Following up my article on Secure JDBC connection to MySQL from Java: it is often the case that your Java code will not connect to the database directly but will instead look up a connection from a container-managed connection pool. This article describes how to configure a GlassFish connection pool to connect to MySQL securely using keystore/truststore SSL keys. Thanks very much to Thomas Schaefer for this information.
GlassFish Connection Pool
Using the GlassFish administration console, creating a connection pool of MySQL database connections is easy. To secure the communication, go to the "Additional Properties" tab and add the properties listed below; replace the values between [] with your own.
Name                               Value
requireSSL                         true
useSSL                             true
trustCertificateKeyStorePassword   [password_to_truststore]
clientCertificateKeyStoreUrl       file:/c:/temp/keystore.jks
clientCertificateKeyStoreType      JKS
clientCertificateKeyStorePassword  [password_to_keystore]
trustCertificateKeyStoreType       JKS
password                           [database_user_password]
trustCertificateKeyStoreUrl        file:/c:/temp/cacerts.jks
user                               [database_user_name]
url                                jdbc:mysql://[server_name]

The keystore.jks and cacerts.jks files are the tricky part of this configuration. How you use them depends on your situation, but in general cacerts.jks holds your certificate authority's certificate and keystore.jks holds a client certificate signed by that certificate authority. When the JDBC driver connects to the database, the certificate from keystore.jks is presented to the database server, which accepts it because it was signed by your certificate authority. In the same way, the database server presents its certificate to GlassFish, and GlassFish accepts it because your certificate authority is in cacerts.jks.
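As an added example (not from the original post or from the GlassFish project), the same pool can be created from a script with asadmin instead of the administration console. The pool name, the data source class name and the key/truststore paths are assumptions; the property names are the ones from the table above. The one trap is that asadmin's --property syntax treats ':' and '=' as separators, so the colons inside the file: and jdbc:mysql:// values must be backslash-escaped, which the helper functions below do:

```shell
#!/bin/sh
# Added example (not from the original post): scripting the same SSL-enabled
# connection pool with asadmin instead of the admin console. The pool name,
# the data source class name and the key/truststore paths are assumptions;
# the property names are those from the table above.
#
# asadmin's --property option uses ':' to separate properties and '=' to
# separate a name from its value, so a literal ':' or '=' inside a value
# (the file: URLs, the jdbc:mysql:// URL) has to be escaped with a backslash.

# escape_value VALUE -> prints VALUE with '\', ':' and '=' backslash-escaped
escape_value() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g' -e 's/=/\\=/g'
}

# build_properties NAME=VALUE ... -> prints the colon-joined --property string,
# escaping each value. The first '=' in each argument separates name from value.
build_properties() {
    out=""
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        escaped=$(escape_value "$value")
        if [ -z "$out" ]; then
            out="$name=$escaped"
        else
            out="$out:$name=$escaped"
        fi
    done
    printf '%s' "$out"
}

# Secrets come from the environment so they are not hard-coded in the script;
# the defaults are the same placeholders used in the table above.
POOL_NAME="${POOL_NAME:-mysql-ssl-pool}"
DB_SERVER="${DB_SERVER:-[server_name]}"
DB_USER="${DB_USER:-[database_user_name]}"
DB_PASSWORD="${DB_PASSWORD:-[database_user_password]}"
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-[password_to_keystore]}"
TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-[password_to_truststore]}"

PROPS=$(build_properties \
    "requireSSL=true" \
    "useSSL=true" \
    "clientCertificateKeyStoreUrl=file:/c:/temp/keystore.jks" \
    "clientCertificateKeyStoreType=JKS" \
    "clientCertificateKeyStorePassword=$KEYSTORE_PASSWORD" \
    "trustCertificateKeyStoreUrl=file:/c:/temp/cacerts.jks" \
    "trustCertificateKeyStoreType=JKS" \
    "trustCertificateKeyStorePassword=$TRUSTSTORE_PASSWORD" \
    "user=$DB_USER" \
    "password=$DB_PASSWORD" \
    "url=jdbc:mysql://$DB_SERVER")

# Connector/J 8 data source class (assumption; Connector/J 5 shipped it as
# com.mysql.jdbc.jdbc2.optional.MysqlDataSource).
DS_CLASS=com.mysql.cj.jdbc.MysqlDataSource

# Only run asadmin when explicitly asked; otherwise just show the command.
if [ "${RUN_ASADMIN:-0}" = "1" ]; then
    asadmin create-jdbc-connection-pool \
        --datasourceclassname "$DS_CLASS" \
        --restype javax.sql.DataSource \
        --property "$PROPS" \
        "$POOL_NAME"
else
    printf 'asadmin create-jdbc-connection-pool --datasourceclassname %s --restype javax.sql.DataSource --property %s %s\n' \
        "$DS_CLASS" "$PROPS" "$POOL_NAME"
fi
```

Run it with RUN_ASADMIN=1 and the passwords exported in the environment to actually create the pool; without that it only prints the command it would run. Keep in mind that anything passed on the asadmin command line can show up in shell history and process listings, which is why the secrets are read from variables rather than typed into the script. After the pool is created, confirm the connection is really encrypted: from a connection obtained through the pool, the query SHOW SESSION STATUS LIKE 'Ssl_cipher' returns a non-empty cipher name only when SSL is in use.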
Thanks very much for the post. I have been searching for these properties for several days; they are not documented anywhere in the GlassFish docs. Thanks again, very great post.