MySQL Forums

Keyring_OKV integration with external KMS for TDE
Posted by: Simon Thornell
Date: December 12, 2023 02:57AM

Hi there,

I'm trying to configure MySQL db to use the keyring_okv to communicate using KMIP with my external KMS when doing TDE. I have the MEK in my KMS but I get multiple errors from MySQL during the setup.

I'm using Ubuntu 20.04 and I've tried 22.04 as well. I've installed the V1038776-01 package on Ubuntu 20.04 and V1038777-01 on 22.04.

After running through all the configuration steps online, in the /var/log/mysql/error.log I get:

2023-12-11T12:28:56.448105Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
2023-12-11T12:28:56.448130Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.35-commercial) starting as process 14038
2023-12-11T12:28:56.452968Z 0 [ERROR] [MY-011382] [Server] Plugin keyring_okv reported: 'Could not find entry for server in configuration file /usr/local/mysql/mysql-keyring-okv/okvclient.ora'
2023-12-11T12:28:56.452995Z 0 [ERROR] [MY-011384] [Server] Plugin keyring_okv reported: 'Could not parse the okvclient.ora file provided'
2023-12-11T12:28:56.453005Z 0 [ERROR] [MY-011377] [Server] Plugin keyring_okv reported: 'keyring_okv initialization failure. Please check that the keyring_okv_conf_dir points to a readable directory and that the directory contains Oracle Key Vault configuration file and ssl materials. Please also check that Oracle Key Vault is up and running.'
2023-12-11T12:28:56.453015Z 0 [ERROR] [MY-010202] [Server] Plugin 'keyring_okv' init function returned error.


But the config all looks ok in the okvclient.ora file (used X to keep my domain safe but see the test below using openssl with KMIP to check connectivity):

root@simon-virtual-machine:/usr/lib/mysql/plugin# cat /usr/local/mysql/mysql-keyring-okv/okvclient.ora
SERVER=XX.XXXXXXXX.XX:5696
STANDBY_SERVER=XX.XXXXXXXX.XX:5696

and my okvclient.ora looks ok:

[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
pid-file=/var/run/mysqld/mysqld.pid
socket=/var/run/mysqld/mysqld.sock
datadir=/var/lib/mysql
log-error=/var/log/mysql/error.log

Testing the cert, key etc. between DSM and my server hosting MySQL using KMIP also looks good:

root@simon-virtual-machine:/usr/local/mysql/mysql-keyring-okv/ssl# openssl s_client -connect XX.XXXXXXXX.XX:5696 -cert cert.pem -key key.pem -CAfile CA.pem
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = XX.XXXXXXXX.XX
verify return:1

Running MySQL enterprise:

mysql> SELECT VERSION();
+-------------------+
| VERSION() |
+-------------------+
| 8.0.35-commercial |
+-------------------+
1 row in set (0.00 sec)


Am I missing some configuration or do I need to install another package?

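The errors in the post all come from keyring_okv failing to parse okvclient.ora before it ever opens a KMIP connection, so an openssl handshake succeeding says nothing about that file. Below is an added pre-flight check (not from the forum post and not Oracle's keyring_okv code) that validates the layout MySQL documents for keyring_okv_conf_dir: okvclient.ora with SERVER=host:port and optional STANDBY_SERVER=host:port, plus ssl/CA.pem, ssl/cert.pem and ssl/key.pem. The parsing rules it enforces (no UTF-8 BOM, LF line endings, no whitespace around the key, the value or the '=', numeric port) are a conservative assumption of the documented form, since the plugin's tolerance for stray whitespace or CRLF is not documented; the host kms.example.test and the sample directories it builds are constructed for the demo.

```python
"""Pre-flight check for a keyring_okv_conf_dir before starting mysqld.

Added example, not from the forum post and not Oracle's keyring_okv plugin.
Checks the documented layout:

    <conf_dir>/okvclient.ora   SERVER=host:port, optional STANDBY_SERVER=host:port
    <conf_dir>/ssl/CA.pem, cert.pem, key.pem

The strictness (no BOM, LF endings, no whitespace around '=') is an assumption:
the plugin's exact parser tolerance is not documented, so deviations are flagged.
"""
import os
import tempfile

REQUIRED_SSL_FILES = ("CA.pem", "cert.pem", "key.pem")


def parse_okvclient_ora(text):
    """Return (entries, problems) for the text of an okvclient.ora file."""
    entries, problems = {}, []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM; the SERVER key will not match")
        text = text[1:]
    for lineno, raw in enumerate(text.split("\n"), 1):
        if raw.endswith("\r"):
            problems.append(f"line {lineno}: CRLF line ending (file edited on Windows?)")
            raw = raw[:-1]
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        if raw != raw.strip():
            problems.append(f"line {lineno}: leading/trailing whitespace")
        if "=" not in raw:
            problems.append(f"line {lineno}: not KEY=VALUE: {raw!r}")
            continue
        key, value = raw.split("=", 1)
        if key != key.strip() or value != value.strip():
            problems.append(f"line {lineno}: whitespace around '=' in {raw!r}")
        key, value = key.strip(), value.strip()
        host, sep, port = value.rpartition(":")
        if not sep or not host or not port.isdigit():
            problems.append(f"line {lineno}: {key} must be host:port, got {value!r}")
        elif not 1 <= int(port) <= 65535:
            problems.append(f"line {lineno}: {key} port out of range: {port}")
        entries[key] = value
    if "SERVER" not in entries:
        problems.append("no SERVER= entry; keyring_okv has no KMIP endpoint to contact")
    return entries, problems


def check_conf_dir(conf_dir):
    """Return a list of problems with a keyring_okv_conf_dir layout (empty if OK)."""
    problems = []
    ora = os.path.join(conf_dir, "okvclient.ora")
    if not os.path.isfile(ora):
        problems.append(f"missing {ora}")
    else:
        # newline="" keeps CR bytes so CRLF files are detected, not silently normalised
        with open(ora, "r", encoding="utf-8", newline="") as fh:
            _, ora_problems = parse_okvclient_ora(fh.read())
        problems.extend(f"okvclient.ora: {p}" for p in ora_problems)
    ssl_dir = os.path.join(conf_dir, "ssl")
    if not os.path.isdir(ssl_dir):
        problems.append(f"missing ssl subdirectory {ssl_dir}")
    else:
        for name in REQUIRED_SSL_FILES:
            path = os.path.join(ssl_dir, name)
            if not os.path.isfile(path):
                problems.append(f"missing {path}")
            elif name == "key.pem" and os.stat(path).st_mode & 0o077:
                problems.append(f"{path} is readable by group/other; chmod 600 it")
    return problems


def make_demo_conf_dir(conf_dir, ora_text, ssl_files=REQUIRED_SSL_FILES):
    """Build a constructed conf dir with placeholder PEM files (demo only)."""
    os.makedirs(os.path.join(conf_dir, "ssl"))
    with open(os.path.join(conf_dir, "okvclient.ora"), "w", newline="") as fh:
        fh.write(ora_text)
    for name in ssl_files:
        path = os.path.join(conf_dir, "ssl", name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real PEM
        if name == "key.pem":
            os.chmod(path, 0o600)
    return conf_dir


def demo():
    """Check one well-formed and one broken constructed directory."""
    good_ora = "SERVER=kms.example.test:5696\nSTANDBY_SERVER=kms.example.test:5696\n"
    bad_ora = "SERVER = kms.example.test:5696\r\n"  # spaces around '=' plus CRLF
    with tempfile.TemporaryDirectory() as root:
        good = make_demo_conf_dir(os.path.join(root, "good"), good_ora)
        bad = make_demo_conf_dir(os.path.join(root, "bad"), bad_ora,
                                 ssl_files=("CA.pem", "cert.pem"))
        return {"good": check_conf_dir(good), "bad": check_conf_dir(bad)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it with the real directory by calling check_conf_dir("/usr/local/mysql/mysql-keyring-okv") as the mysql user, since the plugin reads the files under mysqld's own identity and a root shell will not reproduce its permission errors.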



