replication-manager provides password obfuscation by implementing AES encryption.
An encryption key must be generated by running replication-manager keygen as root. This ensures that no unprivileged user can read the contents of the encryption key.
With the key now generated, you can create encrypted passwords using replication-manager password. Example:

# replication-manager password secretpass
Encrypted password hash: 50711adb2ef2a959577edbda5cbe3d2ace844e750b20629a9bcb

You can now replace your password in the configuration file using this encrypted hash:
user = "root:50711adb2ef2a959577edbda5cbe3d2ace844e750b20629a9bcb"
When an encryption key is detected at replication-manager monitor start, the encrypted passwords will be automatically decrypted by the application. There is no further configuration change required.
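
A quick audit of the two points above (key readable only by its owner, no plaintext password left in the configuration), as an added example that is not part of replication-manager. The function names, the script name audit.sh and the "32 or more hex digits" heuristic are assumptions; supply the key and configuration paths of your own installation.

```shell
#!/bin/sh
# Added example, not part of replication-manager. The function names and the
# "32+ hex digits" heuristic are assumptions; pass your own key/config paths.

# key_is_private FILE: succeed only if FILE exists and grants no permission
# bit to group or others, i.e. unprivileged users cannot read the key.
key_is_private() {
    [ -f "$1" ] || return 2
    for bit in 040 020 010 004 002 001; do
        # POSIX find: "-perm -MODE" matches when every bit in MODE is set
        if [ -n "$(find "$1" -prune -perm -"$bit")" ]; then
            return 1
        fi
    done
    return 0
}

# plaintext_credentials FILE [KEY]: print "lineno:login" for each
# KEY = "login:secret" entry whose secret does not look like the output of
# the password subcommand (heuristic: lowercase hex, 32+ digits).
plaintext_credentials() {
    awk -v key="${2:-user}" '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            gsub(/^[ \t]*"|"[ \t]*$/, "", v)     # strip quotes and padding
            colon = index(v, ":")
            if (colon == 0) next
            secret = substr(v, colon + 1)
            if (secret !~ /^[0-9a-f]+$/ || length(secret) < 32)
                print NR ":" substr(v, 1, colon - 1)  # never echo the secret
        }' "$1"
}

# Constructed sample config (not a real deployment): sh audit.sh demo
if [ "${1:-}" = demo ]; then
    cfg=$(mktemp)
    printf '%s\n' 'user = "root:50711adb2ef2a959577edbda5cbe3d2ace844e750b20629a9bcb"' \
        'user = "repl:secretpass"' > "$cfg"
    plaintext_credentials "$cfg"
    rm -f "$cfg"
fi
```

An empty result from plaintext_credentials means every matching entry already carries an encrypted value; the check is a heuristic and does not prove the value decrypts with the current key.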
replication-manager-cli clients and the API use JWT over HTTPS (TLS).
The REST API is secured with an encrypted token that is used to validate the user:password credential of the API. By default the client uses the same default password and so accesses the API without asking for a password, but if the api-credential setting is changed, all clients will prompt for the password unless they are given the correct parameter.
|Description||Rest API credential in [user]:[password] format|
At monitor startup, X.509 certificates are loaded from the replication-manager share directory to secure HTTPS (TLS) communication.
Replace these files with your own certificate to make sure your deployment is truly secured.

# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048

# Key considerations for algorithm "ECDSA" ≥ secp384r1
# List the supported ECDSA curves (openssl ecparam -list_curves)
openssl ecparam -genkey -name secp384r1 -out server.key

# Create the self-signed certificate from the key generated above
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

At startup, replication-manager monitor also generates an extra self-signed RSA certificate in memory, which is used for the encrypted JWT token exchange.
|Description||Path to the database connection TLS authority certificate.|
|Description||Path to the database connection TLS client certificate.|
|Description||Database TLS client key.|
|Description||Replication is created using SSL encryption to replicate from master.|
Replication-Manager does not set MASTER_SSL_CA, MASTER_SSL_CERT or MASTER_SSL_KEY in the CHANGE MASTER command; instead it relies on MySQL or MariaDB already being set up for replication over SSL. With this flag, replication-manager just adds MASTER_SSL=1 to the replication command.

[client]
ssl-ca=cacert.pem
ssl-cert=client-cert.pem
ssl-key=client-key.pem

[mysqld]
ssl-ca=cacert.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem