Configuration File Security

replication-manager provides password obfuscating security by implementing AES encryption.

An encryption key must be generated by running replication-manager keygen as root. This ensures that no unprivileged user can read the contents of the encryption key.

With the key now generated, you can create encrypted passwords using replication-manager password. Example:

# replication-manager password secretpass
Encrypted password hash: 50711adb2ef2a959577edbda5cbe3d2ace844e750b20629a9bcb

You can now replace your password in the configuration file using this encrypted hash:

user = "root:50711adb2ef2a959577edbda5cbe3d2ace844e750b20629a9bcb"

When an encryption key is detected at replication-manager monitor start, the encrypted passwords will be automatically decrypted by the application. There is no further configuration change required.

API Security Configuration

replications-manager-cli clients and API use JWT TLS protocol over https.

The REST API is secured using encrypted token that is used to validate user:password credential of the API, the client will use same default password and so enter the API without asking a password but if the configuration api-credential is changed, all client will prompt for the password unless given the correct parameter user and password flags.

api-credential (2.0), user (1.1)
Item Value
Description Rest API credential in [user]:[password] format
Type string
Default Value "admin:repman"

At startup of the monitor some x509 certificates are loaded from the replication-manager share directory to ensure TLS https secure communication.

Replace the files with your own certificate to make sure your deployment is truly secured.

`monitoring-ssl-cert (2.1)
Item Value
Description HTTPS & API TLS certificate
Type string
Default Value ""
`monitoring-ssl-key (2.1)
Item Value
Description HTTPS & API TLS key
Type string
Default Value ""
# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048

# Key considerations for algorithm "ECDSA" ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

In addition at startup replication-manager monitor will generate in memory extra self signed RSA certificate to ensure token encryption exchange for JWT

Database Security Configuration

db-servers-tls-ca-cert (2.0)
Item Value
Description Path to the database connection TLS authority certificate.
Type string
Default Value ""
db-servers-tls-client-cert (2.0)
Item Value
Description Path to the database connection TLS client certificate.
Type string
Default Value ""
db-servers-tls-client-key (2.0)
Item Value
Description Database TLS client key.
Type string
Default Value ""
replication-use-ssl (1.0)
Item Value
Description Replication is created using SSL encryption to replicate from master.
Type boolean
Default Value false

Replication-Manager does not set MASTER_SSL_CA , MASTER_SSL_CERT , MASTER_SSL_KEY in CHANGE MASTER command, instead it relies on MySQL MariaDB to get setup for the replication to be using SSL. with this flag replication just add MASTER_SSL=1 to the replication command.