MySQL / MariaDB SSL Connector (mutual certificate configuration)
I. MySQL driver configuration (mutual TLS)
1. Create the Java keystores
- ca.pem: from the MySQL installation's data directory, which holds ca.pem, ca-key.pem, client-cert.pem, client-key.pem, server-cert.pem, server-key.pem and so on
- truststoremysql: the trust store produced by importing ca.pem
- 123456: password of the truststoremysql trust store
2. CA certificate
keytool -importcert -alias Cacert -file ca.pem -keystore truststoremysql -storepass 123456
3. Client certificate
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:123456 -out client-keystore.p12
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore keystoremysql -deststoretype JKS -deststorepass 123456
4. JDBC config
username: root
password: 123456
driverClassName: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/test?useSSL=true&verifyServerCertificate=true&requireSSL=true&clientCertificateKeyStoreUrl=file:${ssl.cert.path}/keystoremysql&clientCertificateKeyStorePassword=123456&trustCertificateKeyStoreUrl=file:${ssl.cert.path}/truststoremysql&trustCertificateKeyStorePassword=123456&useUnicode=true&characterEncoding=utf8&autoReconnect=true&serverTimezone=Asia/Shanghai
II. MariaDB driver configuration (mutual TLS)
1. POM dependency
<dependency>
    <groupId>org.mariadb.jdbc</groupId>
    <artifactId>mariadb-java-client</artifactId>
</dependency>
2. Reference articles
- https://mariadb.com/kb/en/about-mariadb-connector-j/
- https://mariadb.com/kb/en/using-tls-ssl-with-mariadb-java-connector/#mutual-2-way-authentication
3. Create the Java keystores (same as above)
4. JDBC config
ssl:
  cert:
    path: ${SSL_PATH:/data1/mysql_data3}
  config: autoReconnect=true&sslMode=verify-ca&serverSslCert=${ssl.cert.path}/ca.pem&keyStore=${ssl.cert.path}/keystoremysql&keyStorePassword=123456
spring:
  main:
    allow-bean-definition-overriding: true
  datasource:
    driverClassName: org.mariadb.jdbc.Driver
    password: ${MASTER_PD}
    slave1:
      driverClassName: org.mariadb.jdbc.Driver
      password: ${EDB_PD}
      type: com.alibaba.druid.pool.DruidDataSource
      url: jdbc:mariadb://127.0.0.1:${EDB_PORT}/${EDB_DATA_BASE}?${ssl.config}
      username: ${MYSQL_USER:nvxdb_user}
    type: com.alibaba.druid.pool.DruidDataSource
    druid:
      maxActive: 100
      initialSize: 10
      minIdle: 10
      maxWait: 60000
      testOnBorrow: false
      testWhileIdle: true
      minEvictableIdleTimeMillis: 1800000
      validationQuery: select 1
      removeAbandonedTimeout: 30
      removeAbandoned: true
      timeBetweenConnectErrorMillis: 30000
    url: jdbc:mariadb://127.0.0.1:${MASTER_PORT}/${MASTER_DATA_BASE}?${ssl.config}
    username: ${MYSQL_USER:nvxdb_user}
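The two JDBC URLs above (section I for Connector/J, section II for MariaDB Connector/J) only give mutual TLS when the right parameters are all present; a missing `requireSSL`, `verifyServerCertificate` or an `sslMode=trust` quietly downgrades the connection. As an added example, not code from the original note, this small audit parses such a URL and reports what it actually guarantees; the sample URLs are constructed from the note's values and the `/data1/mysql_data3` path is the default from the `ssl.cert.path` setting.

```python
# Added example (not from the original note): audit the TLS parameters of the
# JDBC URLs in sections I and II. Covers MySQL Connector/J (legacy useSSL/
# requireSSL/verifyServerCertificate or sslMode) and MariaDB Connector/J 3.x.
from urllib.parse import parse_qs, urlsplit

SAMPLE_URLS = {  # constructed from the note's values
    "mysql-mutual": "jdbc:mysql://127.0.0.1:3306/test?useSSL=true&requireSSL=true"
                    "&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:/data1/mysql_data3/truststoremysql"
                    "&clientCertificateKeyStoreUrl=file:/data1/mysql_data3/keystoremysql",
    "mariadb-mutual": "jdbc:mariadb://127.0.0.1:3306/test?sslMode=verify-ca"
                      "&serverSslCert=/data1/mysql_data3/ca.pem&keyStore=/data1/mysql_data3/keystoremysql",
    "mysql-weak": "jdbc:mysql://127.0.0.1:3306/test?useSSL=true",  # fallback allowed, server unverified
    "mariadb-weak": "jdbc:mariadb://127.0.0.1:3306/test?sslMode=trust",  # encrypted, server unverified
}

def parse_jdbc_url(url):
    """Split 'jdbc:mysql://host:port/db?k=v&...' into (driver, params)."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    if parts.scheme not in ("mysql", "mariadb"):
        raise ValueError(f"unsupported driver: {parts.scheme}")
    # Keys are lower-cased for matching; the last occurrence of a key wins.
    return parts.scheme, {k.lower(): v[-1] for k, v in
                          parse_qs(parts.query, keep_blank_values=True).items()}

def audit_tls(url):
    """Report whether TLS is enforced (no plaintext fallback), the server cert is
    verified against a CA, a client cert is configured, and whether that is mTLS."""
    driver, p = parse_jdbc_url(url)
    mode = p.get("sslmode", "").lower()
    is_true = lambda key: p.get(key, "").lower() == "true"
    if driver == "mysql":
        if mode:  # Connector/J 8.0.13+: sslMode overrides the legacy flags
            enforced = mode in ("required", "verify_ca", "verify_identity")
            verified = mode in ("verify_ca", "verify_identity")
        else:     # legacy flags, as in the section I URL
            enforced = is_true("usessl") and is_true("requiressl")
            verified = is_true("usessl") and is_true("verifyservercertificate")
        client_cert = "clientcertificatekeystoreurl" in p
    else:  # MariaDB Connector/J 3.x: 'trust' encrypts but skips CA verification
        enforced = mode in ("trust", "verify-ca", "verify-full")
        verified = mode in ("verify-ca", "verify-full")
        client_cert = "keystore" in p
    return {"tls_enforced": enforced, "server_verified": verified,
            "client_cert": client_cert, "mutual_tls": verified and client_cert}

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:15} {audit_tls(url)}")
```

This audits the client side only; whether the server refuses a connection that presents no client certificate is decided by the account's REQUIRE clause (for example REQUIRE X509), not by anything in the URL.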
III. my.cnf configuration
[client]
port=3306
[mysqld]
# Enable SSL (key point)
require_secure_transport=ON
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
[mysql]
default-character-set=utf8