Oracle 5.0 Reference Manual page 2100


SSL in MySQL Connector/J encrypts all data (other than the initial handshake) between the JDBC
driver and the server. The performance penalty for enabling SSL is an increase in query processing
time between 35% and 50%, depending on the size of the query, and the amount of data it returns.

For SSL support to work, you must have the following:

• A JDK that includes JSSE (Java Secure Sockets Extension), like JDK-1.4.1 or newer. SSL does not
  currently work with a JDK that you can add JSSE to, like JDK-1.2.x or JDK-1.3.x due to the following
  JSSE bug:
  http://developer.java.sun.com/developer/bugParade/bugs/4273544.html

• A MySQL server that supports SSL and has been compiled and configured to do so, which is MySQL
  4.0.4 or later. For more information, see Section 6.3.6.2, "Configuring MySQL for SSL".

• A client certificate (covered later in this section)

The system works through two Java truststore files, one file contains the certificate information for
the server (truststore in the examples below). The other file contains the certificate for the client
(keystore in the examples below). All Java truststore files are password protected by supplying a
suitable password to the keytool when you create the files. You need the file names and associated
passwords to create an SSL connection.

You will first need to import the MySQL server CA Certificate into a Java truststore. A sample MySQL
server CA Certificate is located in the SSL subdirectory of the MySQL source distribution. This is what
SSL will use to determine if you are communicating with a secure MySQL server. Alternatively, use the
CA Certificate that you have generated or been provided with by your SSL provider.

To use Java's keytool to create a truststore in the current directory, and import the server's CA
certificate (cacert.pem), you can do the following (assuming that keytool is in your path. The keytool
is typically located in the bin subdirectory of your JDK or JRE):

shell> keytool -import -alias mysqlServerCACert \
         -file cacert.pem -keystore truststore

Enter the password when prompted for the keystore file. Interaction with keytool looks like this:

Enter keystore password: *********
Owner: EMAILADDRESS=walrus@example.com, CN=Walrus,
       O=MySQL AB, L=Orenburg, ST=Some-State, C=RU
Issuer: EMAILADDRESS=walrus@example.com, CN=Walrus,
       O=MySQL AB, L=Orenburg, ST=Some-State, C=RU
Serial number: 0
Valid from: Fri Aug 02 16:55:53 CDT 2002 until: Sat Aug 02 16:55:53 CDT 2003
Certificate fingerprints:
         MD5:  61:91:A0:F2:03:07:61:7A:81:38:66:DA:19:C4:8D:AB
         SHA1: 25:77:41:05:D5:AD:99:8C:14:8C:CA:68:9C:2F:B8:89:C3:34:4D:6C
Trust this certificate? [no]: yes
Certificate was added to keystore

You then have two options: either import the client certificate that matches the CA certificate you just
imported, or create a new client certificate.

Importing an existing certificate requires the certificate to be in DER format. You can use openssl to
convert an existing certificate into the new format. For example:

shell> openssl x509 -outform DER -in client-cert.pem -out client.cert

Now import the converted certificate into your keystore using keytool:

shell> keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate

To generate your own client certificate, use keytool to create a suitable certificate and add it to the
keystore file:

shell> keytool -genkey -keyalg rsa \
         -alias mysqlClientCertificate -keystore keystore
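Before pointing Connector/J at the two files, it is worth confirming what the keytool steps above actually stored. The following Java program is an added example, not part of the original manual: it uses the file names and aliases from this page, requires Java 9 or later, and reads the store passwords from the environment variables TRUSTSTORE_PASS and KEYSTORE_PASS, which are names assumed for this example.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added example: inspects the stores built with keytool in the steps above.
// "truststore", "keystore" and both aliases come from this page; the
// environment variable names are assumptions made for this example.
public class CheckStores {

    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    static void report(String path, String envVar, String alias) throws Exception {
        String password = System.getenv(envVar);
        if (password == null) throw new IllegalStateException(envVar + " is not set");

        // Java 9+: detects the store type (JKS or PKCS12) and checks the
        // store's integrity against the password while loading.
        KeyStore ks = KeyStore.getInstance(new File(path), password.toCharArray());
        if (!ks.containsAlias(alias))
            throw new IllegalStateException(path + ": no entry named " + alias);

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println(path + " / " + alias);
        // A key entry holds a private key; a certificate entry does not.
        System.out.println("  entry type : " + (ks.isKeyEntry(alias)
                ? "private key + certificate" : "trusted certificate only"));
        System.out.println("  subject    : " + cert.getSubjectX500Principal().getName());
        System.out.println("  issuer     : " + cert.getIssuerX500Principal().getName());
        System.out.println("  SHA-256    : " + sha256(cert));
        System.out.println("  valid until: " + cert.getNotAfter());
        cert.checkValidity();   // throws if the certificate is expired or not yet valid
    }

    public static void main(String[] args) throws Exception {
        report("truststore", "TRUSTSTORE_PASS", "mysqlServerCACert");
        report("keystore", "KEYSTORE_PASS", "mysqlClientCertificate");
    }
}
```

The printed SHA-256 value can be compared with the output of openssl x509 -noout -fingerprint -sha256 -in cacert.pem to confirm that the CA certificate in the truststore is the one you intended to trust. The sample CA certificate in the keytool output above was valid only until August 2003, so checkValidity() rejects it.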
