
Followup for TLS MariaDB server roll-out
Status: Open · Priority: Normal · Visibility: Public

Description

This is more of a "decisions" ticket; each specific action decided here should get its own subticket:

  • Pending, non-critical, to be decomm'ed hosts: T111654#3010354
  • Enforce TLS by all clients
  • Once it is enforced, which is the preferred cipher? size?
  • Renewal policy
  • Enforce TLS by MySQL as a client (replication user) and make sure it is verified
    • Do we have a plan in case of disaster?
  • Plans in case of a) one server's or client's private key being compromised, b) the CA being fully compromised
  • Check validity/expiration of certificates on icinga
  • Add other names other than the public dns to the certs (s1-master, s1-replica, ip address, etc.)
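As an added illustration (not from this task or from the operations/puppet repository), the following MariaDB SQL shows what the "enforce TLS by all clients" and "enforce TLS by MySQL as a client (replication user) and make sure it is verified" items look like once decided. All host names, account names, passwords and the CA path are placeholders; `require_secure_transport` assumes MariaDB 10.5.2 or later, the per-account `REQUIRE` clauses work on older versions too.

```sql
-- Added example, not part of the original ticket. Names, passwords and paths
-- are placeholders; adjust to the real environment.

-- 1. Server-wide: refuse every plaintext TCP connection (MariaDB >= 10.5.2).
--    Local UNIX-socket connections are unaffected, which is what the separate
--    "socket" option mentioned in the timeline is for.
SET GLOBAL require_secure_transport = ON;

-- 2. Per-account enforcement, for older servers or as a second layer.
--    REQUIRE SSL rejects plaintext logins; REQUIRE X509 additionally forces the
--    client to present a certificate signed by a CA the server trusts, which
--    is the stronger choice for the replication user.
CREATE USER 'app'@'10.64.0.0/255.255.0.0'
  IDENTIFIED BY '<placeholder-app-password>' REQUIRE SSL;
CREATE USER 'repl'@'%'
  IDENTIFIED BY '<placeholder-repl-password>' REQUIRE X509;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%';

-- 3. Replica side. MASTER_SSL = 1 on its own only encrypts the link; without
--    MASTER_SSL_VERIFY_SERVER_CERT = 1 the replica accepts any certificate, so
--    a host that can intercept the connection could impersonate the primary.
--    Verification checks the chain against the CA and the certificate name
--    against the host the replica connects to, which is why the ticket asks
--    for extra names (s1-master, IP addresses) in the certificates.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST = 's1-master.example.internal',          -- placeholder host
  MASTER_USER = 'repl',
  MASTER_PASSWORD = '<placeholder-repl-password>',
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/ssl/certs/internal-ca.pem',     -- placeholder CA path
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- 4. Audit before flipping the switch: accounts that still allow plaintext
--    logins (ssl_type is empty), and whether this session negotiated a cipher.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The audit query is worth running first: turning on `require_secure_transport` while clients without TLS support are still connecting is an outage, not a hardening.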

Related Objects

Status      Assigned
Open        None
Open        aaron
Stalled     None
Open        None
Resolved    jcrespo
Open        None
Open        None
Open        None
Open        None
Resolved    jcrespo
Resolved    Cmjohnson
Resolved    Cmjohnson
Resolved    Cmjohnson
Resolved    jcrespo
Resolved    Marostegui
Resolved    RobH
Resolved    Andrew
Resolved    Cmjohnson
Resolved    jcrespo
Resolved    Cmjohnson
Resolved    Cmjohnson
Resolved    jcrespo
Resolved    Cmjohnson
Resolved    jcrespo
Resolved    Papaul
Resolved    Marostegui
Resolved    RobH
Resolved    RobH

Event Timeline

jcrespo created this task. Feb 9 2017, 5:31 PM
Restricted Application added a subscriber: Aklapper. Feb 9 2017, 5:31 PM

Change 337018 had a related patch set uploaded (by Jcrespo):
Install wmf-mariadb-client for client-only installs

https://gerrit.wikimedia.org/r/337018

Change 337018 merged by Jcrespo:
Install wmf-mariadb-client for client-only installs

https://gerrit.wikimedia.org/r/337018

Change 337022 had a related patch set uploaded (by Jcrespo):
Apply a3ded1b40909f9351 (mariadb client install) to production

https://gerrit.wikimedia.org/r/337022

Change 337022 merged by Jcrespo:
Apply a3ded1b40909f9351 (mariadb client install) to production

https://gerrit.wikimedia.org/r/337022

jcrespo moved this task from Triage to Backlog on the DBA board. Feb 14 2017, 3:04 PM

Change 338988 had a related patch set uploaded (by Jcrespo):
Remove old CA (ssl='on') and add a new option "socket"

https://gerrit.wikimedia.org/r/338988

m1 slave db1001 has been restarted and TLS enabled.

Change 338988 merged by jenkins-bot:
[operations/puppet/mariadb] Remove old CA (ssl='on') and add a new option "socket"

https://gerrit.wikimedia.org/r/338988

jcrespo updated the task description.
jcrespo updated the task description. Jun 26 2018, 4:50 PM
jcrespo added a subscriber: Vgutierrez.

CC @Vgutierrez pending work regarding TLS rollout FYI