Security → Enable MySQL SSL

About MySQL

MySQL is a fully managed database service used to deploy cloud-native applications. In the Cluster Management Console (CMC), while creating a cluster, you must enter a JDBC connection string (URL) to connect to the metadata database. Incorta can connect to your MySQL database with or without encryption; an encrypted connection uses SSL.

To use an SSL connection, you must enable SSL on both the MySQL database server and your Incorta hosts.

Important Terminologies

Before configuring your SSL connection, you should be familiar with the following terms and their definitions:

  • TrustStore: A trustStore stores certificates from Certificate Authorities (CA) that are used to verify the certificate presented by the server in an SSL connection.
  • KeyStore: A keyStore stores the private key and identity certificate that a program presents to the other party (server or client) for verification.
  • PKCS #12: PKCS #12 is an archive file format for storing many cryptographic objects in a single file.

Enable SSL Authentication

Prerequisites

To start enabling SSL authentication, generate the following PEM files and download them to your Incorta hosts:

  • Host’s private key
  • Host certificate
  • Server certificate

Test the connection by connecting to your MySQL database from the command line interface (CLI) with the following command:

mysql -uroot -p -h <DB_HOST> \
--ssl-ca=server-ca.pem --ssl-cert=host-cert.pem --ssl-key=host-key.pem

Where DB_HOST is the IP address or URL of your MySQL database server, server-ca.pem is the server certificate, host-cert.pem is the host’s certificate, and host-key.pem is the host’s private key.

You must also have OpenSSL installed on your machine.

Set up SSL authentication

Set up SSL authentication on the database server and the Incorta hosts using the following steps:

  • On the database server, import server-ca.pem into a Java trustStore using the following command:

    keytool -importcert -alias MySQLCACert -file server-ca.pem \
    -keystore truststore -storepass mypassword
  • On Incorta hosts, convert the host’s private key and certificate files to a PKCS #12 archive using OpenSSL:

    openssl pkcs12 -export -in host-cert.pem -inkey host-key.pem -name "mysql56_client" \
    -passout pass:mypassword -out client-keystore.p12

Where client-keystore.p12 is the resulting PKCS #12 archive.

  • Import the client key and certificate into a Java Keystore using the CLI:

    keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass mypassword \
    -destkeystore mysql56_keystore -deststoretype JKS -deststorepass mypassword

Create a JDBC connection string using the Keystore file path

To have a JDBC connection string that uses SSL, add the following required properties to the connection string you are using.

  • useSSL=true: A flag that enables SSL for the connection.
  • trustCertificateKeyStoreUrl: The URL (file: path) of the Java trustStore generated above.
  • trustCertificateKeyStorePassword: The password of the Java trustStore.
  • clientCertificateKeyStoreUrl: The URL (file: path) of the Java keyStore generated above.
  • clientCertificateKeyStorePassword: The password of the Java keyStore.

Example of a JDBC connection using SSL

jdbc:mysql://<db_ip_address>/incortadb?useUnicode=yes&characterEncoding=UTF-8&useSSL=true&clientCertificateKeyStoreUrl=file:/home/incorta/ssl-testing_56/mysql56_1_keystore&clientCertificateKeyStorePassword=mypassword&trustCertificateKeyStoreUrl=file:/home/incorta/ssl-testing_56/mysql56_trust_store&trustCertificateKeyStorePassword=mypassword
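As an added example (not part of the Incorta documentation or its tooling), the shell functions below assemble the URL above from the stores generated in the previous steps and add two checks worth running first: that each store really contains the expected alias, and that the live session reports a cipher. They also set verifyServerCertificate=true, which the example above omits, so that Connector/J validates the server certificate against the trust store instead of only encrypting; the host, paths, user and aliases are placeholders.

```shell
#!/bin/sh
# Added example; assumes the stores, aliases and passwords created in the
# steps above. Host, user and paths are placeholders, not Incorta defaults.
set -eu

# Build the JDBC URL. verifyServerCertificate=true is added so the driver
# checks the server certificate against the trust store named in the URL.
jdbc_ssl_url() {
  host=$1; db=$2; keystore=$3; truststore=$4; password=$5
  printf 'jdbc:mysql://%s/%s?useUnicode=yes&characterEncoding=UTF-8&useSSL=true&verifyServerCertificate=true&clientCertificateKeyStoreUrl=file:%s&clientCertificateKeyStorePassword=%s&trustCertificateKeyStoreUrl=file:%s&trustCertificateKeyStorePassword=%s' \
    "$host" "$db" "$keystore" "$password" "$truststore" "$password"
}

# Confirm a Java store contains the alias used when it was built (e.g.
# MySQLCACert for the trust store, mysql56_client for the key store).
# Returns non-zero if keytool is missing or the alias is absent.
store_has_alias() {
  store=$1; password=$2; alias=$3
  command -v keytool >/dev/null 2>&1 || return 1
  keytool -list -keystore "$store" -storepass "$password" -alias "$alias" >/dev/null 2>&1
}

# Ask the server which cipher protects this session using the same PEM files
# as the CLI test above. Empty output means the session is not encrypted.
session_cipher() {
  host=$1; user=$2; ca=$3; cert=$4; key=$5
  mysql -u"$user" -p -h "$host" --ssl-ca="$ca" --ssl-cert="$cert" --ssl-key="$key" \
    -N -s -e "SHOW STATUS LIKE 'Ssl_cipher'" | awk '{ print $2 }'
}

# Usage (placeholder values):
#   store_has_alias /home/incorta/mysql56_trust_store mypassword MySQLCACert
#   store_has_alias /home/incorta/mysql56_1_keystore mypassword mysql56_client
#   jdbc_ssl_url 10.0.0.5 incortadb /home/incorta/mysql56_1_keystore \
#     /home/incorta/mysql56_trust_store mypassword
#   session_cipher 10.0.0.5 root server-ca.pem host-cert.pem host-key.pem
```

The password still travels in the URL, as in the example above; keep the CMC configuration that holds it readable only by the Incorta service account.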

For more information about MySQL security configuration, refer to the MySQL documentation: Security and Connecting Securely Using SSL.