Connect to a JDBC Repo Over SSL

This procedure assumes that you have already set up your JDBC repository, as described in the previous sections. The exact steps to connect to a JDBC repository over SSL depend on your repository. This procedure describes the steps for a MySQL 8 repository. If you are using a different JDBC repository, use the corresponding documentation for that repository, and adjust the steps accordingly.

  1. Change the jdbcUrl property in your repository connection configuration file (conf/datasource.jdbc-default.json ).

    The exact value of the jdbcUrl property will depend on your JDBC database, and on the version of your JDBC driver:

    "jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=true&verifyServerCertificate=true&requireSSL=true"
    "jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&sslMode=VERIFY_CA&requireSSL=true"
  2. Create and verify the SSL certificate and key files required to support encrypted connections to the JDBC repository.

    For MySQL 8, use one of the procedures in the MySQL docs.

  3. Configure the JDBC repository to use encrypted connections.

    For MySQL 8, follow the MySQL docs.

  4. Check that the connection to the database is over SSL by running a command similar to the following:

    mysql -u root -P 3306 -p
    mysql>show variables like "%have_ssl%";
    
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_ssl      | YES   |
    +---------------+-------+
    1 row in set (0.00 sec)
  5. Convert your MySQL client key and certificate files to a PKCS #12 archive. For example:

    openssl pkcs12 -export \
    -in client-cert.pem \
    -inkey client-key.pem \
    -name "mysqlclient" \
    -passout pass:changeit \
    -out client-keystore.p12
  6. Import the client-keystore.p12 into the IDM keystore:

    keytool \
    -importkeystore \
    -srckeystore client-keystore.p12 \
    -srcstoretype pkcs12 \
    -srcstorepass changeit \
    -destkeystore /path/to/openidm/security/keystore.jceks \
    -deststoretype jceks \
    -deststorepass changeit

    Important

    For AWS RDS MySQL, no client certificates are provided. In this case, you must create an empty keystore for client certificates, and add the following to the jdbcUrl property in your repository connection configuration file (conf/datasource.jdbc-default.json ):

    &clientCertificateKeyStoreUrl=file:/opt/idm/security/empty.jks&clientCertificateKeyStorePassword=changeit
  7. Import your MySQL CA certificate into the IDM truststore.

    keytool \
    -importcert \
    -trustcacerts \
    -file ca-cert.pem \
    -alias "DB cert" \
    -keystore /path/to/openidm/security/truststore

    You are prompted for a keystore password. You must use the same password as is shown in your resolver/boot.properties file. The default truststore password is:

    openidm.truststore.password=changeit

    After entering a keystore password, you are prompted with the following question. Assuming you have included an appropriate ca-cert.pem file, enter yes.

    Trust this certificate? [no]: 
  8. Open your project's conf/system.properties file. Add the following line to that file. If appropriate, substitute the path to your own truststore:

    # Set the truststore
    javax.net.ssl.trustStore=&{idm.install.dir}/security/truststore

    Even if you are setting up this instance of IDM as part of a cluster, you must configure this initial truststore. After this instance joins a cluster, the SSL keys in this particular truststore are replaced.

Read a different version of :