Security in Enterprise Manager

MariaDB Enterprise Manager provides security at multiple levels, including transport-layer encryption for all components, secure authentication, and a detailed audit log.

This guide covers the primary security configurations. For Users, Roles and Permissions, see User Management.

SSL/TLS Certificate Management

The Enterprise Manager installation generates a self-signed TLS certificate and key for immediate use. For production environments, you should use your own custom certificates.

Place custom certificates

Copy your custom certificate and private key files into the enterprise-manager/certs/ directory on the host machine.

Update the configuration

Open the enterprise-manager/.env file and modify the MEMA_TLS_CERTPATH and MEMA_TLS_KEYPATH variables to point to your new files.

Example: if your files are my-host.crt and my-host.key, your configuration should be:

.env (example)

MEMA_TLS_CERTPATH=/certs/my-host.crt
MEMA_TLS_KEYPATH=/certs/my-host.key

The path you provide must begin with /certs/. This is because the host's certs/ directory is mounted inside the Docker containers at the /certs path.

Restart Enterprise Manager

To apply the changes, restart the services:

docker compose up -d

Enabling the Audit Log

The audit log records all REST API requests made to MariaDB Enterprise Manager, providing a clear trail of administrative actions for security and compliance.

Step: Navigate to the directory

Open a terminal and change into your MariaDB Enterprise Manager installation directory.

cd enterprise-manager/

Step: Edit the .env file

Open the environment file using a text editor.

nano .env

Step: Update the audit log variable

Inside the editor, locate the line for the audit API setting.

Find this line:

MEMA_AUDIT_API=false

Change it to:

MEMA_AUDIT_API=true

Step: Save and exit

Save the changes and exit the editor.

Step: Restart Enterprise Manager

The change requires a restart to take effect.

docker compose up -d

Configuring Secure Connections

Agent to Enterprise Manager Connections

The connection from the mema-agent to the Enterprise Manager server is secured using HTTPS.

To enable encryption: ensure the URL provided in the agent setup command uses https://.

mema-agent setup --endpoint=https://<MEM_Address> ...

To bypass certificate checks: if you are using a self-signed or non-trusted TLS certificate on the Enterprise Manager server, you can add the --otlp-insecure flag to the agent setup command. This is recommended only for testing environments.

Enterprise Manager to Monitored Databases

You can configure secure TLS connections from Enterprise Manager to your monitored MariaDB Servers and MaxScale instances when you first add them.

In the "Add Database" page:

Toggle the SSL/TLS option to ON.
To validate the server's certificate against your Certificate Authority (CA), provide the path to your CA file in the Certificate Authority field. The file must be located in the enterprise-manager/certs/ directory and the path must begin with /certs/.
Check Verify peer certificate to enable validation.
(Optional) Check Verify peer host to ensure the server's hostname matches the certificate.
If the database requires client-side certificates for authentication, provide the paths to your client certificate and key in the Certificate and Key fields, respectively. These files must also be in the enterprise-manager/certs/ directory.

All certificate and key files referenced for server validation or client authentication must be placed in the enterprise-manager/certs/ directory on the host and referenced with a path beginning with /certs/.

PreviousChange Hostname or IP Address NextUsage

Last updated 2 days ago

Was this helpful?