How to enable Data Encryption (SSL) for a JDBC driver

Posted in Mysql, security

In previous posts I explained how to enable SSL connections on the MySQL server; now I'll explain how to configure a Tomcat application so that its JDBC connections to MySQL are encrypted.

Certificates

If you don't already have a client certificate, create one signed by the same CA that signed the MySQL server certificate.

Creation

Create the client key and certificate request, strip any passphrase from the key, and sign the request with the CA. Everything happens in the certificate directory, /root/certs, where ca-cert.pem and ca-key.pem already live. One rule that trips people up: the Common Name you enter for the client certificate must differ from the CA's Common Name (and from the server's), otherwise the files will not work with MySQL servers built against OpenSSL.

cd /root/certs
# -nodes: unencrypted key, so Tomcat can load it without a passphrase
openssl req -newkey rsa:2048 -days 1000 \
  -nodes -keyout client-key.pem -out client-req.pem
# rewrite as a traditional RSA PEM (older MySQL/yaSSL builds cannot read PKCS#8 keys)
openssl rsa -in client-key.pem -out client-key.pem
# sign with the CA that also signed the server certificate
openssl x509 -req -in client-req.pem -days 1000 \
  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca-cert.pem client-cert.pem   # expect "client-cert.pem: OK"

Key Store

The Tomcat application needs the certificates in a Java key store. To build one:

Client Packet

Bundle the client key and certificate into a PKCS#12 file. openssl asks for an export password; it has to be the one you later pass to keytool as -srcstorepass. Because no -name is given, the key pair gets the default alias "1" inside the bundle, which is why the next step imports alias 1.

openssl pkcs12 -export -inkey client-key.pem -in client-cert.pem -out client.packet

myKS.jks

Create a new key store, myKS.jks, that contains the client bundle plus the CA certificate. The same password is used for everything here; that keeps the example short, but this password will end up in Tomcat's start-up options, so protect the file accordingly.

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore myKS.jks \
  -srckeystore client.packet -srcstoretype PKCS12 -srcstorepass password -alias 1
keytool -importcert -alias mysqlCA -trustcacerts -file /root/certs/ca-cert.pem -keystore myKS.jks -storepass password

The store now holds both entries it needs: the private key with its certificate, so Tomcat can authenticate as the client, and the CA certificate, so Tomcat can verify the server. Recent JDKs warn that JKS is a proprietary format; adding -deststoretype PKCS12 to the first command produces a PKCS12 store that works the same way.

Force Client SSL

On the MySQL server, make the account refuse unencrypted connections. GRANT ... IDENTIFIED BY was deprecated in 5.7 and removed in 8.0, so create the user with its SSL requirement first and grant privileges afterwards (on 5.6 and older, the REQUIRE clause goes on the GRANT statement instead). ALL PRIVILEGES is more than an application account needs; grant what the application actually uses.

CREATE USER 'username'@'hostaddress' IDENTIFIED BY 'password' REQUIRE SSL;
GRANT ALL PRIVILEGES ON database.* TO 'username'@'hostaddress';

REQUIRE SSL only demands an encrypted channel. If the server should also insist on the client certificate created above, use REQUIRE X509 (or REQUIRE ISSUER / REQUIRE SUBJECT to pin a specific one); otherwise the client key in the key store authenticates nothing. For an existing account, ALTER USER ... REQUIRE SSL does the same, and SHOW CREATE USER 'username'@'hostaddress' (5.7 and later) shows whether the requirement is in place.

Configure Tomcat

JAVA_OPTS

Give the JVM the key store (client certificate) and trust store (CA) and the password that unlocks them. Usually this is done by exporting JAVA_OPTS; put it in bin/setenv.sh, which catalina.sh sources on start-up, rather than editing catalina.sh itself.

export JAVA_OPTS="-Djavax.net.ssl.keyStore=/usr/local/etc/tomcat/certs/myKS.jks \
  -Djavax.net.ssl.keyStorePassword=password \
  -Djavax.net.ssl.trustStore=/usr/local/etc/tomcat/certs/myKS.jks \
  -Djavax.net.ssl.trustStorePassword=password"

Two things to keep in mind. These properties are JVM-wide: javax.net.ssl.trustStore replaces the default cacerts store, so every other TLS client in this Tomcat (HTTPS calls to external services, LDAPS, mail) will now trust only mysqlCA unless you import the public roots into myKS.jks as well; Connector/J's per-connection properties (clientCertificateKeyStoreUrl, clientCertificateKeyStorePassword, trustCertificateKeyStoreUrl, trustCertificateKeyStorePassword) avoid that side effect. And anything in JAVA_OPTS is visible to any local user who runs ps, so keep the password out of world-readable files.

Equivalently, the four properties are:

-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

Or you can set the values from inside the application, provided this runs before the first connection is opened: the default SSLContext reads these properties once, when it is first initialised, and ignores later changes.

System.setProperty("javax.net.ssl.keyStore","path_to_keystore_file");
System.setProperty("javax.net.ssl.keyStorePassword","password");
System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");
System.setProperty("javax.net.ssl.trustStorePassword","password");

JDBC URL

You also need to tell Connector/J to use SSL: add useSSL=true to the URL, or set the property useSSL to true in the java.util.Properties instance you pass to DriverManager.getConnection(). requireSSL=true makes the driver fail instead of falling back to cleartext when the server does not offer SSL, and verifyServerCertificate=true makes it check the server's certificate against the trust store. The original configuration set verifyServerCertificate=false, which turns the CA just imported into myKS.jks into decoration: the driver accepts any certificate, including one presented by a host sitting between Tomcat and MySQL. Since the CA is in the trust store, turn verification on.

The separator between parameters depends on where the URL is written: in a Java string or a .properties file it is a literal &; inside XML (the Hibernate configuration below, or a Tomcat context.xml Resource) it has to be escaped as &amp;.

<property name="hibernate.connection.url">jdbc:mysql://mysql.server.com/database?verifyServerCertificate=true&amp;useSSL=true&amp;requireSSL=true</property>

On Connector/J 8.0 these three flags are deprecated in favour of a single property: sslMode=VERIFY_CA gives the combination above, and sslMode=VERIFY_IDENTITY additionally checks that the server certificate's name matches the host in the URL, which only works if the server certificate was issued for mysql.server.com. The 8.0 default, sslMode=PREFERRED, encrypts when the server offers it but still falls back to cleartext and verifies nothing, so set it explicitly.
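To make the effect of these flags concrete, here is an added example (my code, not from the post or from Connector/J) that maps a URL's parameters onto Connector/J 8.0's sslMode using the translation documented for the driver, and reports which attacker each mode defends against. The function names (jdbc_params, effective_ssl_mode, assess) and the URLs other than the post's own are mine.

```python
"""Work out what a Connector/J URL's SSL parameters actually buy you.

Added example, not code from the original post or from MySQL Connector/J.
An explicit sslMode always wins; otherwise the legacy flags useSSL /
requireSSL / verifyServerCertificate are translated the way Connector/J 8.0
documents it.
"""
import html
from urllib.parse import parse_qsl

SSL_MODES = ("DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")


def jdbc_params(url: str) -> dict:
    """Query parameters of a jdbc:mysql:// URL; &amp; (as written in XML) is accepted."""
    if "?" not in url:
        return {}
    query = html.unescape(url.split("?", 1)[1])
    return dict(parse_qsl(query, keep_blank_values=True))


def _flag(params: dict, name: str, default: bool) -> bool:
    value = params.get(name)
    return default if value is None else value.strip().lower() == "true"


def effective_ssl_mode(params: dict) -> str:
    """Connector/J 8.0 rule: sslMode if set, else translate the legacy flags."""
    if "sslMode" in params:
        mode = params["sslMode"].strip().upper()
        if mode not in SSL_MODES:
            raise ValueError(f"unknown sslMode {mode!r}")
        return mode
    if not _flag(params, "useSSL", True):            # useSSL=false -> DISABLED
        return "DISABLED"
    if _flag(params, "verifyServerCertificate", False):
        return "VERIFY_CA"                             # useSSL=true + verify=true
    if _flag(params, "requireSSL", False):
        return "REQUIRED"
    return "PREFERRED"                                 # the 8.0 default


def assess(url: str) -> dict:
    """Threat-model view of the effective mode."""
    mode = effective_ssl_mode(jdbc_params(url))
    return {
        "mode": mode,
        "encrypted_when_server_offers_tls": mode != "DISABLED",
        # PREFERRED falls back to cleartext if the server greeting (itself sent
        # in the clear) does not advertise TLS, so a path attacker can strip it.
        "resists_downgrade": mode not in ("DISABLED", "PREFERRED"),
        # Only VERIFY_* check the chain against the trust store; REQUIRED
        # accepts any certificate, so an active MITM can terminate the TLS.
        "authenticates_server": mode in ("VERIFY_CA", "VERIFY_IDENTITY"),
        "checks_hostname": mode == "VERIFY_IDENTITY",
    }


# The post's own URL (as written inside XML) and constructed variants.
POST_URL = ("jdbc:mysql://mysql.server.com/database"
            "?verifyServerCertificate=false&amp;useSSL=true&amp;requireSSL=true")
HARDENED_URL = "jdbc:mysql://mysql.server.com/database?sslMode=VERIFY_CA"

if __name__ == "__main__":
    for url in (POST_URL, HARDENED_URL, "jdbc:mysql://h/db", "jdbc:mysql://h/db?useSSL=false"):
        print(url, "->", assess(url))
```

The post's original URL comes out as REQUIRED: encrypted and immune to downgrade, but not authenticated, so anyone who can get between Tomcat and MySQL can present their own certificate and read everything. Connector/J 5.1 has no sslMode; there the three legacy flags are read directly, with the same meanings.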

CHECK

Now check that the connection really is encrypted by capturing the traffic on either host (adding "and port 3306" to the filter keeps other traffic out). In the capture below, the TCP payload of the first packet, which starts at offset 0x34, begins with 17 03 01 00 80: a TLS application-data record, protocol version 3.1 (TLS 1.0), carrying 128 bytes of ciphertext, which with the 5-byte record header is exactly the 133 bytes tcpdump reports for the segment. On a cleartext connection the ASCII column would show the SQL text and result column names. Note that even an encrypted session starts with a cleartext MySQL greeting and SSLRequest packet, so look past the first exchange; from inside the application, SHOW SESSION STATUS LIKE 'Ssl_cipher' returning a non-empty value is the definitive check.

tcpdump -vv -X host mysql.server.com

10:23:00.248022 IP (tos 0x8, ttl 63, id 54119, offset 0, flags [DF], proto: TCP (6), length: 185) mysql.server.com.mysql > tomcat.server.com.47583: P 10579:10712(133) ack 1841 win 84 <nop,nop,timestamp 689316411 688094600>
0x0000: 4508 00b9 d367 4000 3f06 97a1 8123 f83e E....g@.?....#.>
0x0010: 8123 d5a8 0cea b9df 415c 1bf3 c367 64d4 .#......A\...gd.
0x0020: 8018 0054 0f33 0000 0101 080a 2916 223b ...T.3......).";
0x0030: 2903 7d88 1703 0100 80a7 a20d c3f6 8d30 ).}............0
0x0040: 5ef2 2d66 26ed 478b 9c0b 0c16 b895 4f5a ^.-f&.G.......OZ
0x0050: 0932 .2
10:23:00.285660 IP (tos 0x0, ttl 64, id 39934, offset 0, flags [DF], proto: TCP (6), length: 52) tomcat.server.com.47584 > mysql.server.com.mysql: ., cksum 0x4a19 (correct), 1841:1841(0) ack 10712 win 204 <nop,nop,timestamp 688094639 689316409>
0x0000: 4500 0034 9bfe 4000 4006 ce97 8123 d5a8 E..4..@.@....#..
0x0010: 8123 f83e b9e0 0cea 9672 ee08 943d 8a24 .#.>.....r...=.$
0x0020: 8010 00cc 4a19 0000 0101 080a 2903 7daf ....J.......).}.
0x0030: 2916 2239 )."9
10:23:00.287650 IP (tos 0x0, ttl 64, id 8370, offset 0, flags [DF], proto: TCP (6), length: 52) tomcat.server.com.47583 > mysql.server.com.mysql: ., cksum 0x66f9 (correct), 1841:1841(0) ack 10712 win 182 <nop,nop,timestamp 688094641 689316411>
0x0000: 4500 0034 20b2 4000 4006 49e4 8123 d5a8 E..4..@.@.I..#..
0x0010: 8123 f83e b9df 0cea c367 64d4 415c 1c78 .#.>.....gd.A\.x
0x0020: 8010 00b6 66f9 0000 0101 080a 2903 7db1 ....f.......).}.
0x0030: 2916 223b
