How to connect to MySQL with X509 using JDBC?

2020-02-29 04:29发布

问题:

I've set up a MySQL (Community Server, 5.1) database server.

I've set up SSL, created certificates, etc.

I've created a user that has the REQUIRES X509 attribute.

I can connect using this user using the command line client "mysql" and the "status" command shows that SSL is active, etc.

I've followed exactly the instructions from the MySQL site about importing the certificates into Java truststore/keystore files.

I just cannot connect to the database using these.

If I use just the truststore file using a user with REQUIRES SSL then all is fine. Using the keystore file with a user with REQUIRES X509 just isn't having it.

There seems to be lots of evidence on the web of people struggling with this and not many answers. Has ANYONE actually got this working?

回答1:

Cracked, listed here, in my comment at the bottom of the page: http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

After LITERALLY SPENDING A WEEK DOING THIS I have finally managed to connect using a client certifiacte (REQUIRES X509 on the user defintion)!!!!

rem NOTE: these commands are run using the Java 6 (1.6) JDK as it requires the "-importkeystore" command
rem which is not available before this JDK version.

rem Import the self signed Certifacte Authority certificate into a keystore.
keytool -import -alias mysqlCACert -file ca-cert.pem -keystore truststore -storepass truststore
rem Shows only the signed certificate.
keytool -v -list -keystore truststore -storepass truststore

rem Create a PKCS12 file from an existing signed client certifcate and its private key.
rem set password to "keystore".
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12 -name clientalias -CAfile ca-cert.pem -caname root
rem Import the combined certificate and private key into the keystore.
keytool -importkeystore -deststorepass keystore -destkeystore keystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass keystore -alias clientalias

Then specify the trusted certifcates file (the truststore) and the client certificate/key file (the keystore) in your Java application either via the connection URL, via the JVM start-up parameter arguments (-D=,...), or System.setProperty(var,val),...

It actually works!!!



标签: mysql ssl jdbc