SSL encryption is clearly one of the must-haves for database deployments. It is required by all security standards and even if your organization does not have to comply with PCI DSS, HIPPA or other similar standards, you probably still want to have your traffic secured properly.
ClusterControl provides you with options to manage SSL on the clusters it manages.
On the screen above we can see that SSL encryption is enabled for both frontend connections and intra-cluster connections in the MariaDB Galera Cluster. Nowadays, due to the SSL being the de facto standard, modern versions of the databases come with self-signed, ready certificates and SSL enabled. This is great if you would like to ensure that your traffic is secured. On the other hand, if you would like to add another layer of security, you may want to use your own certificates, ensuring that only nodes that you set up can attempt to connect to the database. ClusterControl has you covered and in this blog post we will take a look at the SSL certificate management options that are available.
First of all, if you want to rotate SSL certificates, you can easily do it from ClusterControl. Just click on the “Change Certificate” and you will be presented with two options:
You can create a new, self-signed certificate or you can use existing certificates that you have already imported or created. If you’ll go with the creation of a new certificate, you will be asked couple of questions:
You should decide on the certificate expiration date and answer if you want the new certificate to be applied immediately or not. Applying it requires a rolling restart of the Galera Cluster.
Alternatively, you can go to the Key Management section of ClusterControl, where you can manage SSL certificates.
As you can see, there is a list of certificates in use by the Galera Cluster. You can also generate or import new certificates.
It can be done in a couple of ways. Let’s start with creating a CA and key. This step is not required, you can as well create a self-signed certificate.
After CA is created, we can create the server and client certificates.
Once that is completed, you will see the certificates appear on the list on the left. Such certificates can be used later.
If you have existing certificates, self-signed or not, you can as well import them into ClusterControl and use them with the SSL management that is available.
Let’s say we have a new certificate, either created or imported, and we want to use it for SSL encryption of the traffic between Galera nodes. All you need to do is to click on the “Change Certificate”.
As a next step, you should pick that you will be using an existing certificate.
Finally, you can pick the certificate from the list. That’s pretty much it. Click on the Save Changes button and ClusterControl will start the process of changing the certificate. Please keep in mind that all changes in the SSL certificate settings will require nodes to be restarted.
After some time the job is completed and we can verify that the certificate is indeed in use:
As you can see, SSL certificate management in ClusterControl is quite easy and straightforward. It allows you to use your own certificates as well as generating new ones. All of that makes it easy to ensure that your data is properly encrypted in transit.