I'm working on a proof of concept to deploy using Flyway's command-line tool from a centralized server to deploy to multiple database platforms (MySQL, Postgres, and SQL Server).
I'm able to deploy successfully without SSL; however, it is using unencrypted host information such as logins/passwords/ports to the destination database server. My concern is there's a chance the unencrypted traffic could be seen.
Does anyone have experience with the Flyway command-line tool using SSL to deploy to MySQL and SQL Server?
I did not see any information in the documentation unless I missed it.
Thanks for any help and suggestions!
In the Flyway examples in flyway.conf, it shows how to add additional values to the JDBC URL, for example:
# MySQL : jdbc:mysql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# PostgreSQL : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# Redshift : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
So for Redshift/Postgres, for example, you can include the ssl=true flag:
flyway.url=jdbc:postgresql://yourserver:5439/dbname?ssl=true
You need to add the public key that the DB server key was signed with to your host's trust store (for Redshift see http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html for details on that), e.g.:
${JAVA_HOME}/bin/keytool -keystore ${JAVA_HOME}/lib/security/cacerts -import -alias <alias> -file <certificate_filename>
I then had to hack the flyway startup script /flyway to include the truststore and password in the JAVA_ARGS (it probably should have these as variables), e.g.:
JAVA_ARGS="-Djava.security.egd=file:/dev/../dev/urandom -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
For MySQL I used the following URL to connect using SSL.
jdbc:mysql://hostname:3306/wpastudy?useSSL=true
Note the useSSL=true parameter.
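An added example (not part of the original answers or of Flyway) that grades the two URLs quoted above, plus SQL Server, by whether the URL itself asks only for encryption or also for server-certificate verification, which is what the trust store import is for. The function names and the SQL Server sample URL are hypothetical; the properties checked (sslmode and sslfactory for pgjdbc, sslMode and verifyServerCertificate for MySQL Connector/J, encrypt and trustServerCertificate for the Microsoft driver) are those drivers' own names and do not appear on this page.

```python
"""Added example: grade the TLS settings a Flyway JDBC URL states explicitly."""

def jdbc_params(url):
    """Return the URL's driver properties with lower-cased keys and values."""
    if url.startswith("jdbc:sqlserver:"):
        tail, sep = url.partition(";")[2], ";"   # ;key=value;key=value
    else:
        tail, sep = url.partition("?")[2], "&"   # ?key=value&key=value
    pairs = (item.partition("=") for item in tail.split(sep))
    return {k.strip().lower(): v.strip().lower() for k, eq, v in pairs if eq}

def tls_posture(url):
    """Return 'verified', 'encrypted' (no explicit certificate check) or 'none'.
    Only properties written in the URL count; driver defaults vary by version.
    """
    p = jdbc_params(url)
    if url.startswith("jdbc:postgresql:"):
        mode = p.get("sslmode", "require" if p.get("ssl") == "true" else "disable")
        if "nonvalidatingfactory" in p.get("sslfactory", "") and mode.startswith("verify"):
            mode = "require"                     # factory skips chain validation
        if mode in ("verify-ca", "verify-full"):
            return "verified"
        return "encrypted" if mode == "require" else "none"
    if url.startswith("jdbc:mysql:"):
        mode = p.get("sslmode")                  # Connector/J 8.x property
        if mode is None and p.get("usessl") == "true":   # legacy properties
            mode = "verify_ca" if p.get("verifyservercertificate") == "true" else "required"
        if mode in ("verify_ca", "verify_identity"):
            return "verified"
        return "encrypted" if mode == "required" else "none"
    if url.startswith("jdbc:sqlserver:"):
        enc = p.get("encrypt")
        if enc == "strict" or (enc == "true" and p.get("trustservercertificate") == "false"):
            return "verified"
        return "encrypted" if enc == "true" else "none"
    raise ValueError("unsupported JDBC URL: " + url)

# First two URLs are the ones quoted on this page; the rest are constructed samples.
SAMPLE_URLS = [
    "jdbc:postgresql://yourserver:5439/dbname?ssl=true",
    "jdbc:mysql://hostname:3306/wpastudy?useSSL=true",
    "jdbc:postgresql://yourserver:5439/dbname?sslmode=verify-full",
    "jdbc:mysql://hostname:3306/wpastudy?sslMode=VERIFY_IDENTITY",
    "jdbc:sqlserver://hostname:1433;databaseName=dbname;encrypt=true;trustServerCertificate=false",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{tls_posture(url):9}  {url}")
```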