Configuring SSL for MySQL and modifying the JDBC connection configuration

1. Use OpenSSL to create an SSL certificate and private key

  • Download the Win(xx)OpenSSL installer that matches your operating system
  • Create a new directory (cert/ in the commands below) to hold the generated certificates and private keys
# Generate a CA private key
openssl genrsa 2048 > cert/ca-key.pem
# Use the CA private key to create a self-signed CA certificate. The command prompts for a few
# questions and the answers can be arbitrary, with one exception: the Common Name (CN) of the CA
# must differ from the CN you later give the server and client certificates, otherwise MySQL
# servers built against OpenSSL reject them. -sha256 replaces the original -sha1, because
# SHA-1 certificate signatures are rejected at the default security level of current OpenSSL.
openssl req -sha256 -new -x509 -nodes -days 3650 -key ./cert/ca-key.pem > cert/ca-cert.pem
# Create the server's RSA private key and certificate request. This generates a new private key
# (server-key.pem) and uses it to produce a certificate signing request (server-req.pem).
# The same questions are asked and any answers will do, but "A challenge password" must be left empty.
openssl req -sha256 -newkey rsa:2048 -days 3650 -nodes -keyout cert/server-key.pem > cert/server-req.pem
# Convert the generated private key to the traditional RSA private key file format
openssl rsa -in cert/server-key.pem -out cert/server-key.pem
# Issue the server certificate, signed with the CA certificate and key created above
openssl x509 -sha256 -req -in cert/server-req.pem -days 3650 -CA cert/ca-cert.pem -CAkey cert/ca-key.pem -set_serial 01 > cert/server-cert.pem
# Create the client's RSA private key and certificate request
openssl req -sha256 -newkey rsa:2048 -days 3650 -nodes -keyout cert/client-key.pem > cert/client-req.pem
# Convert the generated private key to the traditional RSA private key file format
openssl rsa -in cert/client-key.pem -out cert/client-key.pem
# Issue the client certificate, signed by the same CA. Note that RFC 5280 requires a CA to give
# every certificate a unique serial number, so a different value (for example 02) is the correct choice here.
openssl x509 -sha256 -req -in cert/client-req.pem -days 3650 -CA cert/ca-cert.pem -CAkey cert/ca-key.pem -set_serial 01 > cert/client-cert.pem

1.1 SSL configuration

In the previous steps, we have generated 8 files, which are:

  • ca-cert.pem: CA certificate, used to sign the server and client digital certificates.
  • ca-key.pem: CA private key, used to sign the server and client digital certificates.
  • server-key.pem: RSA private key of the server
  • server-req.pem: server-side certificate request file, used to generate server-side digital certificate.
  • server-cert.pem: The digital certificate of the server.
  • client-key.pem: RSA private key of the client
  • client-req.pem: The client's certificate request file, used to generate the client's digital certificate.
  • client-cert.pem: The digital certificate of the client.
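As an added example (not part of the original post), the same certificate generation as a POSIX shell script: it sets distinct Common Names non-interactively, gives the client certificate its own serial number, and then verifies the result with openssl verify, a key/certificate modulus match and the CN check mentioned above. It assumes the openssl CLI is on PATH; the directory name and the CN values are assumptions.

```shell
#!/bin/sh
# Added example: generate a CA, a server certificate and a client certificate
# for MySQL, then verify the chain. Assumes `openssl` is on PATH.
set -eu

# Create the CA, server and client material in $1 (default: ./cert).
make_cert_chain() {
    dir="${1:-cert}"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate. Its CN (assumed value) must differ
    # from the server's and client's CN, or OpenSSL-built MySQL rejects the chain.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -nodes -days 3650 -key "$dir/ca-key.pem" \
        -subj "/CN=example-mysql-ca" -out "$dir/ca-cert.pem"
    # Server key + CSR, signed by the CA with serial 01.
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -subj "/CN=mysql-server.example" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -sha256 -in "$dir/server-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -out "$dir/server-cert.pem" 2>/dev/null
    # Client key + CSR, signed with a different serial (RFC 5280: unique per CA).
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$dir/client-key.pem" \
        -subj "/CN=mysql-client.example" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -sha256 -in "$dir/client-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Verify the generated files; return 1 on the first problem found.
verify_cert_chain() {
    dir="${1:-cert}"
    ca_subj=$(openssl x509 -noout -subject -in "$dir/ca-cert.pem")
    for leaf in server-cert.pem client-cert.pem; do
        # Each leaf must chain to the CA ...
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$leaf" >/dev/null || return 1
        # ... and must not reuse the CA's subject (the MySQL CN requirement).
        [ "$(openssl x509 -noout -subject -in "$dir/$leaf")" != "$ca_subj" ] || return 1
    done
    # The server key must belong to the server certificate (same RSA modulus).
    [ "$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server-key.pem" 2>/dev/null)" ] || return 1
    return 0
}

# Stand-alone usage: sh thisscript.sh <output-dir>
if [ "$#" -ge 1 ]; then
    make_cert_chain "$1" && verify_cert_chain "$1" && echo "certificate chain OK in $1"
fi
```

Run it with a directory argument; the verification step is the part worth keeping around, since it catches the two mistakes that make a MySQL TLS setup silently fail (a leaf certificate that does not chain to the configured ssl-ca, and a CN shared with the CA) before the server is restarted.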

2. Check whether the database supports SSL

First execute the following command on MySQL to check whether MySQL supports SSL:

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.02 sec)

When have_ssl is YES, the MySQL service already supports SSL. If it is DISABLED, SSL support is compiled in but not enabled, and you need to enable it when starting the MySQL service.

2.1 Set the MySQL configuration file and enable SSL authentication

vi my.cnf

# Add the following under the [mysqld] section. With require_secure_transport = ON the server
# refuses every TCP connection that is not encrypted.
[mysqld]
require_secure_transport = ON

2.2 Configure SSL for MySQL

Next we configure the server and the client separately:

  • Server-side configuration
    The server needs three files: the CA certificate, the server's RSA private key and the server's digital certificate. Add the following under the [mysqld] section:
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

We can also change bind-address so that the MySQL service accepts clients from all IP addresses (this exposes the port on every interface of the host, which is why the REQUIRE SSL step below matters), namely:

bind-address = *

Once the configuration is complete, restart the MySQL service. As a final step, add an account that requires SSL to log in, so that we can verify the SSL configuration has taken effect:

-- MySQL 5.7 syntax; GRANT ... IDENTIFIED BY was removed in 8.0, where the account is created with CREATE USER ... REQUIRE SSL first and then granted
GRANT ALL PRIVILEGES ON *.* TO 'ssl_test'@'%' IDENTIFIED BY 'ssl_test' REQUIRE SSL;
FLUSH PRIVILEGES;
  • Check whether the user is required to use SSL
SELECT ssl_type FROM mysql.user WHERE user = 'ssler';

If ssl_type is an empty string, the user is not required to use an SSL connection.

  • Configure the user to connect over SSL
ALTER USER 'ssler'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;

Running SELECT ssl_type FROM mysql.user WHERE user = 'ssler'; again now returns ANY, which means the user must connect over SSL.

Once the configuration is in place, log in to MySQL as root, passing the CA certificate together with the client certificate and key:

mysql --ssl-ca="D:/Program Files/OpenSSL-Win64/bin/cert/ca-cert.pem" --ssl-cert="D:/Program Files/OpenSSL-Win64/bin/cert/client-cert.pem" --ssl-key="D:/Program Files/OpenSSL-Win64/bin/cert/client-key.pem"  -u coisini -p

When the connection succeeds, executing show variables like '%ssl%' displays the following output:

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.01 sec)

3. Java JDBC configuration

Use the keytool shipped with the JDK to import the MySQL CA certificate into a truststore, producing the key file that Java will use.

Copy the ca-cert.pem generated above to the target host, then run the following commands:

  • Use this command to generate the truststore Java needs for the SSL connection (replace <password> with your own):
keytool -importcert -alias MySQLCACert -file "D:\Program Files\OpenSSL-Win64\bin\cert\ca-cert.pem" -keystore truststore -storepass <password>
  • Verify that the certificate is imported through instructions
$ keytool -list -keystore mysql.ks
输入密钥库口令:
密钥库类型: jks
密钥库提供方: SUN

您的密钥库包含 1 个条目

mysql, 2020-6-9, trustedCertEntry,
证书指纹 (SHA1): 6B:EE:FE:B4:74:89:A3:88:6C:49:22:44:6D:FB:88:DE:18:6A:7A:F6
  • Configure a system environment variable that points Java at the generated truststore
Name: JAVA_OPTS
Value: -Djavax.net.ssl.trustStore="<local path of the truststore generated in the previous step>" -Djavax.net.ssl.trustStorePassword="<password>"
  • JDBC configuration connection
##jdbc.properties:
yxaq.dz=jdbc:mysql://127.0.0.1:3306/yxaqgl?verifyServerCertificate=true&useSSL=true&requireSSL=true
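As an added example (not part of the original post), a POSIX shell script that builds the truststore non-interactively with keytool and lints a Connector/J JDBC URL for the settings that make the connection verified rather than merely encrypted. It assumes keytool from the JDK is on PATH; the alias, paths and password are assumptions. The check goes beyond the page's URL form: it also accepts Connector/J's newer sslMode property, where only VERIFY_CA and VERIFY_IDENTITY verify the server certificate.

```shell
#!/bin/sh
# Added example: truststore creation plus a lint for JDBC TLS settings.
set -eu

# Import the CA certificate into a truststore and confirm it landed there.
# Arguments: path to ca-cert.pem, truststore path, store password (assumed values).
build_truststore() {
    ca="$1"; store="$2"; pass="$3"
    keytool -importcert -noprompt -trustcacerts -alias MySQLCACert \
        -file "$ca" -keystore "$store" -storepass "$pass"
    keytool -list -keystore "$store" -storepass "$pass" | grep -q trustedCertEntry
}

# Return 0 when the URL's query string both enables TLS and verifies the server
# certificate; print the reason and return 1 otherwise.
check_jdbc_url() {
    url="$1"
    query="${url#*\?}"
    [ "$query" = "$url" ] && query=""
    # has <name=value>: true if that exact parameter is in the query string (case-insensitive)
    has() { printf '%s\n' "$query" | tr '&' '\n' | grep -qix "$1"; }
    # Connector/J 8.0.13+ property: these two modes verify the server certificate.
    if has 'sslMode=VERIFY_CA' || has 'sslMode=VERIFY_IDENTITY'; then
        return 0
    fi
    # Encrypted-but-unverified or disabled TLS: any server certificate is accepted.
    if has 'verifyServerCertificate=false' || has 'useSSL=false' || \
       has 'sslMode=DISABLED' || has 'sslMode=PREFERRED' || has 'sslMode=REQUIRED'; then
        echo "insecure: TLS disabled or server certificate not verified: $url" >&2
        return 1
    fi
    # Legacy property set used on this page: all three must be true.
    if has 'useSSL=true' && has 'requireSSL=true' && has 'verifyServerCertificate=true'; then
        return 0
    fi
    echo "incomplete: useSSL, requireSSL and verifyServerCertificate must all be true: $url" >&2
    return 1
}

# Stand-alone usage: sh thisscript.sh '<jdbc url>' [ca-cert.pem truststore password]
if [ "$#" -ge 1 ]; then
    check_jdbc_url "$1" && echo "JDBC URL enforces a verified TLS connection"
    [ "$#" -ge 4 ] && build_truststore "$2" "$3" "$4"
fi
```

The distinction the lint enforces is the one that matters in practice: useSSL=true with verifyServerCertificate=false (or sslMode=REQUIRED) encrypts the session but accepts whatever certificate the peer presents, so an interposed host can terminate the TLS connection itself; verifyServerCertificate=true (or VERIFY_CA) ties the session to the CA in the truststore, and VERIFY_IDENTITY additionally checks that the certificate matches the host name in the URL.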

Origin blog.csdn.net/An1090239782/article/details/111638075