Connector/J (JDBC) Reference
2080
SSL in MySQL Connector/J encrypts all data (other than the initial handshake) between the JDBC
driver and the server. The performance penalty for enabling SSL is an increase in query processing
time between 35% and 50%, depending on the size of the query, and the amount of data it returns.
For SSL support to work, you must have the following:
• A JDK that includes JSSE (Java Secure Sockets Extension), like JDK-1.4.1 or newer. SSL does not
currently work with a JDK that you can add JSSE to, like JDK-1.2.x or JDK-1.3.x, due to the following
JSSE bug:
http://developer.java.sun.com/developer/bugParade/bugs/4273544.html
• A MySQL server that supports SSL and has been compiled and configured to do so, which is MySQL
4.0.4 or later. For more information, see Section 6.3.6.2, “Configuring MySQL for SSL”.
• A client certificate (covered later in this section)
The system works through two Java truststore files: one file contains the certificate information for
the server (truststore in the examples below). The other file contains the certificate for the client
(keystore in the examples below). All Java truststore files are password protected by supplying a
suitable password to keytool when you create the files. You need the file names and associated
passwords to create an SSL connection.
You will first need to import the MySQL server CA Certificate into a Java truststore. A sample MySQL
server CA Certificate is located in the SSL subdirectory of the MySQL source distribution. This is what
SSL will use to determine if you are communicating with a secure MySQL server. Alternatively, use the
CA Certificate that you have generated or been provided with by your SSL provider.
To use Java's keytool to create a truststore in the current directory, and import the server's CA
certificate (cacert.pem), you can do the following (assuming that keytool is in your path; keytool is
typically located in the bin subdirectory of your JDK or JRE):
shell> keytool -import -alias mysqlServerCACert \
-file cacert.pem -keystore truststore
Enter the password when prompted for the keystore file. Interaction with keytool looks like this:
Enter keystore password: *********
Owner: [email protected], CN=Walrus,
O=MySQL AB, L=Orenburg, ST=Some-State, C=RU
Issuer: [email protected], CN=Walrus,
O=MySQL AB, L=Orenburg, ST=Some-State, C=RU
Serial number: 0
Valid from: Fri Aug 02 16:55:53 CDT 2002 until: Sat Aug 02 16:55:53 CDT 2003
Certificate fingerprints:
MD5: 61:91:A0:F2:03:07:61:7A:81:38:66:DA:19:C4:8D:AB
SHA1: 25:77:41:05:D5:AD:99:8C:14:8C:CA:68:9C:2F:B8:89:C3:34:4D:6C
Trust this certificate? [no]: yes
Certificate was added to keystore
You then have two options: either import the client certificate that matches the CA certificate you just
imported, or create a new client certificate.
Importing an existing certificate requires the certificate to be in DER format. You can use openssl to
convert an existing certificate into the new format. For example:
shell> openssl x509 -outform DER -in client-cert.pem -out client.cert
Now import the converted certificate into your keystore using keytool:
shell> keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate
To generate your own client certificate, use keytool to create a suitable certificate and add it to the
keystore file:
shell> keytool -genkey -keyalg rsa \
-alias mysqlClientCertificate -keystore keystore
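The following Java program is an added example, not part of the manual or of Connector/J itself; it puts the truststore and keystore created above to use by handing them to JSSE through the standard javax.net.ssl system properties and asking Connector/J for an SSL connection. The host name dbhost, the database test, the angle-bracket placeholders and the final Ssl_cipher check are assumptions of this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Opens a Connector/J connection over SSL using the truststore (server CA) and
 * keystore (client certificate) files built with keytool. Host, database name,
 * user and store passwords are placeholders for this example.
 */
public class SslConnectionExample {

    public static void main(String[] args) throws Exception {
        // JSSE reads the trust material from these system properties; they can
        // equally be passed on the command line as -Djavax.net.ssl.trustStore=...
        System.setProperty("javax.net.ssl.trustStore", "truststore");            // CA cert imported above
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore password>");
        System.setProperty("javax.net.ssl.keyStore", "keystore");                // client cert and key
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore password>");

        Class.forName("com.mysql.jdbc.Driver"); // Connector/J driver class

        Properties props = new Properties();
        props.setProperty("user", "<db user>");
        props.setProperty("password", "<db password>");
        props.setProperty("useSSL", "true");     // switch to SSL after the initial handshake
        props.setProperty("requireSSL", "true"); // fail rather than fall back to cleartext

        Connection conn = DriverManager.getConnection("jdbc:mysql://dbhost:3306/test", props);
        try {
            // The server reports a non-empty Ssl_cipher only when this session is encrypted,
            // so the check below confirms that SSL was actually negotiated.
            Statement stmt = conn.createStatement();
            ResultSet rs = stmt.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'");
            if (rs.next() && rs.getString(2).length() > 0) {
                System.out.println("Session encrypted with cipher: " + rs.getString(2));
            } else {
                throw new SQLException("Connection is not using SSL");
            }
        } finally {
            conn.close();
        }
    }
}
```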