Reference: Enabling SSL in MySQL 5.7 with client certificate authentication from Spring Boot
https://blog.csdn.net/weixin_42911645/article/details/127070812
Prerequisite: the database is already installed; MySQL 5.7 is used as the example.
1. Configure the MySQL server
- To confirm the location of the data directory, run the following statement:
show variables like 'datadir';
After installation the data directory normally already contains the certificate files generated by the server (a build linked against OpenSSL creates them at startup while auto_generate_certs is ON; otherwise they can be produced with the mysql_ssl_rsa_setup tool):
ca.pem, ca-key.pem, client-cert.pem, client-key.pem, server-cert.pem, server-key.pem
If these files are not present, they have to be generated manually -> [Create Certificate]
- Modify the MySQL configuration file (my.ini on Windows, my.cnf on Linux) and add the SSL settings. The [client] section only affects the mysql command-line tools run on this machine; remote clients configure their own certificates:
[client]
ssl-cert = "C:/ProgramData/MySQL/MySQL Server 5.7/Data/client-cert.pem"
ssl-key = "C:/ProgramData/MySQL/MySQL Server 5.7/Data/client-key.pem"
Note: if master-slave replication is configured, the master's certificate files must be copied to the slave.
[mysqld]
ssl-ca="C:/ProgramData/MySQL/MySQL Server 5.7/Data/ca.pem"
ssl-cert="C:/ProgramData/MySQL/MySQL Server 5.7/Data/server-cert.pem"
ssl-key="C:/ProgramData/MySQL/MySQL Server 5.7/Data/server-key.pem"
- Restart the MySQL service and check whether SSL is enabled: have_openssl and have_ssl must both be YES.
show variables like '%ssl%';
show variables like 'have%ssl%';
Enabling SSL this way only makes encryption available; it does not force anyone to use it. To reject unencrypted connections set require_secure_transport=ON (MySQL 5.7.8 and later), and to make the client certificate mandatory for an account use ALTER USER 'user'@'host' REQUIRE X509 (or REQUIRE SUBJECT / REQUIRE ISSUER to pin a specific certificate). Without that, a client that omits --ssl-cert still logs in with the password alone.
- Test a connection over SSL with the client key and certificate plus the password, then view the connection properties. Point --ssl-cert and --ssl-key at client-cert.pem and client-key.pem:
mysql -uroot -proot -h 127.0.0.1 -P 13306 --ssl-cert=D:/server/config/client-cert.pem --ssl-key=D:/server/config/client-key.pem
Two caveats for this command: giving the password as -proot exposes it in the process list and shell history (use -p alone and type it at the prompt), and without --ssl-ca=ca.pem --ssl-mode=VERIFY_CA the client encrypts the session but does not verify the server's certificate, so the test proves encryption, not the server's identity.
To determine whether the current connection to the server is encrypted, check the session value of the Ssl_cipher status variable. If the value is empty, the connection is not encrypted; otherwise it is, and the value names the cipher suite in use. For example:
mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher';
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES128-GCM-SHA256 |
+---------------+---------------------------+
For the mysql client, another way is to run STATUS or \s and check the SSL line:
# 1. Not in use
mysql> \s
...
SSL: Not in use
...
# 2. In use
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
...
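The [Create Certificate] step referenced in step 1 is not reproduced on this page. The script below is an added example from the editor, not part of the original post: it builds the same six files with openssl, checks that each certificate chains to the CA and matches its private key, and prints the matching [mysqld] fragment. It assumes openssl is on PATH; the output directory, validity period and the subject names MySQL_CA, MySQL_server and MySQL_client are hypothetical choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: create the CA, server and client
# certificate files for MySQL 5.7 and verify them before they are installed.
# Assumptions: openssl is on PATH; the output directory, validity period and
# the CN values MySQL_CA / MySQL_server / MySQL_client are hypothetical.
set -eu

# Generate ca.pem, ca-key.pem, server-cert.pem, server-key.pem, client-cert.pem
# and client-key.pem in $1 (default ./ssl), valid for $2 days (default 365).
# MySQL rejects a CA certificate whose subject equals the subject of the server
# or client certificate, so every certificate gets a distinct CN.
gen_mysql_certs() {
  local out="${1:-./ssl}"
  local days="${2:-365}"
  local name
  mkdir -p "$out"
  # Self-signed CA; -nodes leaves the key unencrypted so mysqld can load it.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=MySQL_CA" \
    -keyout "$out/ca-key.pem" -out "$out/ca.pem" 2>/dev/null
  for name in server client; do
    # Key plus certificate request, then sign the request with the CA.
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=MySQL_${name}" \
      -keyout "$out/${name}-key.pem" -out "$out/${name}-req.pem" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" -in "$out/${name}-req.pem" \
      -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
      -out "$out/${name}-cert.pem" 2>/dev/null
    rm -f "$out/${name}-req.pem"
  done
  # Private keys must not be world-readable. The server key stays on the
  # server, and the CA key is never copied to any client.
  chmod 600 "$out"/*-key.pem
}

# Return 0 if $2 (certificate) chains to $1 (CA) and $3 (private key) belongs
# to that certificate; any mismatch returns 1. Run this on each pair before
# copying it, and on the client pair before packaging it into a Java keystore.
verify_pair() {
  local ca="$1"
  local cert="$2"
  local key="$3"
  local cert_mod key_mod
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  cert_mod="$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)"
  key_mod="$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)"
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Print the [mysqld] fragment for my.ini / my.cnf that points at the files.
mysqld_ssl_config() {
  local dir="$1"
  printf '[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
    "$dir" "$dir" "$dir"
}

# Usage (source this file, then):
#   gen_mysql_certs /etc/mysql/ssl 730
#   verify_pair /etc/mysql/ssl/ca.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/server-key.pem
#   mysqld_ssl_config /etc/mysql/ssl >> /etc/mysql/my.cnf
```

Copy only ca.pem and the server pair into the data directory, and ca.pem plus the client pair to each client; the CA key stays offline. MySQL 5.7 also ships mysql_ssl_rsa_setup, which produces an equivalent file set. One compatibility caveat: older 5.7 builds linked against yaSSL rather than OpenSSL cannot read the PKCS#8 "BEGIN PRIVATE KEY" format that recent openssl writes by default, so for those servers convert the keys to the traditional "BEGIN RSA PRIVATE KEY" format first.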
2. The Java client connects to the database
- Obtain the three source files from the server: ca.pem, client-cert.pem and client-key.pem. Transfer client-key.pem over a secure channel and keep it readable only by the application user; for production, issue each application its own client certificate from the CA rather than sharing the server-generated pair.
In the directory holding the source files, run the following commands in order to generate the keystoremysql (client key and certificate) and truststoremysql (CA certificate) files.
The password can be changed freely; 123456 is only the example value used below.
1. Generate the truststore file
keytool -importcert -alias Cacert -file ca.pem -keystore truststoremysql -storepass 123456
2. Generate the intermediate PKCS#12 file
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:123456 -out client-keystore.p12
3. Generate the keystore file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore keystoremysql -deststoretype JKS -deststorepass 123456
The parameters of the commands above can be adjusted. Windows does not ship openssl, so run them on Linux. Use the same password throughout, because it is needed again in the configuration below. Two practical notes: keytool -importcert asks "Trust this certificate?" interactively unless -noprompt is given, and the intermediate .p12 file can be used directly as the keystore if the client is configured with clientCertificateKeyStoreType=PKCS12, which makes step 3 optional.
Generated results: truststoremysql and keystoremysql (plus the intermediate client-keystore.p12).
Alternatively, for convenience, the commands above are packaged as a script:
create.sh:
#!/bin/bash
# Usage: ./create.sh <password>
# Run in the directory that holds ca.pem, client-cert.pem and client-key.pem.
set -e
passwd=$1
outpath="$(pwd)/out"
echo "outpath: ${outpath}"
if [ -z "$passwd" ]; then
  echo 'The password must not be empty. Usage example: ./create.sh 123456'
  exit 1
fi
# Stop early if any of the three source files is missing.
for f in ca.pem client-cert.pem client-key.pem; do
  if [ ! -f "$f" ]; then
    echo "Missing source file: $f"
    exit 1
  fi
done
rm -rf "$outpath"
mkdir -p "$outpath"
echo '1 [Generating truststore file...]'
# -noprompt: keytool would otherwise ask "Trust this certificate?" and block a non-interactive run.
keytool -importcert -noprompt -alias Cacert -file ca.pem -keystore "${outpath}/truststoremysql" -storepass "${passwd}"
echo '2 [Generating intermediate PKCS#12 file...]'
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout "pass:${passwd}" -out "${outpath}/client-keystore.p12"
echo '3 [Generating keystore file...]'
keytool -importkeystore -srckeystore "${outpath}/client-keystore.p12" -srcstoretype pkcs12 -srcstorepass "${passwd}" -destkeystore "${outpath}/keystoremysql" -deststoretype JKS -deststorepass "${passwd}"
echo " "
echo "======= Files generated successfully ======"
echo "Copy the truststoremysql and keystoremysql files from ${outpath}"
echo "========================="
- Use the generated files keystoremysql and truststoremysql together with the password 123456 for the client connection.
The following is an example Spring configuration (application.properties). useSSL, requireSSL and verifyServerCertificate are the legacy Connector/J property names; Connector/J 8.0 still accepts them but prefers the single sslMode=VERIFY_CA, which requires encryption and verifies the server certificate against the truststore. Because the keystore path and password are embedded in the JDBC URL, any &, % or # in them must be URL-encoded, and the password should come from an environment variable or a secrets store rather than a committed properties file:
# Directory holding the generated files (keystoremysql, truststoremysql)
ssl.cert.path=C:\\Users\\cmc\\Desktop
# Password entered when the files were generated
ssl.password=123456
ssl.config=useSSL=true&verifyServerCertificate=true&requireSSL=true&clientCertificateKeyStoreUrl=file:${ssl.cert.path}/keystoremysql&clientCertificateKeyStorePassword=${ssl.password}&trustCertificateKeyStoreUrl=file:${ssl.cert.path}/truststoremysql&trustCertificateKeyStorePassword=${ssl.password}
# datasource configuration:
spring.datasource.master.url=jdbc:mysql://127.0.0.1:13306/db1?nullCatalogMeansCurrent=true&useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&serverTimezone=GMT%2B8&${ssl.config}