MariaDB Enterprise Cluster Security
Overview
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, adds some new security features:
New TLS Modes have been implemented, which can be used to configure mandatory TLS and X.509 certificate verification for Enterprise Cluster:
WSREP TLS Modes have been implemented for Enterprise Cluster replication traffic.
SST TLS Modes have been implemented for SSTs that use MariaDB Enterprise Backup or Rsync.
Cluster name verification checks that a Joiner node belongs to the cluster prior to performing a State Snapshot Transfer (SST) or an Incremental State Transfer (IST).
Certificate expiration warnings are written to the MariaDB error log when the node's X.509 certificate is close to expiration.
TLS can be enabled without downtime for Enterprise Cluster replication traffic.
WSREP TLS Modes
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, adds the wsrep_ssl_mode system variable, which configures the WSREP TLS Mode for Enterprise Cluster replication traffic.
The following WSREP TLS Modes are supported:
WSREP TLS Mode | Values | Description |
---|---|---|
Provider | PROVIDER | TLS is optional. Each node obtains its TLS configuration from the wsrep_provider_options system variable. Provided for backward compatibility with ES 10.5 and earlier. |
Server | SERVER | TLS is mandatory, but X.509 certificate verification is not performed. Each node obtains its TLS configuration from the ssl_ca, ssl_cert, and ssl_key system variables. Default in ES 10.6. |
Server X.509 | SERVER_X509 | TLS and X.509 certificate verification are mandatory. Each node obtains its TLS configuration from the ssl_ca, ssl_cert, and ssl_key system variables. |
WSREP TLS Modes: Provider
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster supports the Provider WSREP TLS Mode, which is equivalent to Enterprise Cluster's TLS implementation in ES 10.5 and earlier. The Provider WSREP TLS Mode is primarily intended for backward compatibility, and it is most useful for users who need to perform a rolling upgrade to ES 10.6.
The Provider WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to PROVIDER.
TLS is optional in the Provider WSREP TLS Mode. When the provider is not configured to use TLS on a node, the node will connect to the cluster without TLS.
Each node obtains its TLS configuration from the wsrep_provider_options system variable. The following WSREP provider options are used:
WSREP Provider Option | Description |
---|---|
socket.ssl | Set this option to true to enable TLS. |
socket.ssl_ca | Set this option to the path of the CA chain file. |
socket.ssl_cert | Set this option to the path of the node's X.509 certificate file. |
socket.ssl_key | Set this option to the path of the node's private key file. |
For example:
[mariadb]
...
wsrep_ssl_mode = PROVIDER
wsrep_provider_options = "socket.ssl=true;socket.ssl_cert=/certs/server-cert.pem;socket.ssl_ca=/certs/ca-cert.pem;socket.ssl_key=/certs/server-key.pem"
WSREP TLS Modes: Server and Server X.509
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster adds the Server and Server X.509 WSREP TLS Modes for users who require mandatory TLS.
The Server WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to SERVER. In the Server WSREP TLS Mode, TLS is mandatory, but X.509 certificate verification is not performed, so the node encrypts replication traffic without checking which peer it is talking to. The Server WSREP TLS Mode is the default in ES 10.6.
The Server X.509 WSREP TLS Mode can be configured by setting the wsrep_ssl_mode system variable to SERVER_X509. In the Server X.509 WSREP TLS Mode, TLS and X.509 certificate verification are mandatory.
TLS is mandatory in both the Server and Server X.509 WSREP TLS Modes. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.
Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. The following system variables are used:
System Variable | Description |
---|---|
ssl_ca | Set this system variable to the path of the CA chain file. |
ssl_capath | Optionally set this system variable to the path of the CA chain directory. The directory must have been processed by openssl rehash. |
ssl_cert | Set this system variable to the path of the node's X.509 certificate file. |
ssl_key | Set this system variable to the path of the node's private key file. |
For example:
[mariadb]
...
wsrep_ssl_mode = SERVER_X509
ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
SST TLS Modes
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, adds the ssl_mode option (also written ssl-mode) in the [sst] group, which configures the SST TLS Mode for State Snapshot Transfers (SSTs). The ssl_mode option is supported by the following SST methods, which are selected with the wsrep_sst_method system variable:
SST Method | wsrep_sst_method Value |
---|---|
MariaDB Enterprise Backup | mariabackup |
Rsync | rsync |
The following SST TLS Modes are supported:
SST TLS Mode | Values | Description |
---|---|---|
Backward Compatible | DISABLED | TLS is optional. Each node obtains its TLS configuration from the tca, tcert, and tkey options in the [sst] group. Default; provided for backward compatibility with ES 10.5 and earlier. |
Server | REQUIRED | TLS is mandatory, but X.509 certificate verification is not performed. Each node obtains its TLS configuration from the ssl_ca, ssl_cert, and ssl_key system variables. |
Server X.509 | VERIFY_CA, VERIFY_IDENTITY | TLS and X.509 certificate verification are mandatory. Each node obtains its TLS configuration from the ssl_ca, ssl_cert, and ssl_key system variables. |
SST TLS Modes: Backward Compatible
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster adds the Backward Compatible SST TLS Mode for SSTs that use MariaDB Enterprise Backup or Rsync. The Backward Compatible SST TLS Mode is primarily intended for backward compatibility with ES 10.5 and earlier, and it is most useful for users who need to perform a rolling upgrade to ES 10.6.
The Backward Compatible SST TLS Mode is the default, but it can also be configured explicitly by setting the ssl_mode option to DISABLED in the [sst] group of a configuration file.
TLS is optional in the Backward Compatible SST TLS Mode. When the SST is not configured to use TLS, the SST will occur without TLS.
Each node obtains its TLS configuration from the [sst] group of a configuration file. The following options are used:
Option | Description |
---|---|
tca | Set this option to the path of the CA chain file. |
tcert | Set this option to the path of the node's X.509 certificate file. |
tkey | Set this option to the path of the node's private key file. |
For example:
[mariadb]
...
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword
[sst]
ssl_mode = DISABLED
tca = /certs/ca-cert.pem
tcert = /certs/server-cert.pem
tkey = /certs/server-key.pem
SST TLS Modes: Server and Server X.509
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster adds the Server and Server X.509 SST TLS Modes for SSTs that use MariaDB Enterprise Backup or Rsync. The Server and Server X.509 SST TLS Modes are intended for users who require mandatory TLS.
The Server SST TLS Mode can be configured by setting the ssl_mode option to REQUIRED in the [sst] group of a configuration file. In the Server SST TLS Mode, TLS is mandatory, but X.509 certificate verification is not performed.
The Server X.509 SST TLS Mode can be configured by setting the ssl_mode option to VERIFY_CA or VERIFY_IDENTITY in the [sst] group of a configuration file. In the Server X.509 SST TLS Mode, TLS and X.509 certificate verification are mandatory. Prior to the state transfer, the Donor node verifies the Joiner node's X.509 certificate, and the Joiner node verifies the Donor node's X.509 certificate.
TLS is mandatory in both the Server and Server X.509 SST TLS Modes. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect during an SST.
Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. The following system variables are used:
System Variable | Description |
---|---|
ssl_ca | Set this system variable to the path of the CA chain file. |
ssl_cert | Set this system variable to the path of the node's X.509 certificate file. |
ssl_key | Set this system variable to the path of the node's private key file. |
For example:
[mariadb]
...
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword
ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
[sst]
ssl_mode = VERIFY_CA
When the backward-compatible TLS parameters in the [sst] group are configured, the Server and Server X.509 SST TLS Modes use those parameters instead of the MariaDB Enterprise Server system variables. In that case, the following message will be written to the MariaDB error log:
new ssl configuration options (ssl-ca, ssl-cert and ssl-key) are ignored by SST due to presence of the tca, tcert and/or tkey in the [sst] section
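The WSREP TLS Modes and SST TLS Modes above interact in ways that are easy to get wrong in an option file: PROVIDER mode silently accepts cleartext peers, the SERVER modes refuse to start without certificate settings, a DISABLED SST mode with no tca/tcert/tkey transfers the whole data directory unencrypted, and leftover tca/tcert/tkey entries override the ssl_* system variables even in VERIFY_CA mode. The script below is an added example, not MariaDB code: it parses a my.cnf-style file offline and reports the effective mode on both paths together with those pitfalls. The two sample option files, the finding texts, and the assumption that SERVER mode needs only a cert/key pair (while SERVER_X509 also needs ssl_ca or ssl_capath) are the example's own.

```python
"""Offline audit of Enterprise Cluster TLS settings in a MariaDB option file.
Added example for this page, not MariaDB code; sample configs are constructed."""
import configparser

WSREP_MODES = {"PROVIDER", "SERVER", "SERVER_X509"}
SST_MODES = {"DISABLED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
SST_METHODS_WITH_SSL_MODE = {"mariabackup", "rsync"}

# Constructed sample: looks configured, but neither path is actually protected.
WEAK_CONFIG = """
[mariadb]
wsrep_ssl_mode = PROVIDER
wsrep_provider_options = "gcache.size=1G"
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword
[sst]
ssl_mode = DISABLED
"""

# Constructed sample: mandatory TLS with certificate verification on both paths.
HARDENED_CONFIG = """
[mariadb]
wsrep_ssl_mode = SERVER_X509
ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:mypassword
[sst]
ssl_mode = VERIFY_CA
"""


def load_config(text):
    """Parse option-file text; MariaDB treats '-' and '_' in names alike."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string(text)
    return cp


def parse_provider_options(value):
    """Split the 'key=value;key=value' syntax of wsrep_provider_options."""
    opts = {}
    for item in value.strip().strip('"').split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts


def audit(text):
    cp = load_config(text)
    srv = cp["mariadb"] if cp.has_section("mariadb") else {}
    sst = cp["sst"] if cp.has_section("sst") else {}
    findings = []

    # Replication traffic: SERVER is the ES 10.6 default when unset.
    wsrep_mode = (srv.get("wsrep_ssl_mode") or "SERVER").upper()
    if wsrep_mode not in WSREP_MODES:
        findings.append(f"WSREP: unknown wsrep_ssl_mode {wsrep_mode!r}")
    elif wsrep_mode == "PROVIDER":
        opts = parse_provider_options(srv.get("wsrep_provider_options") or "")
        if opts.get("socket.ssl", "").lower() != "true":
            findings.append("WSREP: PROVIDER mode without socket.ssl=true, "
                            "replication traffic is not encrypted")
        else:
            for key in ("socket.ssl_ca", "socket.ssl_cert", "socket.ssl_key"):
                if key not in opts:
                    findings.append(f"WSREP: {key} missing from wsrep_provider_options")
            findings.append("WSREP: PROVIDER mode keeps TLS optional; a peer "
                            "without socket.ssl=true still joins in cleartext")
    else:
        # Checker assumption: SERVER needs cert+key, SERVER_X509 also a CA.
        missing = [v for v in ("ssl_cert", "ssl_key") if v not in srv]
        if wsrep_mode == "SERVER_X509" and not ("ssl_ca" in srv or "ssl_capath" in srv):
            missing.append("ssl_ca")
        if missing:
            findings.append(f"WSREP: {wsrep_mode} mode requires {', '.join(missing)}; "
                            "node will fail to connect to the cluster")
        if wsrep_mode == "SERVER":
            findings.append("WSREP: SERVER mode encrypts but does not verify "
                            "peer X.509 certificates")

    # State transfers: DISABLED (Backward Compatible) is the default when unset.
    sst_mode = (sst.get("ssl_mode") or "DISABLED").upper()
    method = (srv.get("wsrep_sst_method") or "rsync").lower()  # server default
    legacy = [k for k in ("tca", "tcert", "tkey") if k in sst]
    if sst_mode not in SST_MODES:
        findings.append(f"SST: unknown ssl_mode {sst_mode!r}")
    elif method not in SST_METHODS_WITH_SSL_MODE:
        findings.append(f"SST: ssl_mode is only honoured by mariabackup and rsync, not {method}")
    elif sst_mode == "DISABLED":
        if legacy:
            findings.append("SST: DISABLED mode with tca/tcert/tkey, TLS is used but not enforced")
        else:
            findings.append("SST: DISABLED mode without tca/tcert/tkey, state transfers run without TLS")
    else:
        if legacy:  # the precedence rule the error-log message above describes
            findings.append("SST: ssl_ca/ssl_cert/ssl_key are ignored because "
                            f"{'/'.join(legacy)} present in [sst]")
        else:
            missing = [v for v in ("ssl_ca", "ssl_cert", "ssl_key") if v not in srv]
            if missing:
                findings.append(f"SST: {sst_mode} mode requires {', '.join(missing)}; "
                                "node will fail to connect during SST")
        if sst_mode == "REQUIRED":
            findings.append("SST: REQUIRED mode encrypts but Donor and Joiner do not "
                            "verify each other's certificate")
    if "wsrep_sst_auth" in srv:
        findings.append("SST: wsrep_sst_auth keeps credentials in the option file; "
                        "restrict its permissions")
    return {"wsrep_mode": wsrep_mode, "sst_mode": sst_mode, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(cfg)
        print(f"{name}: wsrep={report['wsrep_mode']} sst={report['sst_mode']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a node's option file by passing the file contents to audit(); the hardened sample produces only the wsrep_sst_auth note, while the weak sample is reported as cleartext on both the replication and SST paths even though it names a TLS mode on each.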
Cluster Name Verification
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, adds cluster name verification for Joiner nodes, which ensures that the Joiner node does not perform a State Snapshot Transfer (SST) or an Incremental State Transfer (IST) for the wrong cluster.
Prior to performing a State Snapshot Transfer (SST) or Incremental State Transfer (IST), the Donor node verifies that the Joiner node's wsrep_cluster_name matches its own, so a node pointed at the wrong cluster is not handed that cluster's data.
Certificate Expiration Warnings
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, can be configured to write certificate expiration warnings to the MariaDB Error Log when the node's X.509 certificate is close to expiration.
Certificate expiration warnings can be configured using the wsrep_certificate_expiration_hours_warning system variable:
When the wsrep_certificate_expiration_hours_warning system variable is set to 0, certificate expiration warnings are not printed to the MariaDB Error Log.
When the wsrep_certificate_expiration_hours_warning system variable is set to a value N, which is greater than 0, certificate expiration warnings are printed to the MariaDB Error Log when the node's certificate expires in N hours or less.
For example:
[mariadb]
...
# warn 3 days before certificate expiration
wsrep_certificate_expiration_hours_warning=72
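The same threshold decision can be checked offline before a rotation window, which is useful when a node is down or the error log is not being shipped anywhere. The script below is an added example, not MariaDB code: it pulls notAfter out of a certificate with a minimal DER walker from the standard library, computes the hours remaining, and applies the 0-disables / N-hours-or-less rule described above. The constructed test certificate, the REFERENCE_NOW constant, and the helper names are the example's own; the test certificate is unsigned and only carries the fields the walker reads, so it is not a valid certificate.

```python
"""Hours-to-expiry check mirroring wsrep_certificate_expiration_hours_warning.
Added example for this page, not MariaDB code; the test certificate is constructed."""
import base64
import datetime
import re

UTC = datetime.timezone.utc
REFERENCE_NOW = datetime.datetime(2026, 1, 1, tzinfo=UTC)   # fixed "now" for the demo


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Return the (tag, value) pairs directly inside a constructed element."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:       # UTCTime YYMMDDHHMMSSZ (strptime maps 00-68 to 20xx)
        fmt = "%y%m%d%H%M%SZ"
    elif tag == 0x18:     # GeneralizedTime YYYYMMDDHHMMSSZ
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.datetime.strptime(text, fmt).replace(tzinfo=UTC)


def pem_to_der(pem_text):
    """Strip the PEM armour of a certificate file and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def not_after(cert_der):
    """Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity ..."""
    (_, cert), = _children(cert_der)
    tbs = _children(_children(cert)[0][1])
    if tbs[0][0] == 0xA0:                   # optional explicit [0] version
        tbs = tbs[1:]
    validity = _children(tbs[3][1])         # SEQUENCE { notBefore, notAfter }
    return _parse_time(*validity[1])


def hours_until_expiry(cert_der, now=None):
    if now is None:
        now = datetime.datetime.now(UTC)
    return (not_after(cert_der) - now).total_seconds() / 3600


def expiry_warning_due(cert_der, warning_hours, now=None):
    """True when the server would log a warning: threshold > 0 and expiry within it."""
    return warning_hours > 0 and hours_until_expiry(cert_der, now) <= warning_hours


def _der(tag, payload):
    """Encode one DER element (short or long form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_test_cert(hours_from_reference):
    """Constructed, unsigned certificate-shaped DER expiring N hours after REFERENCE_NOW."""
    expiry = REFERENCE_NOW + datetime.timedelta(hours=hours_from_reference)
    validity = _der(0x30, _der(0x17, b"200101000000Z")
                    + _der(0x17, expiry.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity
               + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = make_test_cert(48)
    print("hours left:", hours_until_expiry(cert, REFERENCE_NOW))
    print("warn with 72h threshold:", expiry_warning_due(cert, 72, REFERENCE_NOW))
    print("warn with 0 (disabled):", expiry_warning_due(cert, 0, REFERENCE_NOW))
```

For a real node, read the file named by ssl_cert, pass pem_to_der(contents) to expiry_warning_due together with the configured warning value, and leave now unset so the current time is used; openssl x509 -noout -checkend with the threshold in seconds gives the same yes/no from the command line.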
Enable TLS without Downtime
In MariaDB Enterprise Server 10.6, MariaDB Enterprise Cluster, powered by Galera, adds new capabilities that allow TLS to be enabled for Enterprise Cluster replication traffic without downtime.
Enabling TLS without downtime relies on two new options implemented for the wsrep_provider_options system variable:
Option | Dynamic? | Default | Description |
---|---|---|---|
| No | | |
| Yes | N/A | |