Table of contents
- I. Enabling the SSL certificate
- 1. MySQL enables the SSL certificate by default at deployment
- 2. Configuration file
- 3. Create a user and require SSL
- II. Adding the CA to the Java truststore
- 1. Import the certificate with keytool
- 2. Verify that the certificate was imported
- III. Changing the connection configuration
I. Enabling the SSL certificate
1. MySQL enables the SSL certificate by default at deployment
A MySQL 8.0 server (and a 5.7 build compiled against OpenSSL) generates a self-signed CA together with a server and a client certificate in the data directory on first start, and enables TLS with them. You can check the state with:
SHOW VARIABLES LIKE '%have_ssl%';
The query result is as follows (YES means the server was started with TLS support; DISABLED means it was built with support but found no usable certificates):
2. Configuration file
Edit my.cnf. The two groups do different jobs: [mysql] configures the mysql command-line client, [mysqld] configures the server. require_secure_transport = ON in [mysqld] rejects every TCP connection that does not use TLS (Unix socket connections count as secure and are still accepted):
vi my.cnf
[mysql]
ssl-ca = /opt/mysqldata/data/ca.pem
ssl-cert = /opt/mysqldata/data/client-cert.pem
ssl-key = /opt/mysqldata/data/client-key.pem
[mysqld]
require_secure_transport = ON
ssl-ca = /opt/mysqldata/data/ca.pem
ssl-cert = /opt/mysqldata/data/server-cert.pem
ssl-key = /opt/mysqldata/data/server-key.pem
File descriptions:
ca.pem # self-signed CA certificate; the client needs it too, to verify the server's certificate
client-cert.pem # certificate the client presents to the server
client-key.pem # private key for client-cert.pem; lives on the client, readable only by the account that connects
server-cert.pem # server certificate, signed by ca.pem
server-key.pem # server private key; must stay readable only by the mysql user (the same goes for ca-key.pem, which can sign new certificates)
3. Create a user and require SSL
create user jk_dev@'%' identified with mysql_native_password by '<password>';
alter user 'jk_dev'@'%' require ssl;
grant all privileges on *.* to 'jk_dev'@'%';
flush privileges;
Three points to check before using these statements as-is. REQUIRE SSL only demands an encrypted connection; the server does not ask the client for a certificate, so client-cert.pem and client-key.pem are never verified. To enforce them, use REQUIRE X509 (any certificate signed by ca.pem) or REQUIRE SUBJECT / REQUIRE ISSUER (one specific certificate). GRANT ALL PRIVILEGES ON *.* is far more than an application account needs; grant only the privileges it uses on its own schema, and narrow the host part from '%' where the client addresses are known. FLUSH PRIVILEGES is not needed after CREATE USER, ALTER USER or GRANT, which take effect immediately; it only matters after editing the grant tables directly. On MySQL 8.0 the default plugin is caching_sha2_password; mysql_native_password is deprecated from 8.0.34 and is only needed for old clients.
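The server-side steps above are easy to get subtly wrong: the directive lands in [mysql] instead of [mysqld] (MySQL also treats ssl-key and ssl_key as the same option), or server-key.pem is left readable by every local account. The script below is an added example, not part of the original post: it audits those points from the file system and, from a client machine, confirms that the running server presents a certificate chaining to ca.pem. Helper names are hypothetical and the paths follow the post's /opt/mysqldata/data layout.

```shell
#!/bin/sh
# Added example, not from the original post: audit the server side of the
# MySQL TLS setup. Helper names are hypothetical.

# cnf_get FILE SECTION KEY -> prints KEY's value inside [SECTION], or nothing.
# MySQL treats '-' and '_' in option names as equivalent, so both are accepted.
cnf_get() {
    awk -v want="[$2]" -v key="$3" '
        BEGIN { gsub(/-/, "_", key) }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == want); next }
        in_sec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k); gsub(/-/, "_", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# True when [mysqld] forces TLS on every TCP client. A value placed in
# [mysql] only affects the command-line client and is not counted.
mysqld_requires_tls() {
    v=$(cnf_get "$1" mysqld require_secure_transport | tr '[:lower:]' '[:upper:]')
    case "$v" in ON|1|TRUE) return 0 ;; *) return 1 ;; esac
}

# True when FILE exists and is readable by its owner only (0600 or 0400).
# The mode string is the first 10 columns of ls -l on every Unix.
key_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mysqld_tls MY.CNF -> prints one line per finding, returns the count
# (0 means clean).
audit_mysqld_tls() {
    n=0
    mysqld_requires_tls "$1" || { echo "require_secure_transport is not ON in [mysqld]"; n=$((n+1)); }
    for k in ssl_ca ssl_cert ssl_key; do
        p=$(cnf_get "$1" mysqld "$k")
        [ -n "$p" ] || { echo "[mysqld] $k is not set"; n=$((n+1)); continue; }
        [ -f "$p" ] || { echo "$k: $p does not exist"; n=$((n+1)); }
    done
    p=$(cnf_get "$1" mysqld ssl_key)
    [ -z "$p" ] || [ ! -f "$p" ] || key_mode_ok "$p" || {
        echo "ssl_key $p is readable by group/others (chown mysql: and chmod 600 it)"; n=$((n+1)); }
    return $n
}

# verify_server_tls HOST CA -> from a client machine, confirm the server's
# certificate chains to CA. openssl 1.1.1+ knows the MySQL STARTTLS-style
# handshake; prints openssl's verification result lines.
verify_server_tls() {
    openssl s_client -connect "$1:3306" -starttls mysql -CAfile "$2" \
        -verify_return_error </dev/null 2>/dev/null | grep -i '^Verif'
}
```

Run `audit_mysqld_tls /etc/my.cnf` on the database host as root (the key files are not readable by other accounts if the check passes) and `verify_server_tls dbhost /opt/mysqldata/data/ca.pem` from the application host; a non-zero exit from either is a finding to fix before opening the port.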
II. Adding the CA to the Java truststore
1. Import the certificate with keytool
Run the following command to import the CA certificate into the Java truststore (the path below is the Java 8 layout; on Java 9 and later the file is $JAVA_HOME/lib/security/cacerts):
keytool -import -alias mysql_ca -file /opt/mysqldata/data/ca.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
You will be prompted for the truststore password (default: changeit). Note that this makes every application on that JVM trust the MySQL CA, and the change is lost when the JDK is upgraded; a truststore dedicated to the application, referenced from the JDBC URL through trustCertificateKeyStoreUrl, keeps the trust decision local to the one service that needs it.
2. Verify that the certificate was imported
Run the following command to verify:
keytool -list -alias mysql_ca -keystool $JAVA_HOME/jre/lib/security/cacerts
If the certificate has not been imported, Java cannot trace the certificate chain presented by the MySQL server back to a root it trusts, and the connection fails with the error below. This is the driver failing closed, as it should; the fix is to import the CA, not to set verifyServerCertificate=false, which accepts any certificate and leaves the connection open to interception:
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:379)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1255)
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
	... 81 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:159)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:85)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
	at com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:373)
	... 83 common frames omitted
III. Changing the connection configuration
Edit the application configuration so the data source points at client-key.pem and client-cert.pem:
spring.datasource.url=jdbc:mysql://xxxx:3306/jkfunds_dev?useSSL=true&requireSSL=true&verifyServerCertificate=true&clientCertificateKeyFile=file:/opt/mysqldata/data/client-key.pem&clientCertificateFile=file:/opt/mysqldata/data/client-cert.pem&useUnicode=true&characterEncoding=utf-8&allowMultiQueries=true&autoReconnect=true&serverTimezone=Asia/Shanghai
Two caveats about this URL. Connector/J does not read PEM files: the client certificate and key are supplied as a PKCS12 or JKS keystore through clientCertificateKeyStoreUrl and clientCertificateKeyStorePassword (and the CA through trustCertificateKeyStoreUrl / trustCertificateKeyStorePassword when it is not in the JVM cacerts). clientCertificateKeyFile and clientCertificateFile are not Connector/J properties; unknown parameters are ignored, so the connection above still succeeds under REQUIRE SSL but presents no client certificate, and it would be rejected the moment the account is changed to REQUIRE X509. Second, allowMultiQueries=true lets one statement string carry several statements separated by ';', which turns any SQL injection in the application into stacked-query injection; leave it off unless a specific query needs it.
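As an added example (not code from the original post), the script below prepares what Connector/J actually loads: a PKCS12 keystore built from client-cert.pem and client-key.pem, a truststore holding ca.pem, and a datasource URL that references both with sslMode=VERIFY_CA, plus a lint function that flags the URL variants that look encrypted but are not verified. Keystore paths, aliases, host names and passwords are hypothetical; openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build the client-side artifacts
# Connector/J loads and lint the datasource URL. Paths and passwords are
# hypothetical.

# Connector/J reads PKCS12/JKS keystores, not PEM files. Bundle the client
# certificate and its key from the post's layout into one PKCS12 file.
# make_client_keystore CLIENT-CERT.pem CLIENT-KEY.pem OUT.p12 PASSWORD
make_client_keystore() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name mysql-client \
        -out "$3" -passout "pass:$4" && chmod 600 "$3"
}

# Keep ca.pem in a truststore owned by this application instead of editing
# the JVM-wide cacerts, which every program on that JVM would then trust.
# make_truststore CA.pem OUT.p12 PASSWORD
make_truststore() {
    keytool -importcert -noprompt -alias mysql_ca -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# build_jdbc_url HOST DB TRUST.p12 TRUSTPW CLIENT.p12 CLIENTPW
# sslMode=VERIFY_CA (Connector/J 8.0.13+) replaces the older
# useSSL/requireSSL/verifyServerCertificate trio. VERIFY_IDENTITY would also
# check the host name, which MySQL's auto-generated server certificate does
# not carry. The passwords end up in the URL, so keep it out of source control.
build_jdbc_url() {
    printf 'jdbc:mysql://%s:3306/%s?sslMode=VERIFY_CA&trustCertificateKeyStoreUrl=file:%s&trustCertificateKeyStorePassword=%s&clientCertificateKeyStoreUrl=file:%s&clientCertificateKeyStorePassword=%s&useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# lint_jdbc_url URL -> returns 0 when the URL verifies the server certificate
# and carries nothing that silently weakens the setup; prints each finding.
lint_jdbc_url() {
    # Normalize "?a=b&c=d" into "&a=b&c=d&" so every parameter is &-delimited.
    q="$(printf '%s' "$1" | tr '?' '&')&"; bad=0
    case "$q" in
        *"&sslMode=VERIFY_CA&"*|*"&sslMode=VERIFY_IDENTITY&"*) ;;
        *"&sslMode="*)
            echo "sslMode does not verify the server certificate"; bad=1 ;;
        *"&verifyServerCertificate=true&"*)      # Connector/J 5.1 style
            case "$q" in *"&useSSL=true&"*) ;;
                *) echo "verifyServerCertificate=true needs useSSL=true"; bad=1 ;; esac ;;
        *)  echo "server certificate is not verified: set sslMode=VERIFY_CA"; bad=1 ;;
    esac
    case "$q" in *"&allowMultiQueries=true&"*)
        echo "allowMultiQueries=true lets an injected ';' run extra statements"; bad=1 ;; esac
    # These names mirror the C client's ssl-cert/ssl-key options; Connector/J
    # has no such properties and ignores them, so no client certificate is sent.
    case "$q" in *"&clientCertificateKeyFile="*|*"&clientCertificateFile="*)
        echo "clientCertificateKeyFile/clientCertificateFile are not Connector/J properties (use clientCertificateKeyStoreUrl)"; bad=1 ;; esac
    return $bad
}
```

Typical use on the application host: `make_client_keystore client-cert.pem client-key.pem /etc/app/client.p12 "$CLIENT_PW"`, `make_truststore ca.pem /etc/app/truststore.p12 "$TRUST_PW"`, then paste the output of `build_jdbc_url dbhost jkfunds_dev /etc/app/truststore.p12 "$TRUST_PW" /etc/app/client.p12 "$CLIENT_PW"` into spring.datasource.url. Running `lint_jdbc_url` over the URL from the post reports the PEM parameters and allowMultiQueries.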