Connecting to MaxScale using TLS with MaxCtrl

Overview

MaxCtrl is a command-line utility that can perform administrative tasks using MaxScale's REST API. It is possible to connect to MaxScale using TLS with MaxCtrl.

Connecting to MaxScale using TLS

  1. Create a basic or admin user, depending on what kind of user you need:

    $ maxctrl create user "maxscale_rest_admin" "maxscale_rest_admin_password" --type=admin
    

    Replace maxscale_rest_admin and maxscale_rest_admin_password with the desired user and password.

  2. If you want to use MaxCtrl remotely, configure the REST API for remote connections.

    Several global parameters must be configured in maxscale.cnf.

    | Parameter | Description |
    |---|---|
    | admin_host | This parameter defines the network address that the REST API listens on. The default value is 127.0.0.1. |
    | admin_port | This parameter defines the network port that the REST API listens on. The default value is 8989. |

    For example:

    [maxscale]
    ...
    admin_host            = 0.0.0.0
    admin_port            = 8443
    
  3. Enable TLS for MaxScale's REST API.

    Several global parameters must be configured in maxscale.cnf.

    | Parameter | Description |
    |---|---|
    | admin_ssl_key | This parameter defines the private key used by the REST API. |
    | admin_ssl_cert | This parameter defines the certificate used by the REST API. |
    | admin_ssl_ca_cert | This parameter defines the CA certificate that signed the REST API's certificate. |

    For example:

    [maxscale]
    ...
    admin_ssl_key=/certs/server-key.pem
    admin_ssl_cert=/certs/server-cert.pem
    admin_ssl_ca_cert=/certs/ca-cert.pem
    
  4. Ensure that the client also has a TLS certificate, a private key, and the CA certificate.

  5. Use MaxCtrl to connect with TLS:

    $ maxctrl --secure \
       --user=maxscale_rest_admin \
       --password=maxscale_rest_admin_password \
       --hosts=192.0.2.100:8443 \
       --tls-key=/certs/client-key.pem \
       --tls-cert=/certs/client-cert.pem \
       --tls-ca-cert=/certs/ca.pem
    

    Replace maxscale_rest_admin and maxscale_rest_admin_password with the actual user and password.
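
A pre-deployment check for steps 2 and 3, as an added example that is not part of MaxScale or MaxCtrl: it fails when admin_host in maxscale.cnf is not a loopback address while any of the three admin_ssl_* parameters above is unset. The function names, the simplified parsing of the [maxscale] section, and the list of addresses treated as loopback are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the [maxscale] section for the REST API settings above.

# Print the last value of KEY in the [maxscale] section of FILE (simplified parser).
get_global() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = (tolower($0) ~ /^[ \t]*\[maxscale\][ \t]*$/); next }
        !in_sec || /^[ \t]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 1 when the REST API listens beyond loopback without all three TLS parameters.
check_admin_tls() {
    cnf=$1
    host=$(get_global "$cnf" admin_host)
    host=${host:-127.0.0.1}              # documented default
    missing=""
    for p in admin_ssl_key admin_ssl_cert admin_ssl_ca_cert; do
        [ -n "$(get_global "$cnf" "$p")" ] || missing="$missing $p"
    done
    case $host in
        127.0.0.1|::1|localhost) ;;      # local only: nothing to enforce here
        *)  if [ -n "$missing" ]; then
                echo "FAIL: admin_host=$host without:$missing"
                return 1
            fi ;;
    esac
    echo "OK: admin_host=$host"
    return 0
}

# Constructed sample: step 2 applied, step 3 forgotten.
demo_cnf=$(mktemp)
printf '%s\n' '[maxscale]' 'admin_host            = 0.0.0.0' \
    'admin_port            = 8443' > "$demo_cnf"
check_admin_tls "$demo_cnf" || true
rm -f "$demo_cnf"
```

Run `check_admin_tls` against the real maxscale.cnf before restarting MaxScale; a non-zero exit status means the REST API would accept remote connections without the TLS settings from step 3.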