The keyring_okv plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.
The Key Management Interoperability Protocol (KMIP) enables communication of cryptographic keys between a key management server and its clients. The keyring_okv keyring plugin uses the KMIP 1.1 protocol to communicate securely as a client of a KMIP back end. Keyring material is generated exclusively by the back end, not by keyring_okv. The plugin works with these KMIP-compatible products:
Oracle Key Vault
Gemalto SafeNet KeySecure Appliance
Townsend Alliance Key Manager
The keyring_okv plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:
SQL interface: In SQL statements, call the functions described in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.
C interface: In C-language code, call the keyring service functions described in Section 5.6.9.2, “The Keyring Service”.
Example (using the SQL interface):
SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values permitted by keyring_okv, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.
To install keyring_okv, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_okv found here.
General keyring_okv Configuration
Configuring keyring_okv for Oracle Key Vault
Configuring keyring_okv for Gemalto SafeNet KeySecure Appliance
Configuring keyring_okv for Townsend Alliance Key Manager
Password-Protecting the keyring_okv Key File
General keyring_okv Configuration
Regardless of which KMIP back end the keyring_okv plugin uses for keyring storage, the keyring_okv_conf_dir system variable configures the location of the directory used by keyring_okv for its support files. The default value is empty, so you must set the variable to name a properly configured directory before the plugin can communicate with the KMIP back end. Unless you do so, keyring_okv writes a message to the error log during server startup that it cannot communicate:
[Warning] Plugin keyring_okv reported: 'For keyring_okv to be initialized, please point the keyring_okv_conf_dir variable to a directory containing Oracle Key Vault configuration file and ssl materials'
The keyring_okv_conf_dir variable must name a directory that contains the following items:
okvclient.ora: A file that contains details of the KMIP back end with which keyring_okv communicates.
ssl: A directory that contains the certificate and key files required to establish a secure connection with the KMIP back end: CA.pem, cert.pem, and key.pem. If the key file is password-protected, the ssl directory can contain a single-line text file named password.txt containing the password needed to decrypt the key file.
Both the okvclient.ora file and the ssl directory with the certificate and key files are required for keyring_okv to work properly. The procedure used to populate the configuration directory with these files depends on the KMIP back end used with keyring_okv, as described elsewhere.
The configuration directory used by keyring_okv as the location for its support files should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use the /usr/local/mysql/mysql-keyring-okv directory, the following commands (executed as root) create the directory and set its mode and ownership:
cd /usr/local/mysql
mkdir mysql-keyring-okv
chmod 750 mysql-keyring-okv
chown mysql mysql-keyring-okv
chgrp mysql mysql-keyring-okv
To be usable during the server startup process, keyring_okv must be loaded using the --early-plugin-load option. Also, set the keyring_okv_conf_dir system variable to tell keyring_okv where to find its configuration directory. For example, use these lines in the server my.cnf file, adjusting the .so suffix and directory location for your platform as necessary:
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
For additional information about keyring_okv_conf_dir, see Section 6.4.4.18, “Keyring System Variables”.
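The requirements listed above (the okvclient.ora file, the ssl directory with CA.pem, cert.pem and key.pem, the optional password.txt, and a directory owned by the server account with a restrictive mode) are easy to get wrong, and keyring_okv only reports the problem in the error log at the next restart. The following pre-flight check is an added example, not code from the MySQL manual: it verifies that layout before keyring_okv_conf_dir is pointed at a directory. It assumes Linux with GNU coreutils (stat -c); the function name and its OWNER argument are this example's own, with OWNER defaulting to the mysql account used in the chown/chgrp commands above.

```shell
#!/bin/sh
# Added example, not code from the MySQL manual: a pre-flight check for the
# directory that keyring_okv_conf_dir is about to be pointed at. It confirms
# the layout the manual describes (okvclient.ora with a mandatory SERVER=
# line, plus ssl/CA.pem, ssl/cert.pem and ssl/key.pem, with ssl/password.txt
# when key.pem is encrypted), that the directory belongs to the server
# account with mode 750 or tighter, and that private material is not
# world-readable. Assumes Linux with GNU coreutils (stat -c); the function
# name and the OWNER argument are this example's own, and OWNER defaults to
# the "mysql" account used in the manual's chown/chgrp commands.

# Usage: check_okv_conf_dir DIR [OWNER]
# Prints every problem found; returns 0 only when nothing is wrong.
check_okv_conf_dir() {
    dir=$1
    owner=${2:-mysql}
    rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # Ownership: only the account running mysqld should reach these files.
    actual_owner=$(stat -c '%U' "$dir")
    [ "$actual_owner" = "$owner" ] \
        || { echo "FAIL: $dir is owned by $actual_owner, expected $owner"; rc=1; }

    # Mode: 750 or tighter, i.e. no permissions for "other" and no group write.
    mode=$(stat -c '%a' "$dir")
    other=$((mode % 10))
    group=$(((mode / 10) % 10))
    { [ "$other" -eq 0 ] && [ $((group & 2)) -eq 0 ]; } \
        || { echo "FAIL: $dir has mode $mode, expected 750 or tighter"; rc=1; }

    # okvclient.ora is required and must name the primary KMIP server;
    # STANDBY_SERVER is optional, so it is not checked.
    if [ -f "$dir/okvclient.ora" ]; then
        grep -q '^SERVER=' "$dir/okvclient.ora" \
            || { echo "FAIL: okvclient.ora has no SERVER= line"; rc=1; }
    else
        echo "FAIL: $dir/okvclient.ora is missing"; rc=1
    fi

    # ssl/ must hold the CA certificate, the client certificate and its key.
    for f in CA.pem cert.pem key.pem; do
        [ -f "$dir/ssl/$f" ] || { echo "FAIL: $dir/ssl/$f is missing"; rc=1; }
    done

    # An encrypted key (its PEM header says ENCRYPTED) needs password.txt,
    # and password.txt must be a single line.
    if [ -f "$dir/ssl/key.pem" ] && grep -q 'ENCRYPTED' "$dir/ssl/key.pem"; then
        if [ -f "$dir/ssl/password.txt" ]; then
            [ "$(wc -l < "$dir/ssl/password.txt")" -le 1 ] \
                || { echo "FAIL: ssl/password.txt must contain a single line"; rc=1; }
        else
            echo "FAIL: key.pem is encrypted but ssl/password.txt is missing"; rc=1
        fi
    fi

    # Private material must not be readable by other users.
    for f in key.pem password.txt; do
        if [ -f "$dir/ssl/$f" ]; then
            fmode=$(stat -c '%a' "$dir/ssl/$f")
            [ $((fmode % 10)) -eq 0 ] \
                || { echo "FAIL: ssl/$f has mode $fmode, must not be readable by others"; rc=1; }
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for keyring_okv_conf_dir"
    return $rc
}
```

Run it as `check_okv_conf_dir /usr/local/mysql/mysql-keyring-okv` before restarting the server; a non-zero exit with the printed reasons is cheaper to act on than the generic startup warning shown above. The check deliberately reports every problem rather than stopping at the first one, so a single run is enough to fix the directory.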
Configuring keyring_okv for Oracle Key Vault
The discussion here assumes that you are familiar with Oracle Key Vault. Some pertinent information sources:
In Oracle Key Vault terminology, clients that use Oracle Key Vault to store and retrieve security objects are called endpoints. To communicate with Oracle Key Vault, it is necessary to register as an endpoint and enroll by downloading and installing endpoint support files.
The following procedure briefly summarizes the process of setting up keyring_okv for use with Oracle Key Vault:
Create the configuration directory for the keyring_okv plugin to use.
Register an endpoint with Oracle Key Vault to obtain an enrollment token.
Use the enrollment token to obtain the okvclient.jar client software download.
Install the client software to populate the keyring_okv configuration directory that contains the Oracle Key Vault support files.
Use the following procedure to configure keyring_okv and Oracle Key Vault to work together. This description only summarizes how to interact with Oracle Key Vault. For details, visit the Oracle Key Vault site and consult the Oracle Key Vault Administrator's Guide.
Create the configuration directory that contains the Oracle Key Vault support files, and make sure that the keyring_okv_conf_dir system variable is set to name that directory (for details, see General keyring_okv Configuration).
Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
Select the Endpoints tab to arrive at the Endpoints page. On the Endpoints page, click Add.
Provide the required endpoint information and click Register. The endpoint type should be Other. Successful registration results in an enrollment token.
Log out from the Oracle Key Vault server.
Connect again to the Oracle Key Vault server, this time without logging in. Use the endpoint enrollment token to enroll and request the okvclient.jar software download. Save this file to your system.
Install the okvclient.jar file using the following command (you must have JDK 1.4 or higher):
java -jar okvclient.jar -d dir_name [-v]
The directory name following the -d option is the location in which to install extracted files. The -v option, if given, causes log information to be produced that may be useful if the command fails.
When the command asks for an Oracle Key Vault endpoint password, do not provide one. Instead, press Enter. (The result is that no password is required when the endpoint connects to Oracle Key Vault.)
The preceding command produces an okvclient.ora file, which should be in this location under the directory named by the -d option in the preceding java -jar command:
install_dir/conf/okvclient.ora
The file contents include lines that look something like this:
SERVER=host_ip:port_num
STANDBY_SERVER=host_ip:port_num
The keyring_okv plugin attempts to communicate with the server running on the host named by the SERVER variable and falls back to STANDBY_SERVER if that fails:
For the SERVER variable, a setting in the okvclient.ora file is mandatory.
For the STANDBY_SERVER variable, a setting in the okvclient.ora file is optional.
Go to the Oracle Key Vault installer directory and test the setup by running this command:
okvutil/bin/okvutil list
The output should look something like this:
Unique ID                               Type             Identifier
255AB8DE-C97F-482C-E053-0100007F28B9    Symmetric Key    -
264BF6E0-A20E-7C42-E053-0100007FB29C    Symmetric Key    -
For a fresh Oracle Key Vault server (a server without any key in it), the output looks like this instead, to indicate that there are no keys in the vault:
no objects found
Use this command to extract the ssl directory containing SSL materials from the okvclient.jar file:
jar xf okvclient.jar ssl
Copy the Oracle Key Vault support files (the okvclient.ora file and the ssl directory) into the configuration directory.
(Optional) If you wish to password-protect the key file, use the instructions in Password-Protecting the keyring_okv Key File.
After completing the preceding procedure, restart the MySQL server. It loads the keyring_okv plugin, and keyring_okv uses the files in its configuration directory to communicate with Oracle Key Vault.
Configuring keyring_okv for Gemalto SafeNet KeySecure Appliance
Gemalto SafeNet KeySecure Appliance uses the KMIP protocol (version 1.1 or 1.2). The keyring_okv keyring plugin (which supports KMIP 1.1) can use KeySecure as its KMIP back end for keyring storage.
Use the following procedure to configure keyring_okv and KeySecure to work together. The description only summarizes how to interact with KeySecure. For details, consult the section named Add a KMIP Server in the KeySecure User Guide.
Create the configuration directory that contains the KeySecure support files, and make sure that the keyring_okv_conf_dir system variable is set to name that directory (for details, see General keyring_okv Configuration).
In the configuration directory, create a subdirectory named ssl to use for storing the required SSL certificate and key files.
In the configuration directory, create a file named okvclient.ora. It should have the following format:
SERVER=host_ip:port_num
STANDBY_SERVER=host_ip:port_num
For example, if KeySecure is running on host 198.51.100.20 and listening on port 9002, the okvclient.ora file looks like this:
SERVER=198.51.100.20:9002
STANDBY_SERVER=198.51.100.20:9002
Connect to the KeySecure Management Console as an administrator with credentials for Certificate Authorities access.
Navigate to Security >> Local CAs and create a local certificate authority (CA).
Go to Trusted CA Lists. Select Default and click on Properties. Then select Edit for Trusted Certificate Authority List and add the CA just created.
Download the CA and save it in the ssl directory as a file named CA.pem.
Navigate to Security >> Certificate Requests and create a certificate. Then you can download a compressed tar file containing certificate PEM files.
Extract the PEM files from the downloaded file. For example, if the file name is csr_w_pk_pkcs8.gz, decompress and unpack it using this command:
tar zxvf csr_w_pk_pkcs8.gz
Two files result from the extraction operation: certificate_request.pem and private_key_pkcs8.pem.
Use this openssl command to decrypt the private key and create a file named key.pem:
openssl pkcs8 -in private_key_pkcs8.pem -out key.pem
Copy the key.pem file into the ssl directory.
Copy the certificate request in certificate_request.pem into the clipboard.
Navigate to Security >> Local CAs. Select the same CA that you created earlier (the one you downloaded to create the CA.pem file), and click Sign Request. Paste the Certificate Request from the clipboard, choose a certificate purpose of Client (the keyring is a client of KeySecure), and click Sign Request. The result is a certificate signed with the selected CA in a new page.
Copy the signed certificate to the clipboard, then save the clipboard contents as a file named cert.pem in the ssl directory.
(Optional) If you wish to password-protect the key file, use the instructions in Password-Protecting the keyring_okv Key File.
After completing the preceding procedure, restart the MySQL server. It loads the keyring_okv plugin, and keyring_okv uses the files in its configuration directory to communicate with KeySecure.
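The KeySecure procedure assembles the three files in the ssl directory by hand (a downloaded CA, a decrypted private key, and a certificate pasted from the clipboard), so it is worth confirming that they belong together before restarting the server. The following check is an added example, not code from the MySQL manual; it also applies to an ssl directory extracted from okvclient.jar for Oracle Key Vault. It assumes openssl is on PATH and honours the manual's password.txt when key.pem is encrypted; the function name and its SSL_DIR argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the MySQL manual: checks that CA.pem, cert.pem
# and key.pem in a keyring_okv ssl directory are mutually consistent, i.e.
# cert.pem chains to CA.pem and key.pem is the private half of the key pair
# in cert.pem. Assumes openssl on PATH; the function name and the SSL_DIR
# argument are this example's own. If ssl/password.txt exists it is used to
# decrypt key.pem, as keyring_okv itself does.

# Usage: verify_okv_ssl_materials SSL_DIR
# Returns 0 when the materials are consistent; returns 1 and reports the
# first mismatch otherwise.
verify_okv_ssl_materials() {
    ssl_dir=$1
    for f in CA.pem cert.pem key.pem; do
        [ -f "$ssl_dir/$f" ] || { echo "FAIL: $ssl_dir/$f is missing"; return 1; }
    done

    # 1. The client certificate must be signed by the CA that the KMIP back
    #    end trusts (the CA downloaded as CA.pem).
    openssl verify -CAfile "$ssl_dir/CA.pem" "$ssl_dir/cert.pem" >/dev/null 2>&1 \
        || { echo "FAIL: cert.pem does not verify against CA.pem"; return 1; }

    # 2. key.pem must match cert.pem: compare the public key derived from the
    #    private key with the one embedded in the certificate.
    if [ -f "$ssl_dir/password.txt" ]; then
        key_pub=$(openssl pkey -in "$ssl_dir/key.pem" \
                      -passin "file:$ssl_dir/password.txt" -pubout 2>/dev/null || true)
    else
        key_pub=$(openssl pkey -in "$ssl_dir/key.pem" -pubout 2>/dev/null || true)
    fi
    [ -n "$key_pub" ] \
        || { echo "FAIL: key.pem cannot be read (encrypted without a usable password.txt?)"; return 1; }
    cert_pub=$(openssl x509 -in "$ssl_dir/cert.pem" -pubkey -noout 2>/dev/null || true)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: key.pem does not match the public key in cert.pem"; return 1; }

    echo "OK: CA.pem, cert.pem and key.pem are consistent"
}
```

Run it as `verify_okv_ssl_materials /usr/local/mysql/mysql-keyring-okv/ssl`. A mismatch here means the TLS handshake to the KMIP back end will fail at server startup, which keyring_okv only reports in the error log; a pasted certificate that was signed by a different local CA, or a key.pem that was not the one used for the certificate request, are the two cases the check distinguishes.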
Configuring keyring_okv for Townsend Alliance Key Manager
Townsend Alliance Key Manager uses the KMIP protocol. The keyring_okv keyring plugin can use Alliance Key Manager as its KMIP back end for keyring storage. For additional information, see Alliance Key Manager for MySQL.
Password-Protecting the keyring_okv Key File
You can optionally protect the key file with a password and supply a file containing the password to enable the key file to be decrypted. To do so, change location to the ssl directory and perform these steps:
Encrypt the key.pem key file. For example, use a command like this, and enter the encryption password at the prompts:
shell> openssl rsa -des3 -in key.pem -out key.pem.new
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Save the encryption password in a single-line text file named password.txt in the ssl directory.
Verify that the encrypted key file can be decrypted using the following command. The decrypted file should display on the console:
shell> openssl rsa -in key.pem.new -passin file:password.txt
Remove the original key.pem file and rename key.pem.new to key.pem.
Change the ownership and access mode of the new key.pem file and password.txt file as necessary to ensure that they have the same restrictions as other files in the ssl directory.