
Transmission encryption of seekdb

The underlying communication between components such as seekdb nodes, liboblog, and obadmin is based on the Libeasy library, so all of them load the private key and certificate the same way (local file mode). Specifically, the CA certificate, user certificate, and private key are stored in the wallet folder, and they are read and loaded from this directory when the configuration is enabled.

Procedure

To enable transmission encryption for seekdb, you need to use multiple configuration items in combination.

  1. Log in to seekdb as the root user.

  2. Specify the method for obtaining the private key, certificate, and CA certificate.

    ALTER SYSTEM SET ssl_external_kms_info = '
    {
    "ssl_mode":"file"
    }';
  3. Configure SSL communication for the MySQL port.

    By default, SSL communication for the MySQL port is disabled. You need to specify the SSL protocol version and then enable SSL communication, which will take effect immediately after the modification.

    1. You can specify the SSL protocol version using the sql_protocol_min_tls_version configuration item. The supported SSL protocol versions include TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. After specifying a version, the specified version and all higher versions are supported. For more information about enabling SSL connections, see sql_protocol_min_tls_version.

      ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
    2. You can enable SSL connections using the ssl_client_authentication configuration item. For more information about enabling SSL connections, see ssl_client_authentication.

      -- After setting it to TRUE, SSL communication for MySQL is immediately enabled.
      ALTER SYSTEM SET ssl_client_authentication = 'TRUE';
  4. Configure the SSL whitelist for RPC communication. Since TCP connections between seekdb nodes are long-lived, you need to restart seekdb for the RPC SSL encryption to take effect.

    -- SSL for RPC communication requires a whitelist configuration.
    ALTER SYSTEM SET _ob_ssl_invited_nodes='ALL';
    -- Specify an IP address.
    ALTER SYSTEM SET _ob_ssl_invited_nodes='135.xxx.xx.xx';

How to verify if communication encryption is enabled

The simplest method is to capture packets on the MySQL port and RPC port to check if encryption is enabled. Alternatively, you can:

  • Log in to seekdb using a MySQL client and query the ssl_cert_expired_time field in the oceanbase.GV$OB_SERVERS view to confirm whether encryption is enabled. When SSL is enabled, this field records the expiration time of the SSL certificate used by seekdb, as a UTC timestamp in microseconds.

    select ssl_cert_expired_time, from_unixtime(ssl_cert_expired_time/1000000) from oceanbase.GV$OB_SERVERS;
    +-----------------------+----------------------------------------------+
    | ssl_cert_expired_time | from_unixtime(ssl_cert_expired_time/1000000) |
    +-----------------------+----------------------------------------------+
    |            1871860075 | 2029-04-26 09:07:55                          |
    +-----------------------+----------------------------------------------+
    1 row in set (0.00 sec)

Check if SSL is enabled on the MySQL port

Log in to seekdb using a MySQL client and execute \s to view the SSL field. When SSL is in use, this field shows the negotiated cipher; in the example below, SSL is not in use:

\s
--------------
mysql Ver 15.1 Distrib 10.5.27-MariaDB, for Linux (x86_64) using readline 5.1

Connection id: 3221537922
Current database:
Current user: root@127.0.0.1
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MySQL
Server version: 5.7.25 OceanBase 4.3.5.3 SeekDB (r1.0.0.0) (Built 100000262025111218-5343637512e28c346f938516af53b7879d4d5974 Nov 12 2025)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 2881
Active --------------

Check if SSL is enabled on the RPC port

Search for the keyword "rpc connection accept" in the observer.log file to check the value of use_ssl, which indicates whether RPC SSL is enabled.

Tip

For RPC connections, the change takes effect only after seekdb is restarted, or, without restarting the cluster, after the existing RPC connections are disconnected and re-established.
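The two verification checks above (the ssl_cert_expired_time query against GV$OB_SERVERS and the use_ssl value on "rpc connection accept" lines in observer.log) as an added Python example; this is not code from the seekdb project. The GV$OB_SERVERS rows and observer.log lines are constructed samples, and the exact layout of the log line (peer=..., use_ssl=...) is an assumption; only the keyword and field name come from the page.

```python
import re
from datetime import datetime, timezone

# Constructed GV$OB_SERVERS rows: (svr_ip, svr_port, ssl_cert_expired_time).
# ssl_cert_expired_time is a UTC timestamp in microseconds; a 0 value is
# assumed here to mean SSL is not enabled on that server.
SAMPLE_ROWS = [
    ("10.0.0.1", 2882, 1871860075000000),
    ("10.0.0.2", 2882, 0),
]

# Constructed observer.log lines. The "(peer=..., use_ssl=...)" layout is an
# assumption; the page only names the keyword and the use_ssl field.
SAMPLE_LOG = """\
[2025-11-12 10:00:01.000001] INFO [RPC] rpc connection accept (peer=10.0.0.1:2882, use_ssl=1)
[2025-11-12 10:00:02.000002] INFO [RPC] rpc connection accept (peer=10.0.0.3:2882, use_ssl=0)
[2025-11-12 10:00:03.000003] INFO [SQL] unrelated line that also mentions use_ssl=0
"""

US_PER_DAY = 86_400_000_000


def cert_status(rows, now_us):
    """Map svr_ip -> (ssl_enabled, expiry as 'YYYY-MM-DD HH:MM:SS' UTC, days_left).

    now_us is the current time as microseconds since the epoch, so the
    days-left figure is computed in the same unit the view uses.
    """
    out = {}
    for ip, _port, expired_us in rows:
        if not expired_us:
            out[ip] = (False, None, None)
            continue
        expiry = datetime.fromtimestamp(expired_us / 1_000_000, tz=timezone.utc)
        out[ip] = (True, expiry.strftime("%Y-%m-%d %H:%M:%S"), (expired_us - now_us) // US_PER_DAY)
    return out


# Only lines carrying the "rpc connection accept" keyword are considered.
ACCEPT_RE = re.compile(r"rpc connection accept.*?peer=([\d.]+:\d+).*?use_ssl=(\d)")


def rpc_ssl_status(log_text):
    """Map each accepted RPC peer to whether its connection used SSL."""
    return {m.group(1): m.group(2) == "1" for m in ACCEPT_RE.finditer(log_text)}


def plaintext_rpc_peers(log_text):
    """Peers whose RPC connection was accepted without SSL (worth alerting on)."""
    return sorted(peer for peer, ssl in rpc_ssl_status(log_text).items() if not ssl)
```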