Reputation: 201
Certificate and KeyStore Configuration When Securing JDBC Connection
I've managed to properly configure my java application to securely connect to my mysql, but I wonder: Is that is the proper way to configure the required certificate?
I've created a custom truststore and a custom keystore:
1 Imported the server CA certificate into my custom truststore file
keytool -import -alias mysqlServerCACert -file server-ca.pem -keystore truststore
2 Bundled the client cert and client key together into a pkcs12 file, and imported it to my custom keystore file
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12 -name clientalias -CAfile server-ca.pem
keytool -importkeystore -destkeystore keystore -srckeystore client.p12 -srcstoretype PKCS12 -alias clientalias
I've configured my jdbcUrl to use a secured connection:
mysql://[my_host]:3306/[my_db]?useUnicode=yes&characterEncoding=UTF-8&useSSL=true&requireSSL=true&verifyServerCertificate=true
I've set my application with the following JVM environment options:
JAVA_OPTS="
-Djavax.net.ssl.keyStore=/path_to_my_custom_keystore
-Djavax.net.ssl.keyStorePassword=mykeyStorePassword
-Djavax.net.ssl.trustStore=/path_to_my_custom_truststore
-Djavax.net.ssl.trustStorePassword=mytrustStorePasswordPassword"
But that way, I've actually altered the default keystore/truststore, which is normally located at: $JAVA_HOME/jre/lib/security/cacerts
And by doing that, some of the client-side libraries had started throwing errors when looking for their ssl certificates in the truststore
So, I've exported the entire default ca-certs to my custom truststore file (apparently there is no need to import it to my keystore, just to my truststore):
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /path_to_my_custom_truststore
Now, everything seems to be working as expected, by my main concern is that I'm now detached from the original default JVM cert store (keystore/truststore) at /etc/ssl/certs/java/cacerts, and therefore vulnerable to a future change in this file.
And to be more precise, what will happen when the JVM gets updated and new certificate aliases gets added?
Upvotes: 2
Views: 4589
Answers (1)
Reputation: 39291
It is a good practice to define your own truststore including the CA root certificates you accept instead of using the default set of trusted root CAs of the JVM.
This way you do not depend on the eventual updates of the JVM, that could add an undesired CA or remove a needed one. Modifiyng cacerts would also affect others applications using the same JVM.
It is not needed to add CA certificates to the keystore.
Upvotes: 1
Related Questions
- Java MySQL SSL connection with specified cert
- How to connect to MySQL server using SSL JDBC
- Java: SSL Connection to MySQL
- Java use SSL for database connection
- Set custom SSL truststore only for mysql jdbc
- Keystore and Certificate concepts
- SSL connection to MySQL server with Java
- JDBC parameter verifyServerCertificate=false connects without the need for a clientkeystore and truststore
- JDBC+SSL: Bundling a CA cert, client cert and client into a single keystore file
- ssl jdbc connection keystore not found