Connect to a JDBC Repo Over SSL
This procedure assumes that you have already set up your JDBC repository, as described in the previous sections. The exact steps to connect to a JDBC repository over SSL depend on your repository. This procedure describes the steps for a MySQL 8 repository. If you are using a different JDBC repository, use the corresponding documentation for that repository, and adjust the steps accordingly.
Change the
jdbcUrl
property in your repository connection configuration file (conf/datasource.jdbc-default.json
).The exact value of the
jdbcUrl
property will depend on your JDBC database, and on the version of your JDBC driver:"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=true&verifyServerCertificate=true&requireSSL=true"
"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&sslMode=VERIFY_CA&requireSSL=true"
Note
For Azure MySQL, JDBC Driver Version 8.0.17+ is required.
Create and verify the SSL certificate and key files required to support encrypted connections to the JDBC repository.
For MySQL 8, use one of the procedures in the MySQL docs.
Configure the JDBC repository to use encrypted connections.
For MySQL 8, follow the MySQL docs.
Check that the connection to the database is over SSL by running a command similar to the following:
mysql -u root -P 3306 -p
mysql>show variables like "%have_ssl%";
+---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_ssl | YES | +---------------+-------+ 1 row in set (0.00 sec)
Convert your MySQL client key and certificate files to a PKCS #12 archive. For example:
openssl pkcs12 -export \ -in client-cert.pem \ -inkey client-key.pem \ -name "mysqlclient" \ -passout pass:changeit \ -out client-keystore.p12
Import the
client-keystore.p12
into the IDM keystore:keytool \ -importkeystore \ -srckeystore client-keystore.p12 \ -srcstoretype pkcs12 \ -srcstorepass changeit \ -destkeystore /path/to/openidm/security/keystore.jceks \ -deststoretype jceks \ -deststorepass changeit
Important
For AWS RDS MySQL and Azure MySQL, no client certificates are provided. In this case, you must create an empty keystore for client certificates, and add the following to the
jdbcUrl
property in your repository connection configuration file (conf/datasource.jdbc-default.json
):&clientCertificateKeyStoreUrl=file:/opt/idm/security/empty.jks&clientCertificateKeyStorePassword=changeit
Import your MySQL CA certificate into the IDM truststore.
keytool \ -importcert \ -trustcacerts \ -file ca-cert.pem \ -alias "DB cert" \ -keystore /path/to/openidm/security/truststore
You are prompted for a keystore password. You must use the same password as is shown in your
resolver/boot.properties
file. The default truststore password is:openidm.truststore.password=changeit
After entering a keystore password, you are prompted with the following question. Assuming you have included an appropriate
ca-cert.pem
file, enteryes
.Trust this certificate? [no]:
Open your project's
conf/system.properties
file. Add the following line to that file. If appropriate, substitute the path to your own truststore:# Set the truststore javax.net.ssl.trustStore=&{idm.install.dir}/security/truststore
Even if you are setting up this instance of IDM as part of a cluster, you must configure this initial truststore. After this instance joins a cluster, the SSL keys in this particular truststore are replaced.