Java use SSL for database connection

2

12

I am currently making a connection to my database without using SSL. I now would like to utilize SSL. The way I have it set up, my database source is in config.

DB_SOURCE=jdbc:mysql://myDatabaseInfo:3306/DB_NAME?
DB_USER=dbUser
DB_PW=dbPw

I can get the SSL connection to work by calling my program with the following arguments

-Djavax.net.ssl.trustStore=path\to\truststore
-Djavax.net.ssl.trustStorePassword=myPassword

I can also get it to work by changing the env variables in the code itself

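dbSource += "?useSSL=true";
// Backslashes must be doubled in a Java string literal ("\t" alone is a tab character).
System.setProperty("javax.net.ssl.trustStore", "path\\to\\truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "myPassword");
// Load the MySQL Connector/J driver, then connect with the TLS settings above.
Class.forName("com.mysql.jdbc.Driver");
Connection con = DriverManager.getConnection(dbSource, dbUser, dbPw);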

However, my goal is to make the SSL connection without making any changes to my code and without having to change the VM arguments I use. Is there a way I can set my source to include this information?

Something like:

jdbc:mysql://myDatabaseInfo:3306/DB_NAME?useSSL=true&trustCertificateKeyStoreUrl=path\to\truststore&trustCertificateKeyStorePassword=myPassword

I tried this exactly and it doesn't work. Ideally I could just add the info to the config I already have so that I don't have to make changes in more than one place. Any ideas?

Epicrisis answered 20/12, 2012 at 20:4 Comment(0)
3

Suggestion 1: Put your trust store in place of Java's trust store, or import your certificate into Java's trust store: ${java.home}/lib/security/cacerts

Suggestion 2: Write your own driver extending com.mysql.jdbc.Driver. Put the SSL configuration into the new code. You would still need to write code, but not in the main application. Not sure if that's acceptable for you.

Pirogue answered 20/12, 2012 at 20:55 Comment(2)
Regarding #1, that only covers the location of the trust store, I would still need the VM argument to set the password, no? – Epicrisis
If you import the certificates into Java's default trust store, you don't need to set the password. It's 'changeit' :) – Pirogue
0

According to the security section of the MySQLConnector documentation, the trustCertificateKeyStoreUrl parameter takes a URL as input.

That is, you have to prefix it with file: in order to make it work for local files. In other words, you need to set the path to your truststore as file:path\to\truststore.

The same goes for clientCertificateKeyStoreUrl, if you're using that parameter too.

Flagging answered 12/5, 2016 at 14:24 Comment(0)
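
The URL-only configuration discussed in this thread, as an added example that is not from any of the posts above and is not Connector/J's own code: it checks that the truststore opens with the given password, converts the path to a file: URL, and percent-encodes the values before appending them to DB_SOURCE. The class and method names are hypothetical, verifyServerCertificate is a Connector/J property not mentioned in the thread, the sample password and temporary truststore are constructed, and the code assumes the driver URL-decodes property values.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;

public class MysqlTlsUrl {

    /** Appends TLS properties to a base JDBC URL (with or without a trailing '?'). */
    static String withTrustStore(String baseUrl, Path trustStore, char[] password) throws Exception {
        // Fail early on a wrong path or password, before any network traffic happens.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password); // throws IOException if the password does not match
        }
        // The driver expects a URL, not a path: toUri() yields file:///... and
        // normalises Windows backslashes and spaces.
        String storeUrl = trustStore.toAbsolutePath().toUri().toString();
        String sep = (baseUrl.endsWith("?") || baseUrl.endsWith("&")) ? ""
                   : baseUrl.contains("?") ? "&" : "?";
        return baseUrl + sep
                + "useSSL=true"
                + "&verifyServerCertificate=true" // reject servers not signed by the truststore
                + "&trustCertificateKeyStoreUrl=" + enc(storeUrl)
                + "&trustCertificateKeyStorePassword=" + enc(new String(password));
    }

    /** Percent-encodes a value so '&', '=' and spaces cannot split the property list. */
    static String enc(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty JKS truststore in a temp file.
        char[] pw = "my&Pass word".toCharArray();
        Path store = Files.createTempFile("truststore", ".jks");
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(store)) {
            empty.store(out, pw);
        }
        // Same base URL as DB_SOURCE in the question, including its trailing '?'.
        System.out.println(withTrustStore("jdbc:mysql://myDatabaseInfo:3306/DB_NAME?", store, pw));
        Files.delete(store);
    }
}
```

With this approach the truststore password lives inside DB_SOURCE, so the config file holding it needs the same access restrictions as the DB_PW entry.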
