Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to connect to MySQL with X509 using JDBC?

Tags:

mysql

ssl

jdbc

I've set up a MySQL (Community Server, 5.1) database server.

I've set up SSL, created certificates, etc.

I've created a user that has the REQUIRES X509 attribute.

I can connect using this user using the command line client "mysql" and the "status" command shows that SSL is active, etc.

I've followed exactly the instructions from the MySQL site about importing the certificates into Java truststore/keystore files.

I just cannot connect to the database using these.

If I use just the truststore file using a user with REQUIRES SSL then all is fine. Using the keystore file with a user with REQUIRES X509 just isn't having it.

There seems to be lots of evidence on the web of people struggling with this and not many answers. Has ANYONE actually got this working?

like image 503
Mark Matten Avatar asked Dec 13 '22 00:12

Mark Matten


1 Answers

Cracked, listed here, in my comment at the bottom of the page: http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

After LITERALLY SPENDING A WEEK DOING THIS I have finally managed to connect using a client certifiacte (REQUIRES X509 on the user defintion)!!!!

rem NOTE: these commands are run using the Java 6 (1.6) JDK as it requires the "-importkeystore" command
rem which is not available before this JDK version.

rem Import the self signed Certifacte Authority certificate into a keystore.
keytool -import -alias mysqlCACert -file ca-cert.pem -keystore truststore -storepass truststore
rem Shows only the signed certificate.
keytool -v -list -keystore truststore -storepass truststore

rem Create a PKCS12 file from an existing signed client certifcate and its private key.
rem set password to "keystore".
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12 -name clientalias -CAfile ca-cert.pem -caname root
rem Import the combined certificate and private key into the keystore.
keytool -importkeystore -deststorepass keystore -destkeystore keystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass keystore -alias clientalias

Then specify the trusted certifcates file (the truststore) and the client certificate/key file (the keystore) in your Java application either via the connection URL, via the JVM start-up parameter arguments (-D=,...), or System.setProperty(var,val),...

It actually works!!!

like image 186
Mark Matten Avatar answered Dec 26 '22 03:12

Mark Matten