10.1 Ensure All Group Replication Traffic is Secured

Information

MySQL Group communication connections and distributed recovery connections can be secured using SSL.

Rationale:

SSL encryption ensures data cannot be seen over the network for Group Replication.

Solution

Edit my.cnf and set group_replication_ssl_mode, for example:

group_replication_ssl_mode=REQUIRED

Acceptable values are:

REQUIRED - Establish a secure connection if the server supports secure connections.

VERIFY_CA - Like REQUIRED, but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates.

VERIFY_IDENTITY - Like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is being established.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: c24bd86d46d3e828f2f7d3ff52e119bb149e3b72d34ea9f25d922d0bcd40d952