6.4.4.8 Using the keyring_okv KMIP Plugin

Note

The keyring_okv plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.

The Key Management Interoperability Protocol (KMIP) enables communication of cryptographic keys between a key management server and its clients. The keyring_okv keyring plugin uses the KMIP 1.1 protocol to communicate securely as a client of a KMIP back end. Keyring material is generated exclusively by the back end, not by keyring_okv. The plugin works with these KMIP-compatible products:

  • Oracle Key Vault

  • Gemalto SafeNet KeySecure Appliance

  • Townsend Alliance Key Manager

The keyring_okv plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:

  • SQL interface: In SQL statements, call the general-purpose keyring key-management functions (keyring_key_generate(), keyring_key_store(), keyring_key_fetch(), keyring_key_remove(), and so on).

  • C interface: In C-language code, call the keyring service functions (the keyring service API).

Example (using the SQL interface):示例(使用SQL接口):

SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');

For information about the characteristics of key values permitted by keyring_okv, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.

To install keyring_okv, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_okv found here.

General keyring_okv Configuration

Regardless of which KMIP back end the keyring_okv plugin uses for keyring storage, the keyring_okv_conf_dir system variable configures the location of the directory used by keyring_okv for its support files. The default value is empty, so you must set the variable to name a properly configured directory before the plugin can communicate with the KMIP back end. Unless you do so, keyring_okv writes a message to the error log during server startup that it cannot communicate:

[Warning] Plugin keyring_okv reported: 'For keyring_okv to be
initialized, please point the keyring_okv_conf_dir variable to a directory
containing Oracle Key Vault configuration file and ssl materials'

The keyring_okv_conf_dir variable must name a directory that contains the following items:

  • okvclient.ora: A file that contains details of the KMIP back end with which keyring_okv communicates.

  • ssl: A directory that contains the certificate and key files required to establish a secure connection with the KMIP back end: CA.pem, cert.pem, and key.pem. If the key file is password-protected, the ssl directory can contain a single-line text file named password.txt containing the password needed to decrypt the key file.

Both the okvclient.ora file and the ssl directory with the certificate and key files are required for keyring_okv to work properly. The procedure used to populate the configuration directory with these files depends on the KMIP back end used with keyring_okv, as described elsewhere.

The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account used to run the MySQL server. The files it holds (in particular ssl/key.pem and, if used, ssl/password.txt) are the credentials with which the server authenticates to the KMIP back end, so anyone able to read them can act as that client toward the back end. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, the following commands (executed as root) create the directory and set its mode and ownership:

cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv

To be usable during the server startup process, keyring_okv must be loaded using the --early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. For example, use these lines in the server my.cnf file, adjusting the .so suffix and directory location for your platform as necessary:

[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

For additional information about keyring_okv_conf_dir, see Section 6.4.4.18, “Keyring System Variables”.
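The following shell script is an added example and is not part of MySQL or the keyring_okv plugin. It checks a candidate configuration directory against the rules above before you restart the server with keyring_okv_conf_dir pointing at it: a mode of 0750 or stricter, ownership by the server account, an okvclient.ora with a well-formed SERVER line (and STANDBY_SERVER line, if present), the three files under ssl, a private key and password.txt that are not readable by others, and a single-line password.txt. The owner name mysql and the example path are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example (not part of MySQL or the keyring_okv plugin): check that a
# candidate keyring_okv_conf_dir has the layout and permissions described
# above before the server is restarted with it.
#
#   check_okv_conf_dir DIR [OWNER]
#
# OWNER is the account the MySQL server runs as (assumed to be "mysql").
# Exit status 0 means every check passed; each problem is reported on stderr.

check_okv_conf_dir() {
    dir=$1
    owner=${2:-mysql}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi

    # ls -ld behaves the same on GNU and BSD userlands: field 1 is the mode
    # string (e.g. drwxr-x---), field 3 the owning user.
    set -- $(ls -ld "$dir")
    dir_mode=$1
    dir_owner=$3

    # Position 6 is the group write bit, positions 8-10 are the "other" bits:
    # accept 0750 or stricter (a trailing +, @ or . ACL marker is tolerated).
    case $dir_mode in
        ?????-?---*) ;;
        *) echo "$dir: mode $dir_mode is too permissive (want 0750 or stricter)" >&2; rc=1 ;;
    esac
    if [ "$dir_owner" != "$owner" ]; then
        echo "$dir: owned by $dir_owner, expected $owner" >&2; rc=1
    fi

    # okvclient.ora: SERVER=host:port is mandatory; STANDBY_SERVER is optional
    # but must have the same shape when present.
    ora=$dir/okvclient.ora
    if [ ! -f "$ora" ]; then
        echo "missing $ora" >&2; rc=1
    else
        grep -Eq '^SERVER=[^:[:space:]]+:[0-9]+$' "$ora" ||
            { echo "$ora: no valid SERVER=host:port line" >&2; rc=1; }
        if grep -q '^STANDBY_SERVER=' "$ora"; then
            grep -Eq '^STANDBY_SERVER=[^:[:space:]]+:[0-9]+$' "$ora" ||
                { echo "$ora: malformed STANDBY_SERVER line" >&2; rc=1; }
        fi
    fi

    # ssl/: CA.pem, cert.pem and key.pem are all required.
    for f in CA.pem cert.pem key.pem; do
        [ -f "$dir/ssl/$f" ] || { echo "missing $dir/ssl/$f" >&2; rc=1; }
    done

    # The private key (and password.txt, if present) must not be readable by
    # "other"; group write is refused as well.
    for f in key.pem password.txt; do
        p=$dir/ssl/$f
        [ -f "$p" ] || continue
        set -- $(ls -l "$p")
        case $1 in
            ?????-?---*) ;;
            *) echo "$p: mode $1 is too permissive" >&2; rc=1 ;;
        esac
    done

    # password.txt, when present, is a single non-empty line.
    pw=$dir/ssl/password.txt
    if [ -f "$pw" ]; then
        if [ ! -s "$pw" ] || [ "$(wc -l < "$pw" | tr -d ' ')" -gt 1 ]; then
            echo "$pw: must contain exactly one line" >&2; rc=1
        fi
    fi

    return $rc
}

# Run directly: sh check_okv_conf_dir.sh /usr/local/mysql/mysql-keyring-okv mysql
[ $# -eq 0 ] || check_okv_conf_dir "$@"
```

The script only inspects the file system; it does not contact the back end, so a clean result means the directory is shaped the way keyring_okv expects, not that the credentials are accepted by the KMIP server.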

Configuring keyring_okv for Oracle Key Vault

The discussion here assumes that you are familiar with Oracle Key Vault; the Oracle Key Vault site and the Oracle Key Vault Administrator's Guide are the pertinent information sources.

In Oracle Key Vault terminology, clients that use Oracle Key Vault to store and retrieve security objects are called endpoints. To communicate with Oracle Key Vault, it is necessary to register as an endpoint and enroll by downloading and installing endpoint support files.

The following procedure briefly summarizes the process of setting up keyring_okv for use with Oracle Key Vault:

  1. Create the configuration directory for the keyring_okv plugin to use.

  2. Register an endpoint with Oracle Key Vault to obtain an enrollment token.

  3. Use the enrollment token to obtain the okvclient.jar client software download.

  4. Install the client software to populate the keyring_okv configuration directory that contains the Oracle Key Vault support files.

Use the following procedure to configure keyring_okv and Oracle Key Vault to work together. This description only summarizes how to interact with Oracle Key Vault. For details, visit the Oracle Key Vault site and consult the Oracle Key Vault Administrator's Guide.

  1. Create the configuration directory that contains the Oracle Key Vault support files, and make sure that the keyring_okv_conf_dir system variable is set to name that directory (for details, see General keyring_okv Configuration).

  2. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

  3. Select the Endpoints tab to arrive at the Endpoints page. On the Endpoints page, click Add.

  4. Provide the required endpoint information and click Register. The endpoint type should be Other. Successful registration results in an enrollment token.

  5. Log out from the Oracle Key Vault server.

  6. Connect again to the Oracle Key Vault server, this time without logging in. Use the endpoint enrollment token to enroll and request the okvclient.jar software download. Save this file to your system.

  7. Install the okvclient.jar file using the following command (you must have JDK 1.4 or higher):

    java -jar okvclient.jar -d dir_name [-v]

    The directory name following the -d option is the location in which to install extracted files. The -v option, if given, causes log information to be produced that may be useful if the command fails.

    When the command asks for an Oracle Key Vault endpoint password, do not provide one. Instead, press Enter. (The result is that no password is required when the endpoint connects to Oracle Key Vault.) The endpoint then authenticates to Oracle Key Vault with its certificate and key alone, which is why the ssl directory must be readable only by the MySQL server account.

  8. The preceding command produces an okvclient.ora file, which should be in this location under the directory named by the -d option in the preceding java -jar command:

    install_dir/conf/okvclient.ora

    The file contents include lines that look something like this:

    SERVER=host_ip:port_num
    STANDBY_SERVER=host_ip:port_num

    The keyring_okv plugin attempts to communicate with the server running on the host named by the SERVER variable and falls back to STANDBY_SERVER if that fails:

    • For the SERVER variable, a setting in the okvclient.ora file is mandatory.

    • For the STANDBY_SERVER variable, a setting in the okvclient.ora file is optional.

  9. Go to the Oracle Key Vault installer directory and test the setup by running this command:

    okvutil/bin/okvutil list

    The output should look something like this:

    Unique ID                               Type            Identifier
    255AB8DE-C97F-482C-E053-0100007F28B9	Symmetric Key	-
    264BF6E0-A20E-7C42-E053-0100007FB29C	Symmetric Key	-

    For a fresh Oracle Key Vault server (a server without any key in it), the output looks like this instead, to indicate that there are no keys in the vault:

    no objects found

  10. Use this command to extract the ssl directory containing SSL materials from the okvclient.jar file:

    jar xf okvclient.jar ssl

  11. Copy the Oracle Key Vault support files (the okvclient.ora file and the ssl directory) into the configuration directory.

  12. (Optional) If you wish to password-protect the key file, use the instructions in Password-Protecting the keyring_okv Key File.

After completing the preceding procedure, restart the MySQL server. It loads the keyring_okv plugin, and keyring_okv uses the files in its configuration directory to communicate with Oracle Key Vault.

Configuring keyring_okv for Gemalto SafeNet KeySecure Appliance

Gemalto SafeNet KeySecure Appliance uses the KMIP protocol (version 1.1 or 1.2). The keyring_okv keyring plugin (which supports KMIP 1.1) can use KeySecure as its KMIP back end for keyring storage.

Use the following procedure to configure keyring_okv and KeySecure to work together. The description only summarizes how to interact with KeySecure. For details, consult the section named Add a KMIP Server in the KeySecure User Guide.

  1. Create the configuration directory that contains the KeySecure support files, and make sure that the keyring_okv_conf_dir system variable is set to name that directory (for details, see General keyring_okv Configuration).

  2. In the configuration directory, create a subdirectory named ssl to use for storing the required SSL certificate and key files.

  3. In the configuration directory, create a file named okvclient.ora. It should have the following format:

    SERVER=host_ip:port_num
    STANDBY_SERVER=host_ip:port_num

    For example, if KeySecure is running on host 198.51.100.20 and listening on port 9002, the okvclient.ora file looks like this:

    SERVER=198.51.100.20:9002
    STANDBY_SERVER=198.51.100.20:9002

  4. Connect to the KeySecure Management Console as an administrator with credentials for Certificate Authorities access.

  5. Navigate to Security >> Local CAs and create a local certificate authority (CA).

  6. Go to Trusted CA Lists. Select Default and click Properties. Then select Edit for Trusted Certificate Authority List and add the CA just created.

  7. Download the CA and save it in the ssl directory as a file named CA.pem.

  8. Navigate to Security >> Certificate Requests and create a certificate request. Then you can download a compressed tar file containing the certificate PEM files.

  9. Extract the PEM files from the downloaded file. For example, if the file name is csr_w_pk_pkcs8.gz, decompress and unpack it using this command:

    tar zxvf csr_w_pk_pkcs8.gz

    Two files result from the extraction operation: certificate_request.pem and private_key_pkcs8.pem.

  10. Use this openssl command to decrypt the private key and create a file named key.pem:

    openssl pkcs8 -in private_key_pkcs8.pem -out key.pem

    If the PKCS#8 file is encrypted, the command prompts for its passphrase. The key.pem it writes is unencrypted, so keep it only in the restricted ssl directory, or re-encrypt it as described in the optional step below.

  11. Copy the key.pem file into the ssl directory.

  12. Copy the certificate request in certificate_request.pem into the clipboard.

  13. Navigate to Security >> Local CAs. Select the same CA that you created earlier (the one you downloaded to create the CA.pem file), and click Sign Request. Paste the certificate request from the clipboard, choose a certificate purpose of Client (the keyring is a client of KeySecure), and click Sign Request. The result is a certificate signed with the selected CA, shown in a new page.

  14. Copy the signed certificate to the clipboard, then save the clipboard contents as a file named cert.pem in the ssl directory.

  15. (Optional) If you wish to password-protect the key file, use the instructions in Password-Protecting the keyring_okv Key File.

After completing the preceding procedure, restart the MySQL server. It loads the keyring_okv plugin, and keyring_okv uses the files in its configuration directory to communicate with KeySecure.

Configuring keyring_okv for Townsend Alliance Key Manager

Townsend Alliance Key Manager uses the KMIP protocol. The keyring_okv keyring plugin can use Alliance Key Manager as its KMIP back end for keyring storage. For additional information, see Alliance Key Manager for MySQL.

Password-Protecting the keyring_okv Key File

You can optionally protect the key file with a password and supply a file containing the password to enable the key file to be decrypted. Because password.txt sits in the same ssl directory as the key it unlocks, this protects only against the key file being copied on its own (from a backup, for instance); it does not replace the permission restrictions on the configuration directory. To do so, change location to the ssl directory and perform these steps:

  1. Encrypt the key.pem key file. For example, use a command like this, and enter the encryption password at the prompts (on current OpenSSL releases, -aes256 is accepted in the same position and selects a stronger cipher than -des3):

    shell> openssl rsa -des3 -in key.pem -out key.pem.new
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:

  2. Save the encryption password in a single-line text file named password.txt in the ssl directory.

  3. Verify that the encrypted key file can be decrypted using the following command. The decrypted file should display on the console:

    shell> openssl rsa -in key.pem.new -passin file:password.txt

    To confirm that decryption works without echoing the private key into the terminal (and its scrollback or session log), add -noout to the command; it then prints nothing on success and an error otherwise.

  4. Remove the original key.pem file and rename key.pem.new to key.pem.

  5. Change the ownership and access mode of the new key.pem file and the password.txt file as necessary to ensure that they have the same restrictions as other files in the ssl directory.
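The following shell function is an added example and is not part of MySQL, Oracle Key Vault or KeySecure. It verifies that an ssl directory assembled by either back-end procedure above, with or without the password protection just described, is internally consistent before the server is restarted: cert.pem verifies against CA.pem, key.pem is the private key matching cert.pem, and, when password.txt is present, it actually decrypts key.pem. It needs only the openssl command-line tool; the directory path and the presence of password.txt are whatever you give it.

```shell
#!/bin/sh
# Added example (not MySQL, Oracle Key Vault or KeySecure code): check that the
# files in a keyring_okv ssl directory belong together.
#
#   verify_okv_ssl SSL_DIR     -> exit status 0 if consistent, 1 otherwise
#
# Checks, in order: CA.pem/cert.pem/key.pem exist; cert.pem chains to CA.pem;
# key.pem loads (using password.txt when present) and its public key equals
# the one embedded in cert.pem. Problems are reported on stderr.

verify_okv_ssl() {
    ssl=$1
    ca=$ssl/CA.pem
    cert=$ssl/cert.pem
    key=$ssl/key.pem
    pw=$ssl/password.txt

    for f in "$ca" "$cert" "$key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done

    # 1. The client certificate must verify against the back end's CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not verify against $ca" >&2
        return 1
    fi

    # 2. Load the private key the same way keyring_okv would: with the
    #    password from password.txt if that file exists, otherwise with an
    #    empty password so an unexpectedly encrypted key fails instead of
    #    prompting interactively.
    if [ -f "$pw" ]; then
        passopt="file:$pw"
    else
        passopt="pass:"
    fi
    key_pub=$(openssl pkey -in "$key" -passin "$passopt" -pubout 2>/dev/null) || {
        echo "$key cannot be read (wrong or missing password.txt?)" >&2
        return 1
    }

    # 3. The public half of key.pem must be the public key in cert.pem;
    #    both commands emit the same SubjectPublicKeyInfo PEM, so a string
    #    comparison is sufficient.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || {
        echo "$cert is not a readable X.509 certificate" >&2
        return 1
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "$key is not the private key for $cert" >&2
        return 1
    fi

    echo "ssl materials in $ssl are consistent"
    return 0
}

# Run directly: sh verify_okv_ssl.sh /usr/local/mysql/mysql-keyring-okv/ssl
[ $# -eq 0 ] || verify_okv_ssl "$@"
```

If the function passes, the remaining question is whether the back end accepts the certificate; openssl s_client -connect host:port -CAfile CA.pem -cert cert.pem -key key.pem (adding -pass file:password.txt for an encrypted key), pointed at the SERVER address from okvclient.ora, shows the TLS handshake result without involving MySQL at all.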