Securing Communications in Galera Cluster

By default, Galera Cluster replicates data between nodes without encrypting it. This is generally acceptable when the cluster nodes run on the same host, or in networks where security is guaranteed through other means. However, when the cluster nodes are on separate networks, or in a high-risk network, the lack of encryption introduces real risk: a malicious actor could eavesdrop on the replication traffic, or obtain a complete copy of the data by triggering an SST.

To mitigate this, Galera Cluster allows you to encrypt data in transit as it is replicated between cluster nodes, using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Sockets Layer (SSL), but strictly speaking SSL is a predecessor of TLS, and that version of the protocol is now considered insecure. The documentation still uses the term SSL frequently, and for compatibility reasons the TLS-related server system and status variables still use the ssl_ prefix, but internally MariaDB only supports its secure successors.

In order to secure connections between the cluster nodes, you need to ensure that all servers were compiled with TLS support. See Secure Connections Overview to find out how to check whether a server was compiled with TLS support.

For each cluster node, you also need a certificate, a private key, and the Certificate Authority (CA) chain that can verify the certificate. If you want to use self-signed certificates created with OpenSSL, see Certificate Creation with OpenSSL for information on how to create them.

Securing Galera Cluster Replication Traffic

In order to enable TLS for Galera Cluster's replication traffic, there are a number of wsrep_provider_options that you need to set:

  • Set the path to the server's certificate with the socket.ssl_cert wsrep_provider_option.

  • Set the path to the server's private key with the socket.ssl_key wsrep_provider_option.

  • Set the path to the certificate authority (CA) chain that can verify the server's certificate with the socket.ssl_ca wsrep_provider_option.

  • If you want to restrict the server to certain ciphers, also set the socket.ssl_cipher wsrep_provider_option.

It is also a good idea to set MariaDB Server's regular TLS-related system variables, so that TLS is enabled for regular client connections as well. See Securing Connections for Client and Server for information on how to do that.

For example, to set these variables for the server, add the system variables to a relevant server option group in an option file:

[mariadb]
...
ssl_cert = /etc/my.cnf.d/certificates/server-cert.pem
ssl_key = /etc/my.cnf.d/certificates/server-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
wsrep_provider_options="socket.ssl_cert=/etc/my.cnf.d/certificates/server-cert.pem;socket.ssl_key=/etc/my.cnf.d/certificates/server-key.pem;socket.ssl_ca=/etc/my.cnf.d/certificates/ca.pem"

Then restart the server so that the new settings take effect.

By setting both MariaDB Server's TLS-related system variables and Galera Cluster's TLS-related wsrep_provider_options, the server secures both external client connections and Galera Cluster's replication traffic.

Securing State Snapshot Transfers

The method you would use to enable TLS for State Snapshot Transfers (SSTs) depends on the value of wsrep_sst_method.

mariadb-backup

See mariadb-backup SST Method: TLS for more information.

xtrabackup-v2

See xtrabackup-v2 SST Method: TLS for more information.

mysqldump

This SST method simply uses the mariadb-dump (previously mysqldump) utility, so TLS is enabled by following the guide at Securing Connections for Client and Server: Enabling TLS for MariaDB Clients.

rsync

This SST method supports encryption in transit via stunnel. See Introduction to State Snapshot Transfers (SSTs): rsync for more information.

This page is licensed: CC BY-SA / Gnu FDL

Galera Security

MariaDB Galera security encrypts replication/SST traffic and ensures integrity through firewalls, secure credentials, and network isolation.

MariaDB Enterprise Cluster Security

The features described on this page are available from MariaDB Enterprise Server 10.6.

WSREP stands for Write-Set Replication.

MariaDB Enterprise Cluster, powered by Galera, adds the following security features:

  • New TLS Modes have been implemented, which can be used to configure mandatory TLS and X.509 certificate verification for Enterprise Cluster:

    • WSREP TLS Modes have been implemented for Enterprise Cluster replication traffic.

    • SST TLS Modes have been implemented for SSTs that use MariaDB Enterprise Backup or Rsync.

  • Cluster name verification checks that a Joiner node belongs to the cluster prior to performing a State Snapshot Transfer (SST) or an Incremental State Transfer (IST).

  • Certificate expiration warnings are written to the MariaDB error log when the node's X.509 certificate is close to expiration.

  • TLS can be enabled without downtime for Enterprise Cluster replication traffic.

WSREP TLS Modes

MariaDB Enterprise Cluster, powered by Galera, adds the wsrep_ssl_mode system variable, which configures the WSREP TLS Mode used for Enterprise Cluster replication traffic.

The following WSREP TLS Modes are supported. For each mode, the wsrep_ssl_mode value is listed first, followed by a description:

Provider

  • Value: PROVIDER

  • TLS is optional for Enterprise Cluster replication traffic.

  • Each node obtains its TLS configuration from the wsrep_provider_options system variable. When the provider is not configured to use TLS on a node, the node will connect to the cluster without TLS.

  • The Provider WSREP TLS Mode is backward compatible with ES 10.5 and earlier. When performing a rolling upgrade from ES 10.5 and earlier, the Provider WSREP TLS Mode can be configured on the upgraded nodes.

Server

  • Value: SERVER

  • TLS is mandatory for Enterprise Cluster replication traffic, but X.509 certificate verification is not performed.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.

  • The Server WSREP TLS Mode is the default in ES 10.6.

Server X.509

  • Value: SERVER_X509

  • TLS and X.509 certificate verification are mandatory for Enterprise Cluster replication traffic.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.

WSREP TLS Modes: Provider

MariaDB Enterprise Cluster supports the Provider WSREP TLS Mode, which is equivalent to Enterprise Cluster's TLS implementation in earlier versions of MariaDB Server. The Provider WSREP TLS Mode is primarily intended for backward compatibility, and it is most useful for users who need to perform a rolling upgrade to Enterprise Server 10.6.

The Provider WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to PROVIDER.

TLS is optional in the Provider WSREP TLS Mode. When the provider is not configured to use TLS on a node, the node will connect to the cluster without TLS.

Each node obtains its TLS configuration from the wsrep_provider_options system variable. The following options are used:

socket.ssl

Set this option to true to enable TLS.

socket.ssl_ca

Set this option to the path of the CA chain file.

socket.ssl_cert

Set this option to the path of the node's X.509 certificate file.

socket.ssl_key

Set this option to the path of the node's private key file.

For example:

[mariadb]
...
wsrep_ssl_mode = PROVIDER
wsrep_provider_options = "socket.ssl=true;socket.ssl_cert=/certs/server-cert.pem;socket.ssl_ca=/certs/ca-cert.pem;socket.ssl_key=/certs/server-key.pem"

WSREP TLS Modes: Server and Server X.509

MariaDB Enterprise Cluster adds the Server and Server X.509 WSREP TLS Modes for users who require mandatory TLS.

The Server WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to SERVER. In the Server WSREP TLS Mode, TLS is mandatory, but X.509 certificate verification is not performed. The Server WSREP TLS Mode is the default.

The Server X.509 WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to SERVER_X509. In the Server X.509 WSREP TLS Mode, TLS and X.509 certificate verification are mandatory.

TLS is mandatory in both the Server and Server X.509 WSREP TLS Modes. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.

Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. The following system variables are used:

ssl_ca

Set this system variable to the path of the CA chain file.

ssl_capath

Optionally set this system variable to the path of the CA chain directory. The directory must have been processed by openssl rehash. When your CA chain is stored in a single file, use the ssl_ca system variable instead.

ssl_cert

Set this system variable to the path of the node's X.509 certificate file.

ssl_key

Set this system variable to the path of the node's private key file.

For example:

[mariadb]
...
wsrep_ssl_mode = SERVER_X509

ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem

SST TLS Modes

MariaDB Enterprise Cluster, powered by Galera, adds the ssl-mode option, which configures the SST TLS Mode for State Snapshot Transfers (SSTs). The ssl-mode option is supported by the following SST methods, which can be selected using the wsrep_sst_method system variable:

MariaDB Enterprise Backup

wsrep_sst_method = mariabackup

Rsync

wsrep_sst_method = rsync

The following SST TLS Modes are supported. For each mode, the ssl_mode values are listed first, followed by a description:

Backward Compatible

  • Values: DISABLED, or ssl_mode not set

  • TLS is optional for SST traffic.

  • Each node obtains its TLS configuration from the tca, tcert, and tkey options. When the SST is not configured to use TLS on a node, the node will connect during the SST without TLS.

  • The Backward Compatible SST TLS Mode is backward compatible with ES 10.5 and earlier, so it is suitable for rolling upgrades.

  • The Backward Compatible SST TLS Mode is the default in ES 10.6.

Server

  • Value: REQUIRED

  • TLS is mandatory for SST traffic, but X.509 certificate verification is not performed.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect during an SST.

Server X.509

  • Values: VERIFY_CA, VERIFY_IDENTITY

  • TLS and X.509 certificate verification are mandatory for SST traffic.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect during an SST.

  • Prior to the state transfer, the Donor node will verify the Joiner node's X.509 certificate, and the Joiner node will verify the Donor node's X.509 certificate.

SST TLS Modes: Backward Compatible

In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster adds the Backward Compatible SST TLS Mode for SSTs that use MariaDB Enterprise Backup or Rsync. The Backward Compatible SST TLS Mode is primarily intended for backward compatibility with ES 10.5 and earlier, and it is most useful for users who need to perform a rolling upgrade to ES 10.6.

The Backward Compatible SST TLS Mode is the default, but it can also be configured explicitly by setting the ssl_mode option to DISABLED in the [sst] group of a configuration file.

TLS is optional in the Backward Compatible SST TLS Mode. When the SST is not configured to use TLS, the SST will occur without TLS.

Each node obtains its TLS configuration from the [sst] group of a configuration file. The following options are used:

tca

Set this option to the path of the CA chain file.

tcert

Set this option to the path of the node's X.509 certificate file.

tkey

Set this option to the path of the node's private key file.

For example:

[mariadb]
...
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword

[sst]
ssl_mode = DISABLED

tca = /certs/ca-cert.pem
tcert = /certs/server-cert.pem
tkey = /certs/server-key.pem

SST TLS Modes: Server and Server X.509

MariaDB Enterprise Cluster adds the Server and Server X.509 SST TLS Modes for SSTs that use MariaDB Enterprise Backup or Rsync. The Server and Server X.509 SST TLS Modes are intended for users who require mandatory TLS.

The Server SST TLS Mode can be configured by setting the ssl_mode option to REQUIRED in the [sst] group of a configuration file. In the Server SST TLS Mode, TLS is mandatory, but X.509 certificate verification is not performed.

The Server X.509 SST TLS Mode can be configured by setting the ssl_mode option to VERIFY_CA or VERIFY_IDENTITY in the [sst] group of a configuration file. In the Server X.509 SST TLS Mode, TLS and X.509 certificate verification are mandatory. Prior to the state transfer, the Donor node will verify the Joiner node's X.509 certificate, and the Joiner node will verify the Donor node's X.509 certificate.

TLS is mandatory in both the Server and Server X.509 SST TLS Modes. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect during an SST.

Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. The following system variables are used:

ssl_ca

Set this system variable to the path of the CA chain file.

ssl_cert

Set this system variable to the path of the node's X.509 certificate file.

ssl_key

Set this system variable to the path of the node's private key file.

For example:

[mariadb]
...
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword

ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem

[sst]
ssl_mode = VERIFY_CA

When the backward-compatible TLS parameters in the [sst] group (tca, tcert, tkey) are configured, the Server and Server X.509 SST TLS Modes use those parameters instead of the MariaDB Enterprise Server system variables. In that case, the following message will be written to the MariaDB error log:

new ssl configuration options (ssl-ca, ssl-cert and ssl-key) are ignored by SST due to presence of the tca, tcert and/or tkey in the [sst] section

Cluster Name Verification

MariaDB Enterprise Cluster, powered by Galera, adds cluster name verification for Joiner nodes, which ensures that a Joiner node does not perform a State Snapshot Transfer (SST) or an Incremental State Transfer (IST) for the wrong cluster.

Prior to performing a State Snapshot Transfer (SST) or Incremental State Transfer (IST), the Donor node checks the wsrep_cluster_name value configured on the Joiner node to verify that the node belongs to the cluster.

Certificate Expiration Warnings

MariaDB Enterprise Cluster, powered by Galera, can be configured to write certificate expiration warnings to the MariaDB Error Log when the node's X.509 certificate is close to expiration.

Certificate expiration warnings can be configured using the wsrep_certificate_expiration_hours_warning system variable:

  • When the wsrep_certificate_expiration_hours_warning system variable is set to 0, certificate expiration warnings are not printed to the MariaDB Error Log.

  • When the wsrep_certificate_expiration_hours_warning system variable is set to a value N greater than 0, certificate expiration warnings are printed to the MariaDB Error Log when the node's certificate expires in N hours or less.

For example:

[mariadb]
...
# warn 3 days before certificate expiration
wsrep_certificate_expiration_hours_warning=72

Enable TLS without Downtime

MariaDB Enterprise Cluster, powered by Galera, adds new capabilities that allow TLS to be enabled for Enterprise Cluster replication traffic without downtime.

Enabling TLS without downtime relies on two new options implemented for the wsrep_provider_options system variable:

socket.dynamic

  • Dynamic: No

  • Default: false

  • When set to true, the node will allow TLS and non-TLS communications at the same time.

socket.ssl_reload

  • Dynamic: Yes

  • Default: N/A

  • When set to true with the SET GLOBAL statement, Enterprise Cluster dynamically re-initializes its TLS context.

  • This is most useful if you need to replace a certificate that is about to expire without restarting the server.

  • The paths to the certificate and key files cannot be changed dynamically, so the updated certificates and keys must be placed at the same paths defined by the relevant TLS variables.
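Both pages above describe where a node's TLS settings come from: the first page's wsrep_provider_options string for Galera replication, and the Enterprise page's wsrep_ssl_mode and [sst] ssl_mode rules, including the rule that tca/tcert/tkey in the [sst] group take precedence over ssl_* and trigger the error-log message quoted above. The following Python script is an added example, not MariaDB's own code: it parses an option file (a constructed sample is embedded), decodes the wsrep_provider_options string, and reports which settings each mode would actually use, which is a useful pre-flight check before a rolling TLS rollout. The option-file parser is a minimal stand-in for the server's, and the requirement that all three tca/tcert/tkey paths be present for TLS in DISABLED mode is an assumption.

```python
def parse_option_file(text):
    """Minimal MariaDB option-file parser: [group] headers and key = value lines; anything else is skipped."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().replace("-", "_")] = value.strip().strip('"')
    return groups

def parse_provider_options(value):
    return dict(item.split("=", 1) for item in value.split(";") if "=" in item)  # "k=v;k=v;..." string

def wsrep_tls_source(cfg):
    """(wsrep_ssl_mode, source of replication TLS settings); None = joins without TLS or cannot join."""
    m = cfg.get("mariadb", {})
    mode = m.get("wsrep_ssl_mode", "SERVER").upper()  # SERVER is the ES 10.6 default
    if mode == "PROVIDER":  # TLS optional, settings come from the provider option string
        o = parse_provider_options(m.get("wsrep_provider_options", ""))
        ok = o.get("socket.ssl") == "true" and {"socket.ssl_cert", "socket.ssl_key", "socket.ssl_ca"} <= set(o)
        return mode, "wsrep_provider_options" if ok else None
    ok = {"ssl_cert", "ssl_key"} <= set(m) and ("ssl_ca" in m or "ssl_capath" in m)  # TLS mandatory
    return mode, "server ssl_* variables" if ok else None

SST_OVERRIDE_MSG = ("new ssl configuration options (ssl-ca, ssl-cert and ssl-key) are ignored by "
                    "SST due to presence of the tca, tcert and/or tkey in the [sst] section")

def sst_tls_source(cfg):
    """(ssl_mode, source of SST TLS settings, error-log warning); [sst] tca/tcert/tkey override ssl_*."""
    sst, m = cfg.get("sst", {}), cfg.get("mariadb", {})
    mode = sst.get("ssl_mode", "DISABLED").upper()  # DISABLED is the ES 10.6 default
    legacy = {"tca", "tcert", "tkey"} & set(sst)
    if mode == "DISABLED":  # assumption: TLS needs all three legacy paths in this mode
        return mode, "[sst] tca/tcert/tkey" if len(legacy) == 3 else None, None
    if legacy:  # REQUIRED / VERIFY_CA / VERIFY_IDENTITY still honour the legacy paths
        return mode, "[sst] tca/tcert/tkey", SST_OVERRIDE_MSG
    ok = {"ssl_ca", "ssl_cert", "ssl_key"} <= set(m)
    return mode, "server ssl_* variables" if ok else None, None

# Constructed sample: the page's SERVER_X509 / VERIFY_CA setup plus a leftover tca line.
SAMPLE = """[mariadb]
wsrep_ssl_mode = SERVER_X509
ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
[sst]
ssl_mode = VERIFY_CA
tca = /certs/ca-cert.pem"""
```

Running `sst_tls_source(parse_option_file(SAMPLE))` shows the VERIFY_CA SST silently falling back to the [sst] tca path, which is exactly the situation the error-log message above reports.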