Changing the SST auth mechanism from plaintext to SSL encryption without downtime

Hi all,

I want to upgrade my 5.7 to 8.0, and for now the SST auth on the 5.7 nodes is using plaintext authentication (wsrep_sst_auth), but maybe for the initial step I will disable pxc-encrypt-cluster-traffic and enable it again later when the node already uses version 8.0.

So is it possible to change the SST auth mechanism from plaintext to SSL without downtime? Is there any way to do that?

Thank you.

This option no longer exists in PXC 8. You should remove it from your config before upgrading to 8. SST authentication is handled automatically by the wsrep_sst process. A new, temporary user is automatically created for the duration of the SST.

Ah yeah, I’m actually aware of that, so let's say I already used PXC 8 without SSL encryption. So, is it possible to enable the encryption later without downtime?

If you want to enable node-to-node SSL encryption (internal galera traffic), you will have to restart the cluster.

SST will be encrypted always because that process is external and has nothing to do with node-node communications.

Ah, I see, thanks for the answer. Really appreciate that.