G'day folks

I'm trying to use certs for securing connections between Tomcat 8.x and MySQL/MariaDB. I'm going to use a self-signed cert. What follows is what I think I should be doing, and I'd appreciate it if you jump in and correct me.

Create Backend(DB) certs

    sudo openssl genrsa 4096 > ca-key.pem
    sudo openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
    sudo openssl req -newkey rsa:4096 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
    sudo openssl rsa -in server-key.pem -out server-key.pem
    sudo openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

update the mysql cnf

    ca-key.pem
    server-key.pem
    server-cert.pem

Ok, here's where I don't know how to proceed. I think I have to use the Java keytool.

Where do I go from here?

ta OSP

user2967267
  • [self-signed certificates are insecure](http://stackoverflow.com/a/292769/351861). Use free certificates, there are plenty of them available, some even last a whole year and they're pretty easy to acquire. – specializt Apr 27 '16 at 11:00
  • @specializt OP wants to secure a connection between fixed, known endpoints, for which self-signed certs are absolutely fine. – f_puras Apr 27 '16 at 11:05
  • no, they aren't. Read the linked answer. Self-signed certs are **never** fine, they only serve development and testing purposes ... at best. – specializt Apr 27 '16 at 11:08

1 Answer

Assume you are looking for one-way SSL where MySQL is the server and Tomcat is the client, which needs JDBC over SSL.

  1. In the MySQL environment, set the paths of the CA and server certificates in the configuration file my.cnf

    ssl-ca=<PATH>/ca-cert.pem
    ssl-cert=<PATH>/server-cert.pem
    ssl-key=<PATH>/server-key.pem
    
  2. In the Tomcat environment, import your MySQL CA certificate.

    keytool -import -alias mysqlcacert -file ca-cert.pem -keystore truststore

  3. If not already done, set the truststore path in catalina.sh/bat (the truststore holds the CA certificate, so the properties are trustStore, not keyStore)

     JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=<PATH>/truststore"
     JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=<password>"
    
  4. JDBC url

    url="jdbc:mysql://host:port/db?autoReconnect=true&verifyServerCertificate=true&useSSL=true&requireSSL=true";
    
Roshith
  • Thanks, how does this work with the csr and the key ? – user2967267 Apr 27 '16 at 11:37
  • A CSR is just a certificate signing request; you need properly signed certificates for establishing SSL connections. You have already created CA and server certificates which can be used to set up an SSL channel. Why are you asking about the CSR? – Roshith Apr 27 '16 at 11:46
  • my understanding was that we need to give the csr, ca and the key into the keytool. – user2967267 Apr 27 '16 at 11:52
  • A CSR is for a CA to sign to give a certificate. You need signed certificates for SSL. You already have a self-signed CA, ca-key.pem, and a server certificate, server-key.pem, signed by the CA. You can try the steps suggested in the answer and see if it helps. – Roshith Apr 28 '16 at 04:39
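The whole procedure from the question and the answer, end to end, as an added example script (not part of the original post or answer). It covers the OpenSSL steps from the question and the keytool step from the answer, and goes a little beyond both: the server certificate gets a subjectAltName matching the database hostname (Connector/J with verifyServerCertificate=true checks it), the chain is verified with openssl before anything is deployed, and the Java truststore receives only ca-cert.pem, never a private key. The hostname db.example.internal, the working directory, the truststore password changeit and the 3600-day lifetime are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example: private CA + server cert for MySQL/MariaDB, verified chain,
# and a Java truststore for Tomcat. Hostname, paths and password are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DB_HOST="${DB_HOST:-db.example.internal}"   # assumed; must match the host in the JDBC URL
DAYS=3600
KEY_BITS=4096

# 1. Private CA: key plus self-signed certificate. ca-key.pem never leaves the
#    machine that signs certificates; only ca-cert.pem is distributed.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca-key.pem" "$KEY_BITS"
  openssl req -new -x509 -nodes -days "$DAYS" -key "$WORKDIR/ca-key.pem" \
    -subj "/CN=Internal DB CA" -out "$WORKDIR/ca-cert.pem"
}

# 2. Server key + CSR, signed by the CA. -CAcreateserial gives every issued cert
#    a distinct serial instead of reusing 01. The SAN must name the host Tomcat
#    connects to, otherwise verifyServerCertificate=true rejects the handshake.
make_server_cert() {
  openssl req -newkey "rsa:$KEY_BITS" -nodes -keyout "$WORKDIR/server-key.pem" \
    -subj "/CN=$DB_HOST" -out "$WORKDIR/server-req.pem"
  printf 'subjectAltName=DNS:%s\n' "$DB_HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/server-req.pem" -days "$DAYS" \
    -CA "$WORKDIR/ca-cert.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server-cert.pem"
}

# 3. Check the result the way a client will: the server cert must chain to the
#    CA and must carry the expected hostname. Exit status 0 means both hold.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/server-cert.pem" >/dev/null &&
  openssl x509 -in "$WORKDIR/server-cert.pem" -noout -text | grep -q "DNS:$DB_HOST"
}

# 4. Truststore for Tomcat: the CA certificate only, no private key. Skipped
#    with a message when no JDK (keytool) is installed on this machine.
make_truststore() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping truststore creation" >&2
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias mysqlcacert \
    -file "$WORKDIR/ca-cert.pem" -keystore "$WORKDIR/truststore.jks" \
    -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$WORKDIR/truststore.jks" -storepass changeit 2>/dev/null | grep -q mysqlcacert
}

main() {
  make_ca
  make_server_cert
  verify_chain
  make_truststore
  echo "certificates and truststore written to $WORKDIR"
}

main
```

After running it, copy ca-cert.pem, server-cert.pem and server-key.pem to the database host and reference them from my.cnf as ssl-ca, ssl-cert and ssl-key (ca-key.pem is not needed there), and point Tomcat at the truststore with -Djavax.net.ssl.trustStore=<WORKDIR>/truststore.jks and -Djavax.net.ssl.trustStorePassword=changeit. The JDBC URL then uses the same hostname that was put into the SAN.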