Help with TDE setup in Percona MySQL 8 pxc cluster

Hello MySQL community,
I need help with an issue configuring TDE in a 3-node PXC Galera cluster. I used the configuration below in my.cnf on all 3 nodes.

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data= /home/mysqladm/TDE_Key/keyring_$node0
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[sst]
streamfmt=xbstream
encrypt=4
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[xtrabackup]
keyring_file_data= /home/mysqladm/TDE_Key/keyring_$node0

Issue: startup fails with error:
2024-08-01T18:45:15.149622Z 0 [ERROR] [MY-000067] [Server] unknown variable 'streamfmt=xbstream'.
2024-08-01T18:45:15.149731Z 0 [ERROR] [MY-010119] [Server] Aborting

After commenting out the parameter streamfmt=xbstream, the next attempt threw the error:
2024-08-01T19:13:50.530577Z 0 [ERROR] [MY-000067] [Server] unknown variable 'encrypt=4'.
2024-08-01T19:13:50.530653Z 0 [ERROR] [MY-010119] [Server] Aborting

Thank you,
Vasavi

Have you looked through our documentation on this?

Thank you Matthew for the response.

We are generating keys and certificates manually using internal certificates. For TDE, we are using the keyring plugin for now
(as in Simplified Percona XtraDB Cluster SSL Configuration).

We copied the key, cert and CA files from node 0 to the other 2 nodes, but named the files to reflect the respective hostname and specified those names in my.cnf on the respective nodes, as I posted before.
With the current setup, I can still see that they are valid:

ssl-cert-rn000158897: OK

Should we still name the files (key, cert and CA files) the same as on node 0?

Regarding the error below, we are planning to enable pxc_encrypt_cluster_traffic as a next step.

2024-08-02T02:41:32.195319Z 0 [Warning] [MY-000000] [WSREP] You have enabled keyring plugin. SST encryption is mandatory. Please enable pxc_encrypt_cluster_traffic. Check https://docs.percona.com/percona-xtradb-cluster/8.0/encrypt-traffic.html#encrypt-sst-traffic for more details.

I will update how it goes.

Thank you,
Vasavi

We are all set with the current configuration.

  • Enabled pxc_encrypt_cluster_traffic
  • Commented out streamfmt=xbstream

Thank you,
Vasavi
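Added example, not part of the thread or of Percona's tooling: a small lint script that parses a my.cnf in the shape posted in the first message and flags the three conditions the thread runs into, namely the two [sst] options (streamfmt, encrypt) that the posted logs show mysqld rejecting as unknown variables, and a keyring plugin loaded via early-plugin-load without pxc_encrypt_cluster_traffic=ON, which the WSREP warning in the second message says is mandatory. It also checks that the ssl-ca/ssl-cert/ssl-key trio is present under [mysqld] and that keyring_file_data matches between [mysqld] and [xtrabackup]. The sample option files are constructed from the posted configuration; the function names, the `$node0`/`$hostname` placeholders and the rule wording are my own.

```python
"""Lint a MySQL/PXC option file for the TDE + SST pitfalls seen in this thread.

Hypothetical helper written for this thread; it is not part of PXC or xtrabackup.
"""
from __future__ import annotations

# Constructed sample: the my.cnf exactly as posted in the first message.
SAMPLE_MY_CNF = """\
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data= /home/mysqladm/TDE_Key/keyring_$node0
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[sst]
streamfmt=xbstream
encrypt=4
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[xtrabackup]
keyring_file_data= /home/mysqladm/TDE_Key/keyring_$node0
"""

# Constructed sample: the same file with the thread's resolution applied
# (rejected [sst] options removed, cluster traffic encryption switched on).
FIXED_MY_CNF = """\
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/home/mysqladm/TDE_Key/keyring_$node0
pxc_encrypt_cluster_traffic=ON
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[sst]
ssl-ca=/home/mysqladm/mysql-ssl/ssl-ca-$hostname
ssl-cert=/home/mysqladm/mysql-ssl/ssl-cert-$hostname
ssl-key=/home/mysqladm/mysql-ssl/ssl-key-$hostname

[xtrabackup]
keyring_file_data=/home/mysqladm/TDE_Key/keyring_$node0
"""

# Options the posted logs show mysqld rejecting with MY-000067 "unknown variable".
REJECTED_SST_OPTIONS = ("streamfmt", "encrypt")


def parse_option_file(text: str) -> dict[str, dict[str, str | None]]:
    """Parse a MySQL option file into {group: {option: value}}.

    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to underscores; a bare option (no '=') is stored as None.
    '#' / ';' comments and '!include' directives are skipped.
    """
    groups: dict[str, dict[str, str | None]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            groups.setdefault(current, {})
            continue
        if current is None:
            continue  # option before any [group] header: ignored by mysqld too
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        groups[current][key] = value.strip() if sep else None
    return groups


def lint(groups: dict[str, dict[str, str | None]]) -> list[str]:
    """Return one finding per problem; an empty list means the checks passed."""
    findings: list[str] = []
    sst = groups.get("sst", {})
    for opt in REJECTED_SST_OPTIONS:
        if opt in sst:
            findings.append(f"[sst] {opt}={sst[opt]}: rejected as unknown variable in the thread's logs; remove it")

    mysqld = groups.get("mysqld", {})
    keyring_loaded = "keyring" in (mysqld.get("early_plugin_load") or "").lower()
    if keyring_loaded:
        # A bare 'pxc_encrypt_cluster_traffic' line means ON for a boolean option.
        if "pxc_encrypt_cluster_traffic" in mysqld:
            flag = mysqld["pxc_encrypt_cluster_traffic"]
            enabled = flag is None or flag.upper() in ("ON", "1", "TRUE")
        else:
            enabled = False
        if not enabled:
            findings.append("[mysqld] keyring plugin loaded but pxc_encrypt_cluster_traffic is not ON; "
                            "the WSREP warning says SST encryption is mandatory")
        for key in ("ssl_ca", "ssl_cert", "ssl_key"):
            if not mysqld.get(key):
                findings.append(f"[mysqld] {key} is not set; encrypted cluster traffic needs CA, cert and key")
        xb = groups.get("xtrabackup", {})
        if xb.get("keyring_file_data") != mysqld.get("keyring_file_data"):
            findings.append("keyring_file_data differs between [mysqld] and [xtrabackup]; "
                            "SST/backups would look for the wrong keyring")
    return findings


def lint_text(text: str) -> list[str]:
    """Convenience wrapper: parse and lint in one call."""
    return lint(parse_option_file(text))


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_MY_CNF), ("after fix", FIXED_MY_CNF)):
        print(f"== {name} ==")
        for f in lint_text(cfg) or ["no findings"]:
            print(" -", f)
```

Running it against the posted file reports the two [sst] options and the missing pxc_encrypt_cluster_traffic; against the corrected file it reports nothing. The `[sst]` ssl-* lines are left alone on purpose, since the thread's resolution keeps them.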