Wednesday, 19 May 2010

Setting up SSL for MySQL server

I needed to set up SSL for MySQL on RHEL because the remote backup solution I chose, MySQL-zrm requires secure connections.


Most of the information about creating self-signed certificates and keys is here on this page. You can use the script in example 2, but I discovered a couple of things:


First, the script creates both server and client certs and keys. You only need to do one or the other, not both, to have secure connections. The advantage of client certs and keys is that you can use them in GRANT statements. I chose to have only server certs and keys. So I truncated the script after the commands related to the server.


Secondly, you might want add the option -days N, where N is the number of days of validity, to the openssl req and ca commands, to suit your needs.


Finally, you need to edit the source argument in the cp command to the actual location of the template openssl.cnf on your system. For my RHEL system, it is /etc/pki/tls/openssl.cnf. For RHEL 6, you also need to edit the replace command because the CA directory in openssl.cnf has changed from ./demoCA to /etc/pki/CA.


Put the script in a directory say /etc/mysql, and run it from the directory with ./mkcert.sh. It will create a subdirectory openssl for the results. You will be prompted twice for cert attributes, once for the CA and once for the server cert.


When you have finished, add these lines to /etc/my.cnf in the mysqld section:

ssl-ca=/etc/mysql/openssl/ca-cert.pem
ssl-cert=/etc/mysql/openssl/server-cert.pem
ssl-key=/etc/mysql/openssl/server-key.pem


You should chown, chmod and chcon (SELinux) the contents of /etc/mysql for security. I did:

chown -R mysql:mysql /etc/mysql
chmod -R g-w,o= /etc/mysql
chcon -R -u system_u -r object_r -t mysqld_etc_t /etc/mysql

Then restart the mysql service and look in /var/log/mysqld.log for any errors re the certs. If no errors,  you can check if SSL is available with mysql:

mysql> show variables like '%ssl%';

Answer for have_ssl should be YES. If not, check the file paths.


If you need to start all over, it suffices to delete the directory /etc/mysql/openssl.


Friday, 7 May 2010

Lubuntu: promising start but needs work

This review is far in the past so out of date as Lubuntu has advanced a lot, but I'm leaving it here for posterity.

Lubuntu has joined the *buntu stable of distros and is supposed to be able to use lower spec machines. I have experience with other LXDE based distros like Mint-LXDE and openSUSE-LXDE, and Crunchbang, which isn't actually LXDE but uses openbox. That last I've found quite good on low-memory netbooks. I decided to give Lubuntu a go.

My test hardware was a 400MHz Celeron with 256MB RAM, 6GB hard disk and a 1024x768 screen. I burned a CD-RW and booted with it. It brings up the familiar splash screen and a language chooser on top of it. I picked Install to hard disk right away since I wanted to see what it was like booting for real from a hard disk. First problem, various text error messages to the screen. Second problem, this one serious, it took ages reading the CD to start up a live GUI session with an icon to do the install. That's kind of self-defeating. If you have a low-resource machine, you don't want the user grow much older waiting for the installer to start. Why not go straight into a minimal X installer? The live installer went through the standard 7-step Ubuntu setup rather sluggishly but finished fine. On rebooting from the hard disk it came up with an openbox desktop which worked ok, considering the speed of the CPU. I note that Chromium is the promoted browser. RAM footprint wasn't too bad, free showed something like 128MB actually used.

Overall it feels like it was rushed out to take advantage of 10.04 LTS release publicity. Note, Lubuntu 10.04 is not a LTS release. So a pass for Lubuntu 10.04 from me, but "can do better" next term.