5

I set up SSL on my MySQL server.

I generated a few certificates for the CA (ca.pem, ca-key.pem), for the client (client-cert.pem, client-key.pem) and the server (server-cert.pem and server-key.pem).

In the Spring Boot configuration file, here is the link to MySQL defined in the application.yml file: jdbc:mysql://host:3306/bdd_name?useUnicode=true&characterEncoding=utf8&useSSL=true&requireSSL=true

I verify that my certificates are with openssl verify and I also verify by using a mysql client to set up a connection.

How do I link the Spring Boot application to my certificates (I have *.pem files) to finish my configuration?

Youssouf Maiga
  • Can you explain what you are trying to get Spring Boot to achieve ? – PaulNUK Apr 26 '17 at 13:25
  • 1
    My Spring Boot application needs to connect to the database in secure mode to do operations (select, insert, update, ...) on data used in the application. My question is how to configure the certificates to allow the MySQL server to accept the requests of the Spring application? – Youssouf Maiga Apr 26 '17 at 13:28
  • It works well without SSL. The datasource is correctly set in the Spring configuration file and NOW MY GOAL IS TO ADD SSL – Youssouf Maiga Apr 26 '17 at 13:45
  • http://stackoverflow.com/questions/14265115/configure-spring-to-connect-to-mysql-over-ssl – PaulNUK Apr 26 '17 at 14:25

2 Answers

13

Check my answer: https://stackoverflow.com/a/51879119/173149

I don't like to pollute java options or system properties, which are useless in application containers in any case...

You can set the SSL certificate for the MySQL connection programmatically with:

jdbc:mysql://example.com:3306/MYDB?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:cert/keystore.jks&clientCertificateKeyStorePassword=123456&trustCertificateKeyStoreUrl=file:cert/truststore.jks&trustCertificateKeyStorePassword=123456

It is documented:

gavenkoa
  • 1
    This is a more ideal answer that can be used in a production application, without changing the whole JVM's truststore. – vijay Jul 08 '19 at 20:33
  • Is there a way to encrypt the trust store password using jasypt when provided like this? – stackMan10 Jan 18 '22 at 14:52
  • @stackMan10 You can construct the jdbc link programmatically, supplying the password from a decrypted value. Spring YAML configs & Cloud Config have integration with `jasypt` in the form of the placeholder syntax `ENC()`: `client-secret: ENC(S/KaF.....)` Search for it. – gavenkoa Jan 18 '22 at 16:06
8

You need to add the "*.pem" files (cert and key) in a keystore and the CA in a "truststore".

This link explains well how to create your own keystore and truststore: http://roopindersingh.com/programming/converting-pem-certificates-and-private-keys-to-jks/

After that, you have to add these JVM parameters:

-Djavax.net.ssl.keyStore=/path/to/keystore/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/path/to/keystore/truststore.jks
-Djavax.net.ssl.trustStorePassword=password
Youssouf Maiga
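
The conversion the second answer describes, ending in the JDBC URL form from the first answer, as an added shell example that is not part of either answer. It assumes `openssl` and the JDK's `keytool` are on the PATH; the `STORE_PASS` variable, the aliases and the `pem2jks.sh` name are hypothetical, and the `${STORE_PASS}` left in the printed URL is meant to be resolved from the environment by Spring's property placeholders.

```shell
#!/bin/sh
# Added example: turn ca.pem, client-cert.pem and client-key.pem into the
# keystore.jks / truststore.jks files referenced in the answers above.
set -eu

# Constructed placeholder password; export a real secret before running.
STORE_PASS="${STORE_PASS:-changeit}"
export STORE_PASS   # read via env: (openssl) and :env (keytool), kept off argv

# Fail early if the client certificate was not issued by this CA.
check_chain() {      # $1=ca.pem  $2=client-cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# CA certificate -> truststore: lets the JVM verify the MySQL server.
make_truststore() {  # $1=ca.pem  $2=truststore.jks
    keytool -importcert -noprompt -alias mysql-ca -file "$1" \
        -keystore "$2" -storetype JKS -storepass:env STORE_PASS
}

# Client cert + private key -> PKCS#12 -> keystore: the identity the JVM presents.
make_keystore() {    # $1=client-cert.pem  $2=client-key.pem  $3=keystore.jks
    p12="$(mktemp)"
    openssl pkcs12 -export -in "$1" -inkey "$2" -name mysql-client \
        -passout env:STORE_PASS -out "$p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STORE_PASS \
        -destkeystore "$3" -deststoretype JKS -deststorepass:env STORE_PASS
    rm -f "$p12"
    chmod 600 "$3"   # the keystore holds the client private key
}

# JDBC URL in the form used by the first answer. ${STORE_PASS} is printed
# literally on purpose so the secret never lands in the config file.
jdbc_url() {         # $1=host  $2=database  $3=directory holding the stores
    printf 'jdbc:mysql://%s:3306/%s?useSSL=true&requireSSL=true&verifyServerCertificate=true' "$1" "$2"
    printf '&clientCertificateKeyStoreUrl=file:%s/keystore.jks' "$3"
    printf '&clientCertificateKeyStorePassword=${STORE_PASS}'
    printf '&trustCertificateKeyStoreUrl=file:%s/truststore.jks' "$3"
    printf '&trustCertificateKeyStorePassword=${STORE_PASS}\n'
}

# Usage: sh pem2jks.sh <dir-with-pem-files> <host> <database>
if [ "$#" -eq 3 ]; then
    check_chain "$1/ca.pem" "$1/client-cert.pem"
    make_truststore "$1/ca.pem" "$1/truststore.jks"
    make_keystore "$1/client-cert.pem" "$1/client-key.pem" "$1/keystore.jks"
    jdbc_url "$2" "$3" "$1"
fi
```

Only `ca.pem` and the client pair go into the stores; `ca-key.pem` and the server key stay on the machines that issued them.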