文章目录
- 一、开启ssl证书
- 1、msysql部署时默认开启ssl证书
- 2、配置文件
- 3、创建用户并指定ssl
- 二、添加Java信任库
- 1、使用 keytool 导入证书
- 2、验证证书是否已导入
- 三、修改连接配置
一、开启ssl证书
1、msysql部署时默认开启ssl证书
可通过命令查看:
SHOW VARIABLES LIKE '%have_ssl%';
查询结果如下:
2、配置文件
配置my.cnf文件:
vi my.cnf
[mysql]
ssl-ca = /opt/mysqldata/data/ca.pem
ssl-cert = /opt/mysqldata/data/client-cert.pem
ssl-key = /opt/mysqldata/data/client-key.pem
[mysqld]
require_secure_transport = ON
ssl-ca = /opt/mysqldata/data/ca.pem
ssl-cert = /opt/mysqldata/data/server-cert.pem
ssl-key = /opt/mysqldata/data/server-key.pem
文件说明:
ca.pem # 自签的CA证书,客户端连接也需要提供
client-cert.pem # 客户端连接服务器端需要提供的证书文件
client-key.pem # 客户端连接服务器端需要提供的私钥文件
server-cert.pem # 服务器端证书文件
server-key.pem # 服务器端私钥文件
3、创建用户并指定ssl
create user jk_dev@'%' identified with mysql_native_password by '密码';
alter user 'jk_dev'@'%' require ssl;
grant all privileges on *.* to 'jk_dev'@'%';
flush privileges;
二、添加Java信任库
1、使用 keytool 导入证书
运行以下命令将 CA 证书导入到 Java 信任库:
keytool -import -alias mysql_ca -file /opt/mysqldata/data/ca.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
执行时需要输入信任库密码(默认为changeit)。
2、验证证书是否已导入
运行以下命令验证是否已导入:
keytool -list -alias mysql_ca -keystore $JAVA_HOME/jre/lib/security/cacerts
如果证书未导入,Java无法将 MySQL 服务器提供的证书链追溯到它信任的根证书,连接时会报错:
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchorsat com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:379)at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1255)at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)... 81 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchorsat sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:159)at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:85)at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)at com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:373)... 83 common frames omitted
三、修改连接配置
修改配置文件,数据库连接指向client-key.pem和client-cert.pem:
spring.datasource.url=jdbc:mysql://xxxx:3306/jkfunds_dev?useSSL=true&requireSSL=true&verifyServerCertificate=true&clientCertificateKeyFile=file:/opt/mysqldata/data/client-key.pem&clientCertificateFile=file:/opt/mysqldata/data/client-cert.pem&useUnicode=true&characterEncoding=utf-8&allowMultiQueries=true&autoReconnect=true&serverTimezone=Asia/Shanghai
)
)
)
)
