This article covers the steps necessary to configure the SSL settings for a cluster. SSL settings for a cluster are optional when you initially create a cluster and can be done later after the cluster has been created.
If the database server requires SSL, check the box to enable SSL for the cluster. You will need to provide a server certificate and Server Key to ScaleArc. The SSL certificate must be signed by a CA (Certificate Authority) that is already approved by the application hosts for it to be accepted.
If the SSL setting is disabled, ScaleArc negotiates down LOGIN encryption for client connections. Unlike SQL Server, ScaleArc for MySQL does not auto-generate a self-signed SSL certificate. This happens in authentication offload ON mode only.
Follow these steps to configure cluster SSL settings:
- Click the Clusters tab > Add Cluster button on the ScaleArc dashboard.
- Locate the SSL Settings section on the screen. This is the third panel on the Create Cluster screen.
- Select the SSL Offload checkbox to show the SSL Settings screen.
Configure the fields as follows:
Field/Button Description Default/User input SSL Offload
SSL offload allows you to establish secure communication between the client and the server via ScaleArc.
Important: As a prerequisite, if an SQL client needs to initiate full encryption with ScaleArc's SSL enabled cluster, ScaleArc's inbound IP should be reverse-resolvable to the hostname entry in the certificate uploaded on the ScaleArc cluster. Any modification to the SSL Offload requires you to restart the cluster.
Select the checkbox. Server certificate Requires a Server certificate as a prerequisite. The SSL Certificate must be generated by a CA-Authority that is already approved by the application hosts, for it to be accepted by them. All certificates should be in the PEM format. Browse to locate and attach the appropriate Server certificate. Server Key Requires a Server Key as a prerequisite. Key-related files must be in PEM format. Browse to locate and attach the appropriate Server Key. Validate Client Allows ScaleArc to validate the clients connecting to ScaleArc based on their issuer. Select the check box to activate. CA certificate
When ScaleArc communicates with the DB Server, it can also establish SSL connections using certificates, if it is required that ScaleArc's SSL communication with the DB server should use client certificates then enable the "Client Certificate" option and upload the Client Certificate and Key.
Browse to locate and attach the appropriate CA certificate. Enable client certificate Select the check box to activate. Client certificate
ScaleArc can also connect to the MySQL server using client certificates. If you require secure communication between ScaleArc and the DB server then enable the client certificate option and upload the client certificate and key pair.
Browse to locate and attach the appropriate client certificate. Client Key Browse to locate and attach the client key pair. Validate Server
Allows ScaleArc to validate the DB server communication and upload the appropriate CA certificate.
Select the check box to activate. CA certificate Browse to locate and attach the CA certificate. Upload Uploads the attachments. Note that re-uploading or replacing an existing SSL cert requires a cluster restart. Click to complete the upload.