Enable MySQL SSL
About MySQL
MySQL is a fully managed database service used to deploy cloud-native applications. When you create a cluster in the Cluster Management Console (CMC), you must enter a JDBC connection string (URL) for the metadata database. Incorta can connect to your MySQL database with or without encryption; an encrypted connection uses SSL.
To use an SSL connection, you must enable the SSL option on both the MySQL database server and your Incorta hosts.
Important Terminologies
Before configuring your SSL connection, you should be familiar with the following terms and their definitions:
Terminology | Definition |
---|---|
TrustStore | A trustStore stores certificates from Certificate Authorities (CAs) that are used to verify the certificate presented by the server in an SSL connection. |
KeyStore | A keyStore stores the private key and identity certificates that a program presents to the other party (server or client) for verification. |
PKCS #12 | PKCS #12 is an archive file format for storing many cryptographic objects in a single file. |
Enable SSL Authentication
Prerequisites
To start enabling SSL authentication, you must generate the following .pem files and download them to your Incorta hosts:
- Host’s private key
- Host certificate
- Server certificate
Test the connection by connecting to your MySQL database from the command line interface (CLI) with the following command:
mysql -uroot -p -h <DB_HOST> --ssl-ca=server-ca.pem --ssl-cert=host-cert.pem --ssl-key=host-key.pem
where DB_HOST is the IP address or URL of your MySQL database server, server-ca.pem is the server certificate, host-cert.pem is the host's certificate, and host-key.pem is the host's private key.
You must also have OpenSSL downloaded and installed on your machine.
Set up SSL authentication
Set up SSL authentication on the database server and the Incorta hosts using the following steps:
On the database server, import server-ca.pem into a Java trustStore using the following command:
keytool -importcert -alias MySQLCACert -file server-ca.pem -keystore truststore -storepass mypassword
On Incorta hosts, convert the host’s private key and certificate files to a PKCS #12 archive using OpenSSL:
openssl pkcs12 -export -in host-cert.pem -inkey host-key.pem -name "mysql56_client" -passout pass:mypassword -out client-keystore.p12
where client-keystore.p12 is the resulting PKCS #12 archive.
Import the client key and certificate into a Java keyStore using the CLI:
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass mypassword -destkeystore mysql56_keystore -deststoretype JKS -deststorepass mypassword
Create a JDBC connection string using the Keystore file path
To create a JDBC connection string that uses SSL, add the following required properties to the connection string you are using:
Property | Description |
---|---|
useSSL=true | A flag that enables SSL for the connection |
trustCertificateKeyStoreUrl | The URL of the file that contains the generated Java trustStore |
trustCertificateKeyStorePassword | The password of the Java trustStore |
clientCertificateKeyStoreUrl | The URL of the file that contains the generated Java keyStore |
clientCertificateKeyStorePassword | The password of the generated Java keyStore file |
Example of a JDBC connection using SSL
jdbc:mysql://<db_ip_address>/incortadb?useUnicode=yes&characterEncoding=UTF-8&useSSL=true&clientCertificateKeyStoreUrl=file:/home/incorta/ssl-testing_56/mysql56_1_keystore&clientCertificateKeyStorePassword=mypassword&trustCertificateKeyStoreUrl=file:/home/incorta/ssl-testing_56/mysql56_trust_store&trustCertificateKeyStorePassword=mypassword
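The example string above appends the store passwords verbatim, so a password containing a query delimiter such as & or = would split the string at the wrong place. The following Python is an added example, not code from the Incorta documentation or from MySQL: it assembles the connection string with percent-encoded values (Connector/J URL-decodes property values) and then checks a string for the SSL properties listed in the table. It goes one step beyond the page by also checking verifyServerCertificate, a real Connector/J property that the table does not list. The host name, file paths and passwords are constructed sample values.

```python
"""Build and check a MySQL Connector/J JDBC URL that uses SSL with a trust store
and a client keystore. Added example, not Incorta's or MySQL's own code.
Host name, paths and passwords are constructed; verifyServerCertificate is a
real Connector/J property that the page's table does not mention.
"""
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, quote, urlsplit

# Properties the page lists as required for an SSL connection string.
REQUIRED_SSL_PROPS = (
    "useSSL",
    "trustCertificateKeyStoreUrl",
    "trustCertificateKeyStorePassword",
    "clientCertificateKeyStoreUrl",
    "clientCertificateKeyStorePassword",
)


def build_ssl_jdbc_url(host, database, truststore, truststore_pw,
                       keystore, keystore_pw, port=3306):
    """Assemble a connection string carrying every SSL property from the table.

    Values are percent-encoded so '&', '=' or '%' inside a password cannot
    corrupt the query string; ':' and '/' are left alone so file URLs stay
    readable. Connector/J decodes the values when it parses the URL.
    """
    props = {
        "useUnicode": "yes",
        "characterEncoding": "UTF-8",
        "useSSL": "true",
        # Without this, Connector/J 5.1 accepts any server certificate and the
        # trust store is never consulted for server identity.
        "verifyServerCertificate": "true",
        "trustCertificateKeyStoreUrl": Path(truststore).resolve().as_uri(),
        "trustCertificateKeyStorePassword": truststore_pw,
        "clientCertificateKeyStoreUrl": Path(keystore).resolve().as_uri(),
        "clientCertificateKeyStorePassword": keystore_pw,
    }
    query = "&".join(f"{k}={quote(v, safe=':/')}" for k, v in props.items())
    return f"jdbc:mysql://{host}:{port}/{database}?{query}"


def check_ssl_jdbc_url(url):
    """Return a list of findings for a connection string; an empty list means
    every check in this example passed."""
    findings = []
    if not url.startswith("jdbc:mysql://"):
        return ["not a jdbc:mysql:// URL"]
    parts = urlsplit(url[len("jdbc:"):])
    # parse_qs decodes percent-encoding; keep the last value of repeated keys.
    params = {k: v[-1] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    for prop in REQUIRED_SSL_PROPS:
        if prop not in params:
            findings.append(f"missing {prop}")
    if params.get("useSSL", "").lower() != "true":
        findings.append("useSSL is not true: the connection is unencrypted")
    if params.get("verifyServerCertificate", "").lower() != "true":
        findings.append("verifyServerCertificate is not true: "
                        "server identity is not checked against the trustStore")
    for prop in ("trustCertificateKeyStoreUrl", "clientCertificateKeyStoreUrl"):
        value = params.get(prop)
        if value is None:
            continue
        store = urlsplit(value)
        if store.scheme != "file":
            findings.append(f"{prop} is not a file: URL")
        elif not Path(store.path).is_file():
            findings.append(f"{prop} points to a missing file: {store.path}")
    return findings


def demo():
    """Build a URL against two constructed (empty) store files and check it.
    Returns (url, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        truststore = Path(tmp, "mysql56_trust_store")
        keystore = Path(tmp, "mysql56_keystore")
        truststore.write_bytes(b"")  # constructed stand-in for the JKS files
        keystore.write_bytes(b"")
        url = build_ssl_jdbc_url("db.example.internal", "incortadb",
                                 truststore, "p&ss=w0rd%", keystore, "mypassword")
        return url, check_ssl_jdbc_url(url)


if __name__ == "__main__":
    built, findings = demo()
    print(built)
    print(findings or "all SSL checks passed")
```

Running the module prints the encoded string and "all SSL checks passed"; feeding it a string that lacks verifyServerCertificate or points at a trustStore path that does not exist on the host returns a finding for each problem.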
For more information about MySQL security configuration, refer to the MySQL documentation: Security and Connecting Securely Using SSL.