Using SSL with command-line Flywaydb ( flyway ) to deploy DB changes - mysql

I'm working on a proof of concept to deploy using flyway's command-line tool from a centralized server to deploy to multiple database platforms. (MySQL, Postgres, and SQL Server)
I'm able to deploy successfully without SSL, however it is using unencrypted host information such as logins/passwords/ports to the destination Database Server. My concern is there's a chance the un-encrypted traffic could be seen.
Does anyone have experience with the flyway command line tool using SSL to deploy to:
MySQL
SQL Server
I did not see any information in the documentation unless I missed it.
Thanks for any help and suggestions!

In the flyway examples in flyway.conf it shows how to add additional values to the jdbc url for example
# MySQL : jdbc:mysql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# PostgreSQL : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# Redshift : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
So for Redshift/Postgres for example you can include the ssl=true flag
flyway.url=jdbc:postgresql://yourserver:5439/dbname?ssl=true
You need to add the public key that the DB server key was signed with to your hosts trust store (for Redshift see http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html for details on that), e.g
${JAVA_HOME}/bin/keytool -keystore ${JAVA_HOME}/lib/security/cacerts -import -alias <alias> -file <certificate_filename>
I then had to hack the flyway startup script /flyway to include the truststore and password in the JAVA_ARGS (it probably should have these as variables) e.g
JAVA_ARGS="-Djava.security.egd=file:/dev/../dev/urandom -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit"

For MySQL I used the following URL to connect using SSL.
jdbc:mysql://hostname:3306/wpastudy?useSSL=true
Note the useSSL=true parameter.

Related

MySQL and Keycloak setup

Hello I am trying to add mysql database in my Keycloak server.
I've added module.xml and mysql-connector-java-5.1.42-bin.jar under /modules/system/layers/base/com/mysql/main.
When I am running the command to add mysql module,
./jboss-cli.sh, it errors out with
Exception in thread "CLI Terminal Connection (uninterruptable)"
java.lang.ArithmeticException: / by zero
And when i am trying to start Keycloak, I am also notified that there is a missing service.
service jboss.jdbc-driver.mysql (missing)
Please help!!
When I am running the command to add mysql module, ./jboss-cli.sh, it errors out with
Can you post your Command? You dont't have to do this with the cli. It's also possible to modify the config in a editor. At least for testing you should try this.
Keycloak docs have a pretty good part about database setup: https://www.keycloak.org/docs/latest/server_installation/index.html#_database
The basic steps are:
Locate and download a JDBC driver for your database
Package the driver JAR into a module and install this module into the server (module.xml)
Declare the JDBC driver in the configuration profile of the server (standalone.xml)
Modify the datasource configuration to use your database’s JDBC driver
Modify the datasource configuration to define the connection parameters to your database
There is an error in the Keycloak documentation. Driver should be in the
modules/system/layers/base/com/mysql/driver/main
folder.
The full valid instruction is here
https://github.com/v-ladynev/keycloak-nodejs-example#keycloak-configuration
Also you can use docker images to experiment
https://github.com/v-ladynev/keycloak-nodejs-example#keycloak-docker-image

Connecting to MySQL on AWS RDS with SSL pem keys

I set up a new MySQL instance on AWS RDS (Aurora). I added a user that requires SSL, and downloaded the combined ca bundle as described here and here: SSL Connection error, and I can connect via command line and confirm that the user is securely connected. I also turned off the SSL requirement for the user temporarily and was able to connect with MySQL Workbench with SSL turned off.
The problem is that both MySQL Workbench and my Rails app expect three separate files: SSL CA, SSL Cert, and SSL Key.
I'm sure there has to be an easy solution to it, but much Googling is not finding the answer, including this unanswered one on the AWS forums. I appreciate the help.
You don't need any other files. When it comes to the MySQL Workbench you need to provide "SSL CA File" and "Use SSL" ("Require" or "Require and Verify CA").
After that you can verify your connection by using the following command:
SHOW SESSION STATUS LIKE 'Ssl_cipher';

Google Cloud SQL SSL fails peer certificate validation

I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.
For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.
Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:
CN=project-name:instance-id
To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.
I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub), MySQLnd configuration options to try and disable the SSL peer verification code on this particular MySQLND. To no avail.
Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?
Your response is greatly appreciated!
Try connecting through the proxy if you have second generation sql, you might be able to connect pdo via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy
Assuming you can convince MySQL that the hostname is should verify is in fact project-name:instance-id then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).
I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql binary (I didn't try via PHP).
First I added a hosts entry on my machine included the colon as part of the name:
1.2.3.4 project-name:instance-id
After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:
mysql -uroot -h "project-name:instance-id" --password \
--ssl \
--ssl-ca ~/Downloads/server-ca.pem \
--ssl-cert ~/Downloads/client-cert.pem \
--ssl-key ~/Downloads/client-key.pem \
--ssl-verify-server-cert
(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure)

Access MySQL server from Grails

I like to setup a dedicated MySQL server in a LAN accessible from other computers of this network. How can I setup the database server and the clients?
How can a Grails application can access the MySQL from the same LAN?
If your MySQL server is going to run on Windows then you can configure it with the installation program. For example, I downloaded the install file mysql-installer-community-5.6.20.0.msi (versions change quickly) and it offers the option of installing just the server:
Just follow the screen prompts and take all the default values (strongly recommended). The main values to remember are:
The default network port number 3306.
The server's ip address.
The username(s) and password(s) that you created that have access to
MySQL.
Then I suggest you download HeidiSQL and configure a connection to your new MySQL server, that way you can manage your database server remotely:
Hope that helps.
You are asking 2 differents questions.
To set up mysql connection in your grails app, did you at least try to read the doc ?
http://grails.org/doc/latest/guide/single.html#dataSource
It's just a jdbc connection string :
https://www.google.fr/?gws_rd=ssl#q=jdbc+mysql+connection+string+example
It's more than just the JDBC connect string. You won't get far without a driver, so uncomment the sample entry in BuildConfig.groovy in the dependencies section and update the version to the most recent:
dependencies {
...
runtime 'mysql:mysql-connector-java:5.1.34'
}
Set the driverClassName in DataSource.groovy, along with the correct JDBC url for your database. Replace <server> with the server name or IP address, and <dbname> with the correct database name. You will likely also want to add parameters at the end of the url in the querystring. And if the port is non-standard (3306 is the default) then add that in also. To ensure that you use INNODB tables (older versions of MySQL default to MyISAM), specify the MySQL5InnoDBDialect (or a subclass):
dataSource {
...
driverClassName = 'com.mysql.jdbc.Driver'
dialect = org.hibernate.dialect.MySQL5InnoDBDialect
url = 'jdbc:mysql://<server>/<dbname>'
}
Run grails compile to download the driver jar and setup the classpath.

CloverETL mySQL Database SSL secure connection & Parameters

I am trying to make the connection to a remote mysql database in CloverETL Designer (Community Version)
Documentation with examples on this subject seem fragmented so I have tried to piece the bits together but I'm not use if they are correct. I would be grateful for any suggestions or further clarification on this subject.
Here is what I have so far:
The SSL Certificate
As an alternative VPN connection the server guys passed me the raw CA certificate, which I saved as a .crt file in the conn folder of the CloverETL workspace.
CloverETL Connections
I created a new DB connection and tested it was working without SSL
In the graph window I created a simple graph
Switching to Source View I added the parameter attribute to the connection code like this:
<Connection database="MYSQL" dbURL="jdbc:mysql://hostname/database_name" id="JDBC0" jdbcSpecific="MYSQL" name="CPM" parameters="ssl=${WORKSPACE}/conn/mysql_cpm_cert.crt" password="password" type="JDBC" user="username"/>
Then I tested the connection to the database by creating new metadata from a DB table
The problem is that I don't know if the connect is now secure or not.
Here's the list of resources that I used to piece together the information:
components:bulkloaders:mysql_data_writer [CloverETL wiki]
MySQL :: MySQL 5.0 Reference Manual :: 6.3.6.3 SSL Command Options
Thanks
CPM
Your setup almost certainly does not use ssl. Both links you posted are not usable - first describes bulk loader and second connection via command line client. But what you need is to configure JDBC. So I would use http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html section "Security."
I would set:
useSSL=true
requireSSL=true
You will do that by adding items in table (Custom JDBC properties) on second tab (Advanced) of Connection Wizard. In source it should appear like "jdbc.useSSL=true jdbc.requireSSL=true" not "parameters=".
Then connection should fail, because in your default java key store is missing your certificate. It can be imported via http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html section "Importing Certificates"
I hope this helps.