Connecting to MaxScale using TLS with MaxCtrl
This page is part of MariaDB's Documentation.
The parent of this page is: MaxCtrl
Topics on this page:
Overview
MaxCtrl is a command-line utility that can perform administrative tasks using MaxScale's REST API. It is possible to connect to MaxScale using TLS with MaxCtrl.
Connecting to MaxScale using TLS
Create a basic or admin user, depending on what kind of user you need:
$ maxctrl create user "maxscale_rest_admin" "maxscale_rest_admin_password" --type=adminReplace
maxscale_rest_adminandmaxscale_rest_admin_passwordwith the desired user and password.If you want to use MaxCtrl remotely, configure the REST API for remote connections.
Several global parameters must be configured in
maxscale.cnf.Parameter
Description
This parameter defines the network address that the REST API listens on.
The default value is 127.0.0.1.
This parameter defines the network port that the REST API listens on.
The default value is 8989.
For example:
[maxscale] ... admin_host = 0.0.0.0 admin_port = 8443
Enable TLS for MaxScale's REST API.
Several global parameters must be configured in
maxscale.cnf.Parameter
Description
This parameter defines the private key used by the REST API.
This parameter defines the certificate used by the REST API.
This parameter defines the CA certificate that signed the REST API's certificate.
For example:
[maxscale] ... admin_ssl_key=/certs/server-key.pem admin_ssl_cert=/certs/server-cert.pem admin_ssl_ca_cert=/certs/ca-cert.pem
Ensure that the client also has a TLS certificate, a private key, and the CA certificate.
Use MaxCtrl to connect with TLS:
$ maxctrl --secure \ --user=maxscale_rest_admin \ --password=maxscale_rest_admin_password \ --hosts=192.0.2.100:8443 --tls-key=/certs/client-key.pem \ --tls-cert=/certs/client-cert.pem \ --tls-ca-cert=/certs/ca.pem
Replace
maxscale_rest_adminandmaxscale_rest_admin_passwordwith the actual user and password.