I am trying to remotely connect Google Data Studio with our MySQL Database, which is hosted on an AWS instance. To allow for a secure connection, we added SSL access to the AWS's MySQL database user as recommended in the documentation:
GRANT USAGE ON *.* TO 'encrypted_user'#'%' REQUIRE SSL;
The problem here is that AWS, unlike GOOGLE CloudSQL, only generates a Server certificate, and not a Client certificate, nor a Client private key (as far as I can tell). Both the latter is needed to enable SSL for Google Data Studio & MySQL connection.
Just to add a side-note, we also white-listed Google's recommended IPs as listed here. There are a lot of users in this thread complaining that white-listing specific IPs does not work, they had to add wildcard on the subnets. So we have also added addresses of the /16 subnets for each IP:
64.18.%.%
64.233.%.%
66.102.%.%
66.249.%.%
72.14.%.%
74.125.%.%
108.177.%.%
173.194.%.%
207.126.%.%
209.85.%.%
216.58.%.%
216.239.%.%
Finally, one does not need to restart the AWS firewall after white-listing new IPs, it is immediately in-effect.
My Questions:
Is there absolutely no way to create a client certificate and a client private key on MySQL hosted on AWS ?
I would really want to use SSL between Google Data Studio (GDS) and our MySQL-DB, but the GDS-UI does not allow us to connect without filling in the client certificate and client private key. Is there any work around at the moment for me to allow this secure connection ?
Thanks in advance!
I was able to establish SSL connection between Google Data Studio and Amazon RDS PostgreSQL using Amazon server certificate and self-signed client cert + key created with OpenSSL:
openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt
Taken from https://stackoverflow.com/a/48994943/2789084.
Related
I am new to setting up SSL certificates on servers and would need some help to secure a MySQL database connection. I have a simple mobile app (client) which needs to connect to a remote MySQL database (server) connection. I am using AWS EC2 for the remote server and I have installed Let's Encrypt SSL certificates on a domain that I am hosting there. The machine runs on Ubuntu 18.04 and NGINX.
The same server also runs a MySQL database and I want to connect to it securely using a mobile app client. How can I encrypt the connection between the mobile app aclient and the MySQL database server?
I do have a static ip address for the database server but I am unable to install SSL certificates on the ip address directly. Only the domain name has an associated SSL certificate.
I did some digging around but was unable to find anything that serves my purpose. Any suggestion or reference to an article would greatly help.
This article provides a detailed step by step procedure for securing the connection between a remote MySQL database server and a client.
Securing a remote MySQL database server connection
I have a MySLQ running on a CentOS server with SSL enabled and it require SSL in order to connect to the databases. I created the certificates and keys using OpenSSL, getting this files:
ca.pem
ca-key.pem
client-cert-pem
client-key-pem
server-cert.pem
server-key.pem
Setup MySQL with this:
ssl-ca=/etc/certs/ca.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
bind-address=*
require_secure_transport=ON
I created a user that require X509 on the MySLQ by using:
CREATE USER 'user'#'%' IDENTIFIED BY '<password>' REQUIRE X509;
Testing with the MySQL client console and MySQL Workbench providing the client certs and it works fine. Also works on a Java App that writes/reads the databases by importing certifitates to the keytores/trustores.
However, I cannot set up Power Bi Desktop version to connect to the MySQL server. I imported the certificates to the Trusted Root Autenticathion Authorities and a PKCS12 keystore and trustore (used also by the Java App). This image shows the certificate. It is in Spanish, but it says it has also the key and it is verified by the ca.pem.
This is according to the documentation, but the documentation about this is very old and very limited. Some of the process and/or tools are out of date.
This are the sources I could find:
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CreateCertificate.md#generate-certificate-manually
https://github.com/Microsoft/PowerBI-visuals/blob/master/tools/CertificateAddWindows.md
https://powerbi.microsoft.com/es-es/blog/ssl-security-error-with-data-source/
However there is not much more info about how to properly connect (or I cannot find it).
The message I get on Power Bi is "We were unable to authenticate you with the credentials provided. Try again."
I must add that disabling SSL allows me to connect to the databases using Power Bi, without any issue, it is the SSL what doesn't work as I don't know how to properly provide the certificates and I cannot find anything that decribes the process.
I have a Node.JS Express API App that's hosted on Heroku in the cloud. I'd like to query a MySQL DB.
The problem is that this DB is hosted on a secure LAN with proprietary info. We don't want to expose this DB to the public. What's the desired pattern for things like this?
I have a static proxy IP that I was thinking of maybe whitelisting in MySQL Server if possible. I think introducing another layer like VPN or SSH isn't going to work.
I have a static proxy IP that I was thinking of maybe whitelisting in MySQL Server if possible
MySQL does allow whitelisting of IPs. It is possible.
However, you can create an SSH tunnel from the local system to the server. The SSH tunnel can give you an encrypted SSH connection. And instead of using an SSH based on password, the better method is to use a key based encryption
What you need to do is to generate a public authentication key and append it to the remote hosts ~/.ssh/authorized_keys file. And preferably, disable password based authentication and only permit key based ssh connections.
If you need some steps on how to achieve this, I can list down too.
I have my MySQL instance configured to use TLS. I have verified this by intentionally using untrusted certificates and watching the clients fail to connect (with an appropriate error message) and then restarting the MySQL service with trusted certificates configured and having the clients connect successfully.
I wanted to do a final check using openssl's s_client but I can't get it to work. When I execute the command below, I get an error saying "SSL23_GET_SERVER_Hello:unknown protocol" followed by "no peer certificate available" followed by some more text. However, when I use the same command against a TLS-enabled Tomcat instance and against the Remote Desktop port, I am able to establish the connection and view the server's certificate. What am I doing wrong? Does MySQL do some extra pre-negotiation before the TLS handshake starts?
openssl s_client -showcerts -connect host:port
While MySQL may use TLS, it isn't the total outside layer. There is a small amount of preamble that occurs before TLS starts. The openssl command line isn't aware of this.
Use the mysql client with its TLS options to test the client certificate.
I marked the response from #danblack correct as he did answer the question. However, I want to provide more information in case it helps anyone else. The
small amount of preamble that occurs before TLS starts
that he refers to can be found on GitHub here.
I've found that if you connect to a Cloud SQL instance over SSL the CommonName provided in the server's certificate is my-project-123456:myinstance which renders the certificate un-validatable, as the client expects that the CN to be either the hostname or IP.
Every solution to this problem seems to amount to "just disable validation", which is not acceptable to me because:
Why has GCP decided to do everything else correctly, providing a CA cert and client certificates, only to drop the ball on identity validation? By disabling validation you're basically saying "I'm OK with being MITMed at some point".
What about projects where we can't play fast and loose with validation because of PIPA/HIPAA?
What about mySQL clients that don't support turning validation off? eg: All PHP 5.6 mysql libs using mysqlnd prior to the upcoming 5.6.16 release.
Is there any way to make SSL work correctly on Cloud SQL?
One of the reasons for not having the IP address of the instance in the common name of the server certificate is because these IPs can change. What is the IP address of instance A today can be the IP address of instance B tomorrow, because A was deleted, or A decided that it doesn't want the IP address anymore. So, the instance name was decided as being a more unique identification of the instance.
Also, the mysql client libraries by default have hostname verification disabled. http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html
With regards to MITM attacks, it is not possible to MITM attack a Cloud SQL instance because the server certificate and the each of the client certificates are signed by unique self-signed CAs which are never used to sign more than one cert. The server only ever trusts certificates signed by one of these CAs. The reason for using unique CAs per client cert was because MySQL 5.5 did not support certificate revocation lists, and we also did not want to deal CRLs, but wanted to support deletion of client certs.
We will look into ways of supporting SSL for clients which cannot turn off hostname validation. But I cannot promise an ETA on this.
Cloud SQL Team.