Enabling SSLΒΆ

For the encryption of replication traffic, Galera Cluster supports SSL. It does not support authentication. SSL is a cluster-wide option. You must enable it for all nodes in the cluster or none at all.


Galera Cluster SLL support only covers Galera Cluster communications. State Snapshot Transfers happen outside of Galera Cluster, so you must protect them separately. For example, consider using the internal SSL support of the MySQL client or the stunnel program to protect rsync traffic.

To implement SSL on your cluster, complete the following steps:

  1. Generate a private certificate/key pair for the cluster. For instance, using openssl run the following command:

    $ openssl req -new -x509 -days 365000 -nodes \
       -keyout key.pem -out cert.pem


    When the certificate expires, there is no way to update the cluster without a complete shutdown. Use a large value for the -days parameter.

  2. Use a secure channel to copy the certificate/key pair files into the /etc/mysql/ directory on each node in the cluster.

  3. On each node, update the configuration file, (my.cnf or my.ini, depending on your build), to include the certificate/key pair.

    socket.ssl_cert = /path/to/cert.pem
    socket.ssl_key = /path/to/key.pem

Once all of the nodes have the update, Galera Cluster will use SSL to encrypt communication between the nodes.

See also

For information on other parameters for SSL, see socket.ssl_compression and socket.ssl_cipher.