Configure secured MySQL connections with SnapCenter Server

Contributors netapp-soumikd netapp-asubhas Download PDF of this page

You can generate Secure Sockets Layer (SSL) certificates and key files if you want to secure the communication between SnapCenter Server and MySQL Server in standalone configurations or Network Load Balancing (NLB) configurations.

Configure secured MySQL connections for standalone SnapCenter Server configurations

You can generate Secure Sockets Layer (SSL) certificates and key files, if you want to secure the communication between SnapCenter Server and MySQL Server. You must configure the certificates and key files in the MySQL Server and SnapCenter Server.

The following certificates are generated:

  • CA certificate

  • Server public certificate and private key file

  • Client public certificate and private key file

Steps

  1. Set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

    Note The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

    Best Practice: You should use the server fully qualified domain name (FQDN) as the common name for the server certificate.

  2. Copy the SSL certificates and key files to the MySQL Data folder.

    The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.

  3. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).

    The default MySQL server configuration file (my.ini) path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\my.ini.

    Note You must specify the CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

    You must specify the CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

    The following example shows the certificates and key files copied to the [mysqld] section of the my.ini file in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

    The following example shows the paths updated in the [client] section of the my.ini file.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  4. Stop the SnapCenter Server web application in the Internet Information Server (IIS).

  5. Restart the MySQL service.

  6. Update the value of the MySQLProtocol key in the web.config file.

    The following example shows the value of the MySQLProtocol key updated in the web.config file.

    <add key="MySQLProtocol" value="SSL" />
  7. Update the web.config file with the paths that were provided in the [client] section of the my.ini file.

    The following example shows the paths updated in the [client] section of the my.ini file.

    <add key="ssl-client-cert" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem" />
    <add key="ssl-client-key" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem" />
    <add key="ssl-ca" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem" />
  8. Start the SnapCenter Server web application in the IIS.

Configure secured MySQL connections for HA configurations

You can generate Secure Sockets Layer (SSL) certificates and key files for both the High Availability (HA) nodes if you want to secure the communication between SnapCenter Server and MySQL servers. You must configure the certificates and key files in the MySQL servers and on the HA nodes.

The following certificates are generated:

  • CA certificate

    A CA certificate is generated on one of the HA nodes, and this CA certificate is copied to the other HA node.

  • Server public certificate and server private key files for both the HA nodes

  • Client public certificate and client private key files for both the HA nodes

Steps

  1. For the first HA node, set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

    Note The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

    Best Practice: You should use the server fully qualified domain name (FQDN) as the common name for the server certificate.

  2. Copy the SSL certificates and key files to the MySQL Data folder.

    The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.

  3. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).

    The default MySQL server configuration file (my.ini) path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\my.ini.

    Note You must specify CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

    You must specify CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

    The following example shows the certificates and key files copied to the [mysqld] section of the my.ini file in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

    The following example shows the paths updated in the [client] section of the my.ini file.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  4. For the second HA node, copy the CA certificate and generate server public certificate, server private key files, client public certificate, and client private key files. perform the following steps:

    1. Copy the CA certificate generated on the first HA node to the MySQL Data folder of the second NLB node.

      The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.

      Note You must not create a CA certificate again. You should create only the server public certificate, client public certificate, server private key file, and client private key file.
    2. For the first HA node, set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

      Note The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

      It is recommended to use the server FQDN as the common name for the server certificate.

    3. Copy the SSL certificates and key files to the MySQL Data folder.

    4. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).

      Note You must specify the CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

      You must specify the CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

      The following example shows the certificates and key files copied to the [mysqld] section of the my.ini file in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.

      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

      The following example shows the paths updated in the [client] section of the my.ini file.

      ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
      ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
      ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"
  5. Stop the SnapCenter Server web application in the Internet Information Server (IIS) on both the HA nodes.

  6. Restart the MySQL service on both the HA nodes.

  7. Update the value of the MySQLProtocol key in the web.config file for both the HA nodes.

    The following example shows the value of MySQLProtocol key updated in the web.config file.

    <add key="MySQLProtocol" value="SSL" />
  8. Update the web.config file with the paths that you specified in the [client] section of the my.ini file for both the HA nodes.

    The following example shows the paths updated in the [client] section of the my.ini files.

    <add key="ssl-client-cert" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem" />
    <add key="ssl-client-key" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem" />
    <add key="ssl-ca" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem" />
  9. Start the SnapCenter Server web application in the IIS on both the HA nodes.

  10. Use the Set-SmRepositoryConfig -RebuildSlave -Force PowerShell cmdlet with the -Force option on one of the HA nodes to establish secured MySQL replication on both the HA nodes.

    Even if the replication status is healthy, the -Force option allows you to rebuild the slave repository.