Sunday, December 14, 2025

SSL/TLS Support in Percona Toolkit


In today’s interconnected world, data security is paramount. Protecting sensitive information transmitted between applications and databases is crucial, and SSL/TLS (Secure Sockets Layer/Transport Layer Security) plays a vital role in achieving this. Percona Toolkit, a collection of command-line tools for MySQL, MongoDB, and other databases, has long been a go-to resource for database administrators. In this blog post, we’ll explore how Percona Toolkit’s Perl tools, which work with MySQL, use SSL/TLS to ensure secure database operations.

SSL/TLS provides an encrypted channel for communication, preventing eavesdropping, tampering, and message forgery. For database operations, where sensitive customer data, financial records, or intellectual property often reside, enabling SSL/TLS is not just a best practice; it is a necessity.

Starting from version 8.0, MySQL not only supports SSL but also makes caching_sha2_password the default authentication plugin. This authentication method requires a secure connection between the server and the client, or an unencrypted connection that supports password exchange using an RSA key pair.

Percona Toolkit uses the Perl programming language and the DBD::mysql driver in most of its tools that work with MySQL.

The DBD::mysql driver implements a DSN (data source name) to connect to a MySQL database. This implementation has many options, including SSL/TLS support.

Percona Toolkit also connects to databases using a DSN and implements its own DSN syntax. A Percona Toolkit DSN is not the same as a DBD::mysql DSN. When you specify a DSN as an argument to a Percona Toolkit utility, the utility parses it and creates a new DSN that DBD::mysql recognizes.

Percona Toolkit’s DSN did not have SSL/TLS support until version 3.7.0.

Both Percona Toolkit and DBD::mysql support configuration files. However, DBD::mysql requires the option mysql_ssl=1, which is not a standard MySQL client option. It also does not support the standard client option ssl_mode. As a result, we cannot enable SSL support using configuration files.

To resolve this issue, in version 3.7.0, we added a new DSN option, s, that passes the option mysql_ssl to DBD::mysql and enables an SSL/TLS connection. We also added the command-line option --mysql_ssl and its short form -s to enable SSL/TLS even if you don’t specify a DSN when connecting to MySQL.

For example, to use pt-archiver with SSL/TLS, connect to the database using this command:

Or, if you prefer long options:

All other SSL/TLS-related options, such as ssl-ca, ssl-cert, ssl-cipher, and others, can be specified in the configuration file if necessary. We intentionally did not implement separate DSN options for them to avoid making Percona Toolkit’s DSN too complicated. If you need them in the DSN, please file a request at https://jira.percona.com/projects/PT.
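
The DSN translation described above, sketched in Perl as an added example; it is not code from the original post or from Percona Toolkit. The s to mysql_ssl mapping is the one the article describes, the remaining key mappings follow the toolkit's DSN keys and DBD::mysql's DSN attributes, and the host, user and configuration file path (where ssl-ca, ssl-cert and similar options would be set) are constructed placeholders.

```perl
#!/usr/bin/env perl
# Added illustration, not Percona Toolkit's own parser: a simplified
# translation of a toolkit-style DSN into a DBD::mysql DSN string.
use strict;
use warnings;

# Toolkit DSN key => DBD::mysql DSN attribute. The 's' => mysql_ssl pair is
# the mapping the article describes; this sketch ignores escaped commas.
my %PT_TO_DBD = (
    h => 'host',
    P => 'port',
    S => 'mysql_socket',
    F => 'mysql_read_default_file',
    s => 'mysql_ssl',
);

# Split "k=v,k=v" into a hash, rejecting malformed parts.
sub parse_pt_dsn {
    my ($dsn) = @_;
    my %parts;
    for my $pair (split /,/, $dsn) {
        my ($key, $value) = split /=/, $pair, 2;
        die "Malformed DSN part '$pair'\n"
            unless defined $key && length $key && defined $value;
        $parts{$key} = $value;
    }
    return \%parts;
}

# Build the string handed to DBI->connect; u and p are passed separately.
sub to_dbd_dsn {
    my ($parts) = @_;
    my @attrs = map  { $PT_TO_DBD{$_} . '=' . $parts->{$_} }
                grep { defined $parts->{$_} } qw(F h P S s);
    return join ';', 'DBI:mysql:' . ($parts->{D} // ''), @attrs;
}

# Constructed sample DSN: host, user and file path are placeholders.
my $pt_dsn = 'h=db1.example.test,P=3306,D=test,u=archiver,F=/etc/pt/client.cnf,s=1';
my $parts  = parse_pt_dsn($pt_dsn);

# Catch a DSN that does not request TLS before any connection is attempted.
die "TLS not requested: add s=1 to the DSN\n"
    unless ($parts->{s} // '') eq '1';

print to_dbd_dsn($parts), "\n";
```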

This solution complicates work with tools such as pt-online-schema-change, pt-table-checksum, and pt-table-sync, which connect not only to a single server but to all servers in the replication chain. In this case, if the servers in the chain do not all share the same client key and certificate, and you want to provide paths to them, you should connect to the source server and use the option --recursion-method=dsn, where you specify the configuration for each of the servers. Otherwise, the tool will use the same configuration file as specified in the first DSN for the initial connection.

This work was part of the preparation for Percona Toolkit to work with MySQL 8.4 and was finalized as a fix for https://jira.percona.com/browse/PT-191 in the upcoming version 3.7.1.

Enabling SSL/TLS support in Percona Toolkit is a significant step towards bolstering database security. With the introduction of the new DSN option ‘s’ in version 3.7.0 and the option --mysql_ssl in version 3.7.1, Percona Toolkit now seamlessly integrates with secure MySQL connections, addressing the evolving security landscape and the default caching_sha2_password plugin in MySQL 8.0+. While other SSL/TLS options are managed via configuration files to maintain DSN simplicity, users working with replication chains should be mindful of --recursion-method=dsn for server-specific key and certificate paths. This enhancement, finalized in version 3.7.1 as a fix for PT-191, ensures that Percona Toolkit remains a robust and secure solution for database administrators in an increasingly interconnected and security-conscious world.
