.ini file. The files are in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.
      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

      The following example shows the paths updated in the [client] section of the my.ini file.

      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  3. Stop the SnapCenter Server web application in the Internet Information Server (IIS) on both the NLB nodes.
  4. Restart the MySQL service on both the NLB nodes.
  5. Update the value of the MySQLProtocol key in the web.config file for both the NLB nodes.
    Example
    The following example shows the value of MySQLProtocol key updated in the web.config file.
    <add key="MySQLProtocol" value="SSL" />
  6. Update the web.config file with the paths that you specified in the [client] section of the my.ini file for both the NLB nodes.
    Example

    The following example shows the paths from the [client] section of the my.ini file updated in the web.config file.

    <add key="ssl-client-cert" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem" />
    <add key="ssl-client-key" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem" />
    <add key="ssl-ca" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem" />
  7. Start the SnapCenter Server web application in the IIS on both the NLB nodes.
  8. Run the Set-SmRepositoryConfig -RebuildSlave -Force PowerShell cmdlet on one of the NLB nodes to establish secured MySQL replication on both the NLB nodes.
    Even if the replication status is healthy, the -Force option allows you to rebuild the slave repository.
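
A consistency check for one NLB node, covering the my.ini and web.config settings from the steps above. This is an added example, not NetApp or SnapCenter code. The function names (norm, audit_node) and the sample file contents are assumptions constructed from the examples on this page.

```python
import configparser
import xml.etree.ElementTree as ET
# Constructed sample files modelled on the examples above (not real configuration).
DATA = "C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data"
SAMPLE_MY_INI = f'''
[mysqld]
ssl-ca="{DATA}/ca.pem"
ssl-cert="{DATA}/server-cert.pem"
ssl-key="{DATA}/server-key.pem"
[client]
ssl-ca="{DATA}/ca.pem"
ssl-cert="{DATA}/client-cert.pem"
ssl-key="{DATA}/client-key.pem"
'''
SAMPLE_WEB_CONFIG = f'''<configuration><appSettings>
<add key="MySQLProtocol" value="SSL" />
<add key="ssl-client-cert" value="{DATA}/client-cert.pem" />
<add key="ssl-client-key" value="{DATA}/client-key.pem" />
<add key="ssl-ca" value="{DATA}/ca.pem" />
</appSettings></configuration>'''
# web.config key -> my.ini [client] option whose path it must repeat (step 6).
WEB_TO_CLIENT = {"ssl-ca": "ssl-ca", "ssl-client-cert": "ssl-cert", "ssl-client-key": "ssl-key"}
def norm(path):
    """Strip quotes and compare Windows paths case-insensitively with forward slashes."""
    return (path or "").strip().strip('"').replace("\\", "/").lower()

def audit_node(my_ini_text, web_config_text):
    """Hypothetical helper: return findings; an empty list means the node is consistent."""
    # allow_no_value: MySQL option files may contain options without a value.
    ini = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    ini.read_string(my_ini_text)
    findings, paths = [], {}
    for section in ("mysqld", "client"):
        for opt in ("ssl-ca", "ssl-cert", "ssl-key"):
            paths[section, opt] = norm(ini.get(section, opt, fallback=""))
            if not paths[section, opt]:
                findings.append(f"[{section}] {opt} is not set")
    if paths["mysqld", "ssl-ca"] != paths["client", "ssl-ca"]:
        findings.append("[mysqld] and [client] use different CA certificates")
    for opt in ("ssl-cert", "ssl-key"):
        # [client] must reference the client pair, never the server certificate or key.
        if paths["client", opt] and paths["client", opt] == paths["mysqld", opt]:
            findings.append(f"[client] {opt} points at the server file")
    settings = {a.get("key"): a.get("value") for a in ET.fromstring(web_config_text).iter("add")}
    if (settings.get("MySQLProtocol") or "").upper() != "SSL":
        findings.append("web.config MySQLProtocol is not SSL")
    for web_key, opt in WEB_TO_CLIENT.items():
        if norm(settings.get(web_key)) != paths["client", opt]:
            findings.append(f"web.config {web_key} does not match [client] {opt}")
    return findings
```

Run audit_node on the contents of my.ini and web.config from each NLB node after step 6 and before restarting the web application.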