Enabling TLS 1.2 for MySQL Database Server

TLS 1.2 encrypts the connection between the MySQL server and the Cloudera Manager server. You must enable TLS 1.2 for the MySQL database before setting up Cloudera Manager and add the MySQL root Certificate Authorities (CA) to the Cloudera Manager truststore.

SSH into the MySQL database host.
Start the MySQL server:
```
service mysqld start
```
Establish an encrypted connection with the client:
```
mysql -p --ssl-mode=required
```
Verify whether TLS 1.2 is enabled on MySQL by running the following command:
```
mysql> show global variables like '%ssl%';
```
If TLS 1.2 is enabled, you see the value of have_ssl equal to YES, as follows. Otherwise, you see the value of have_ssl equal to DISABLED:
```
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | YES      |
| have_ssl      | YES      |
| ...           | ...      | 
```
If TLS 1.2 is enabled, then you can skip the following steps and go to Importing the MySQL root certificate.

Create a certificate authority by running the following commands:

mkdir /etc/my.cnf.d/ssl/
cd /etc/my.cnf.d/ssl/  
openssl genrsa 2048 > ca-key.pem

Create a certificate for the server using the CA certificate generated earlier by running the following command:

openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem

Create a certificate for the clients using the same CA certificate by running the following command:

openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Add the following lines in the /etc/my.cnf.d/server.cnf file under the [mysqld] section:
```
ssl-ca=/etc/my.cnf.d/ssl/ca-cert.pem
ssl-cert=/etc/my.cnf.d/ssl/server-cert.pem
ssl-key=/etc/my.cnf.d/ssl/server-key.pem
bind-address=*
```
You can view the content of the server.cnf file by running the following command:
```
vim /etc/my.cnf.d/server.cnf
```
Restart the MySQL server:
```
service mysqld restart
```

Check the TLS 1.2 status by running the following commands:

mysql -p --ssl-mode=required
> SHOW VARIABLES LIKE '%ssl%';
> status

Sample output:

> SHOW VARIABLES LIKE '%ssl%';
+-------------------------------------+-----------------+
| Variable_name                       | Value           |
+-------------------------------------+-----------------+
| admin_ssl_ca                        |                 |
| admin_ssl_capath                    |                 |
| admin_ssl_cert                      |                 |
| admin_ssl_cipher                    |                 |
| admin_ssl_crl                       |                 |
| admin_ssl_crlpath                   |                 |
| admin_ssl_key                       |                 |
| have_openssl                        | YES             |
| have_ssl                            | YES             |
| mysqlx_ssl_ca                       |                 |
| mysqlx_ssl_capath                   |                 |
| mysqlx_ssl_cert                     |                 |
| mysqlx_ssl_cipher                   |                 |
| mysqlx_ssl_crl                      |                 |
| mysqlx_ssl_crlpath                  |                 |
| mysqlx_ssl_key                      |                 |
| performance_schema_show_processlist | OFF             |
| ssl_ca                              | ca.pem          |
| ssl_capath                          |                 |
| ssl_cert                            | server-cert.pem |
| ssl_cipher                          |                 |
| ssl_crl                             |                 |
| ssl_crlpath                         |                 |
| ssl_fips_mode                       | OFF             |
| ssl_key                             | server-key.pem  |
+-------------------------------------+-----------------+

> status
SSL:			Cipher in use is ECDHE-RSA-AES128-GCM-SHA256