I found MySQL easy to set up. I suspect MariaDB would be set up similarly; here is a 
small example:

Generate keys / certificates:
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

Import to keystore (for tomcat):
https://dev.mysql.com/doc/connector-j/en/connector-j-reference-using-ssl.html

Enable in the MySQL config:

[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem

To enable SSL for JSSE, we need to load the trust store and keystore. We can do this 
right in Tomcat:

-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

Or load through the application:

System.setProperty("javax.net.ssl.keyStore","path_to_keystore_file");
System.setProperty("javax.net.ssl.keyStorePassword","password");
System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");
System.setProperty("javax.net.ssl.trustStorePassword","password");

Add the following to the JDBC connection string:

connectionURL="jdbc:mysql://example.com:3306/equsers?useSSL=true&requireSSL=true&

And you are done for MySQL.

Regards,

Harrie

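As an added example (not part of Harrie's message and not code from the MySQL or Tomcat documentation), the same trust store / keystore properties and URL parameters applied from a standalone Java program, followed by a check that the session really negotiated TLS rather than silently falling back to plaintext. Host, database, credentials and keystore paths are placeholders; it assumes a MySQL or MariaDB server with SSL enabled and the MySQL Connector/J driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SslJdbcCheck {
    // Constructed placeholder URL: same useSSL/requireSSL parameters as in the message above.
    private static final String URL =
        "jdbc:mysql://example.com:3306/equsers?useSSL=true&requireSSL=true";

    public static void main(String[] args) throws SQLException {
        // Same JSSE properties as the -D flags, set from the application instead
        // (placeholder paths and passwords).
        System.setProperty("javax.net.ssl.trustStore", "/etc/tomcat/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.setProperty("javax.net.ssl.keyStore", "/etc/tomcat/keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

        try (Connection conn = DriverManager.getConnection(URL, "appuser", "secret")) {
            String cipher = negotiatedCipher(conn);
            if (cipher.isEmpty()) {
                // requireSSL=true should already have refused this, but verify anyway.
                throw new IllegalStateException("Connection is NOT encrypted");
            }
            System.out.println("TLS cipher in use: " + cipher);
        }
    }

    /** Asks the server which cipher this session negotiated; an empty value means plaintext. */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString("Value") : "";
        }
    }
}
```

The same `SHOW SESSION STATUS LIKE 'Ssl_cipher'` query can be run from the mysql client against the Tomcat pool's sessions to confirm each one reports a cipher.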

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday 7 April 2016 22:35
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Encrypted jdbc

Mark,

On 4/7/16 12:30 PM, Mark Eggers wrote:
> OSP,
> 
> On 4/7/2016 8:28 AM, Christopher Schultz wrote:
>> OSP,
>>
>> On 4/7/16 10:08 AM, Linux Support wrote:
>>> Greetings all,
>>>
>>> ===== Server number:  8.0.28.0 OS Name:        Linux OS Version:
>>> 2.6.32-573.8.1.el6.x86_64 JVM Version:    1.8.0_66-b17 =====
>>>
>>> Back end database is mariadb residing on another remote linux 
>>> instance. I have downloaded and copied the Mariadb jdbc driver to 
>>> the lib directory of the TC server.
>>>
>>> Can you let me know how to encrypt the database connectivity from 
>>> the TC instance to the DB instance.
>>
>> Just to confirm: you want to encrypt the communication channel 
>> between your application (really the JDBC driver) and the database?
>>
>> -chris
> 
> 
> There appears to be at least two ways of doing this.
> 
> 1. Build an SSH tunnel between your Tomcat server and DB server
> 
> This requires ssh and remote access to the DB server. You'll also want 
> to configure a tunnel to come up when your Tomcat server is restarted 
> and resume if the tunnel disconnects. You'll probably want to use a 
> certificate-based authentication for the SSH tunnel so user names and 
> passwords don't have to be entered.

You can also use stunnel which is slightly simpler and IMO more reliable, since 
stunnel has a daemon which can auto-connect, etc.

> 2. Use SSL at the JDBC level
> 
> MariaDB can be configured to use SSL, and the client can be configured 
> to use a certificate. I've not done this, but it appears that the 
> connection parameters are useSSL=true, requireSSL=true, 
> serverSslCert=certpath. certpath appears to be an absolute file path, 
> a path relative to the current classpath, or a DER-encoded certificate string.
> 
> You may (most probably) have to install JCE for the version of Java 
> that you are using.
> 
> Please note that I've not tried any of this. Hopefully, the above 
> pointers will get you started.

IIRC, *MySQL* is a giant pain in the neck to get going with SSL. I'm not sure 
if MariaDB is any easier.

Your existing Java version should be sufficient to make outgoing SSL 
connections; there's no need to add JCE or anything else, unless you want to 
add the unlimited-strength policy files to allow for ciphers with larger keys.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org