FLUSH HOSTNAMES

The FLUSH HOSTNAMES command is used to renew IP addresses associated with agent host names. If you want to always query the DNS for getting the host name IP, you can use the hostname_lookup directive.

mysql> FLUSH HOSTNAMES;
Query OK, 5 rows affected (0.01 sec)

In many cases, you might want to encrypt traffic between your client and the server. To do that, you can specify that the server should use the HTTPS protocol rather than HTTP.

ssl_ca = ca-cert.pem
ssl_cert = server-cert.pem
ssl_key = server-key.pem

ssl_cert = server-cert.pem
ssl_key = server-key.pem

These steps will help you generate the SSL certificates using the 'openssl' tool.

The server can use a Certificate Authority to verify the signature of certificates, but it can also work with just a private key and certificate (without the CA certificate).

openssl genrsa 2048 > ca-key.pem

To generate a self-signed CA (root) certificate from the private key (make sure to fill in at least the "Common Name"), use the following command:

openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem

The server uses the server certificate to secure communication with the client. To generate the certificate request and server private key (ensure that you fill in at least the "Common Name" and that it is different from the root certificate's common name), execute the following commands:

openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Once completed, you can verify that the key and certificate files were generated correctly by running:

openssl verify -CAfile ca-cert.pem server-cert.pem

When your SSL configuration is valid, the following features are available:

• You can connect to the multi-protocol port (when no listener type is specified) over HTTPS and run queries. Both the request and response will be SSL encrypted.
• You can connect to the dedicated https port with HTTP and run queries. The connection will be secured (attempting to connect to this port via plain HTTP will be rejected with a 400 error code).
• You can connect to the MySQL port with a MySQL client using a secured connection. The session will be secured. Note that the Linux mysql client tries to use SSL by default, so a typical connection to Manticore with a valid SSL configuration will most likely be secured. You can check this by running the SQL 'status' command after connecting.

If your SSL configuration is not valid for any reason (which the daemon detects by the fact that a secured connection cannot be established), apart from an invalid configuration there may be other reasons, such as the inability to load the appropriate SSL library at all. In this case, the following things will not work or will work in a non-secured manner:

• You cannot connect to the multi-protocol port with HTTPS. The connection will be dropped.
• You cannot connect to the dedicated https port. The HTTPS connections will be dropped
• Connection to the mysql port via a MySQL client will not support SSL securing. If the client requires SSL, the connection will fail. If SSL is not required, it will use plain MySQL or compressed connections.

• Binary API connections (such as connections from old clients or inter-daemons master-agent communication) are not secured.
• SSL for replication needs to be set up separately. However, since the SST stage of the replication is done through the binary API connection, it is not secured either.
• You can still use any external proxies (e.g., SSH tunneling) to secure your connections.