Berkeley DB's 18.1 release provides SSL support for the replication manager to enable secure communication among replication manager group members. This mainly prevents:
Snooping of data being exchanged between replication nodes by encrypting it
Spoofing in a replication group by means of certificate-based authentication
Berkeley DB uses openssl-library to provide this support. SSL support
is enabled by default in the replication manager. It can be disabled by
setting the replication manager flag (DB_REPMGR_CONF_DISABLE_SSL) before starting the
replication manager.
Note that Berkeley DB supports openssl-library versions greater than
or equal to 1.0.1 (as TLSv1_2_method() was introduced between version 1.0.0h and 1.0.1).
Note that SSL support exists on POSIX/UNIX and windows platforms.
The methods below are used by the replication manager to provide secure communication.
DB_ENV->repmgr_set_ssl_cert()
This method configures the SSL support for Berkeley DB Replication
Manager Messaging. The SSL support for Replication Manager may
also be configured using the environment's DB_CONFIG file. This
method is used to set the value of one of the following SSL
configuration options:
DB_REPMGR_SSL_CA_CERT
Location of CA certificate or CA chain certificate for verification.
DB_REPMGR_SSL_CA_DIR
Location of directory containing all CA /Intermediate CA certificates for verification.
DB_REPMGR_SSL_REPNODE_CERT
Location of certificate presented by this node to peers for authentication.
DB_REPMGR_SSL_REPNODE_PRIVATE_KEY
Location of Private Key corresponding to the RepNode certificate.
DB_REPMGR_SSL_REPNODE_KEY_PASSWD
Password protecting the aforementioned Private Key.
DB_REPMGR_SSL_VERIFY_DEPTH
Number of levels of verification allowed for peer certificate verification.
DB_REPMGR_CONF_DISABLE_SSL
This flag can be enabled via DB_ENV->rep_set_config()
method. When enabled, this flag disables SSL for the Replication Manager.
DB_VERB_REPMGR_SSL_ALL
A new which parameter value for the
DB_ENV->set_verbose()
method to display detailed diagnostic information about all
Replication Manager SSL processing.
DB_VERB_REPMGR_SSL_CONN
A new which parameter value for the
DB_ENV->set_verbose()
method to display detailed diagnostic information about Replication Manager
SSL connection setup (connect and accept) and shutdown processing.
DB_VERB_REPMGR_SSL_IO
A new which parameter value for the
DB_ENV->set_verbose()
method to display detailed diagnostic information about Replication Manager
SSL connection IO (reads and writes).