MariaDB SSL connection with Connector/J Setup help
I just installed MariaDB 10.1.11 on CentOS 7 and enabled SSL connections. I created the root CA, Server Cert/Key, & Client Cert/Key as spelled out in the instructions from this link http://xmodulo.com/enable-ssl-mysql-server-client.html (used -sha256 instead of -sha1).
I added the variables in the [mysqld] section of the server.cnf file and restarted MariaDB. I created a user and granted them privileges with a "require x509" suffix.
I have 2 users created (nossluser, ssluser):
grant all on *.* to nossluser;
grant all on *.* to ssluser require X509;
I can log in from the command line using MySQL without any problems:
mysql -u nossluser -p <--- works fine with the user that has no ssl requirement
mysql -u ssluser -p --ssl-cert client-cert.pem --ssl-key client-key.pem --ssl-ca ca-cert.pem <-- this works fine
I can also connect from a remote client using MySQL workbench using the same ca-cert.pem, client-cert.pem, client-key.pem as I used on the command line.
My problem is when I try to create a Java client connection using the MariaDB Connector/J. I have tried issuing the connection using useSSL=true, requireSSL=true, serverSslCert=server-cert.pem, but it does not work. I get the: "Could not connect: Access denied for user 'ssluser'@192.168.1.9' (using password: YES)" error message.
I also enabled java.net.debug and I get a message in the log that says: "Warning:no suitable certificate found - continuing without client authentication"
Now if I change the user to "require ssl" instead of "require x509", the connection works, but I still see the java net debug warning "no suitable certificate found", which I assume means that the SSL connection did not work but it allowed the connection anyway.
Any ideas on the correct connection settings for the Connector/J?
Thanks,
Willie
Answered by Diego Dupin in this comment.
Hi,
You are using the right options. As you must have seen in the documentation, serverSslCert can be used in one of 3 forms:
- serverSslCert=/path/to/cert.pem (full path to certificate)
- serverSslCert=classpath:relative/cert.pem (relative to current classpath)
- or as verbatim DER-encoded certificate string "------BEGIN CERTIFICATE-----".
So that leaves 2 possible problems:
- 256-bit encryption, which is not supported by Java out of the box. You need to install JCE (Java Cryptography Extension). Is it installed?
- Have you tried defining the full path of the certificate: serverSslCert=/path/to/cert.pem
Since 1.3.4, you can store the certificate in a JKS keystore using the trustCertificateKeyStoreUrl option. That may be a better solution than having the certificate on the server.
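
The JKS approach mentioned at the end of the answer, as an added example that is not part of the original thread or the Connector/J project: it imports the ca-cert.pem from the question into a JKS truststore and prints a matching JDBC URL. The class name, output file name, default password, host and database are placeholders, and the `file:` URL form and the trustCertificateKeyStorePassword option are assumptions to check against the documentation of the Connector/J version in use.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class BuildTrustStore {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: ca-cert.pem is the CA file named in the question;
        // the output file name and the password are placeholders.
        String caPem = args.length > 0 ? args[0] : "ca-cert.pem";
        String jksPath = args.length > 1 ? args[1] : "mariadb-truststore.jks";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null); // start from an empty keystore

        // A PEM file may hold several certificates (root plus intermediates).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = new FileInputStream(caPem)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                X509Certificate x509 = (X509Certificate) cert;
                x509.checkValidity(); // fail early on an expired or not-yet-valid CA
                trustStore.setCertificateEntry("mariadb-ca-" + count++, x509);
                System.out.println("Trusted: " + x509.getSubjectX500Principal());
            }
        }
        if (count == 0) {
            throw new IllegalStateException("No certificate found in " + caPem);
        }
        try (OutputStream out = new FileOutputStream(jksPath)) {
            trustStore.store(out, password);
        }

        // Host and database are placeholders; the password is left out of the
        // printed URL so it does not end up in logs.
        String url = "jdbc:mariadb://db.example.com:3306/test"
                + "?useSSL=true"
                + "&trustCertificateKeyStoreUrl=" + Paths.get(jksPath).toUri()
                + "&trustCertificateKeyStorePassword=<password>";
        System.out.println(url);
    }
}
```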