Enabling TLS for MaxScale's REST API

Overview

MariaDB MaxScale supports data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is the successor to the Secure Sockets Layer (SSL) protocol.

TLS must be manually enabled on the MaxScale instance.

Enabling TLS for the REST API

  1. Acquire an X.509 certificate and a private key for the MaxScale instance.

    If it is a test or development instance, then self-signed certificates and keys might be sufficient.

  2. Determine which TLS-related global parameters you need to configure.

    Mandatory global parameters for TLS include:

    | Parameter         | Description                                                                        |
    |-------------------|------------------------------------------------------------------------------------|
    | admin_ssl_key     | This parameter defines the private key used by the REST API.                       |
    | admin_ssl_cert    | This parameter defines the certificate used by the REST API.                       |
    | admin_ssl_ca_cert | This parameter defines the CA certificate that signed the REST API's certificate.  |

  3. Set your global parameters in maxscale.cnf.

    Global parameters are placed in the [maxscale] configuration group.

    For example:

    [maxscale]
    ...
    admin_ssl_key     = /certs/server-key.pem
    admin_ssl_cert    = /certs/server-cert.pem
    admin_ssl_ca_cert = /certs/ca-cert.pem
    
  4. Restart the MaxScale instance.

    $ sudo systemctl restart maxscale
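
A check that can be run between steps 3 and 4, given here as an added example and not part of the MaxScale documentation: it reads the [maxscale] group, confirms that the three mandatory parameters point at existing files, and uses Python's ssl module to confirm that the private key matches the certificate and that the CA file parses. The owner-only permission check on the key file and the function name check_admin_tls are assumptions of this example.

```python
import configparser
import os
import ssl
import stat
import sys

# The three mandatory REST API TLS parameters listed in step 2.
REQUIRED = ("admin_ssl_key", "admin_ssl_cert", "admin_ssl_ca_cert")


def check_admin_tls(cnf_path):
    """Return a list of problems found in the [maxscale] TLS settings."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read(cnf_path)  # a missing file simply yields no sections
    if not parser.has_section("maxscale"):
        return ["no [maxscale] section found"]
    section = parser["maxscale"]
    problems, paths = [], {}
    for name in REQUIRED:
        value = (section.get(name) or "").strip()
        if not value:
            problems.append(f"{name} is not set")
        elif not os.path.isfile(value):
            problems.append(f"{name}: {value} is not an existing file")
        else:
            paths[name] = value
    key = paths.get("admin_ssl_key")
    # Assumption of this example: the private key should be owner-only.
    if key and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append(f"admin_ssl_key: {key} is accessible to group/other")
    if len(paths) == len(REQUIRED):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            # Raises if either file is not valid PEM or the key does not
            # belong to the certificate.
            ctx.load_cert_chain(paths["admin_ssl_cert"], paths["admin_ssl_key"])
            # Raises if the CA file contains no parsable certificate.
            ctx.load_verify_locations(cafile=paths["admin_ssl_ca_cert"])
        except (ssl.SSLError, OSError) as exc:
            problems.append(f"certificate/key/CA failed to load: {exc}")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_admin_tls.py /path/to/maxscale.cnf
    found = check_admin_tls(sys.argv[1])
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

An empty result means the files load as a usable key and certificate pair; it does not prove that the CA in admin_ssl_ca_cert actually signed the certificate.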