Configure Wildfly to use SSL connection for MariaDB - java

I want to configure Wildfly 14 to use encrypted JDBC connection. I tried this:
MariaDB:
mysql -u root -p
CREATE USER 'wildfly' IDENTIFIED BY 'qwerty';
CREATE DATABASE production_gateway;
GRANT ALL PRIVILEGES ON production_gateway.* TO 'wildfly'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
Create certificate:
mkdir -p /etc/mysql/ssl
cd /etc/mysql/ssl
sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 36500 -key ca-key.pem -out cacert.pem
sudo openssl req -newkey rsa:4096 -days 36500 -nodes -keyout server-key.pem -out server-req.pem
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl req -newkey rsa:2048 -days 36500 -nodes -keyout client-key.pem -out client-req.pem
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
openssl verify -CAfile cacert.pem server-cert.pem client-cert.pem
Add the certificates to MariaDB in my.cnf:
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
systemctl restart mysql
Import the certificate into the Java keystore:
cd /usr/lib/jvm/java-11-openjdk-amd64/lib/security/
openssl x509 -outform der -in /etc/mysql/ssl/client-cert.pem -out certificate.der
keytool -import -alias client -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file certificate.der -storepass changeit
Export the keystore configuration:
export JAVA_OPTS="-Djavax.net.ssl.keyStore=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit"
When I use this connection link:
jdbc:mariadb://localhost:3306/production_gateway - it's working
But when I use: jdbc:mariadb://localhost:3306/production_gateway?useSSL=true&requireSSL=true
I get:
17:40:30,454 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (External Management Request Threads -- 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
17:40:30,472 ERROR [org.jboss.as.controller.management-operation] (External Management Request Threads -- 1) WFLYCTL0013: Operation ("test-connection-in-pool") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "MariaDB")
]) - failure description: "WFLYJCA0040: failed to invoke operation: WFLYJCA0047: Connection is not valid"
Can you advise how I can fix this issue?
I use JDBC driver mariadb-java-client-2.3.0.jar

As per my knowledge, you just need to set the requireSSL field to true.
Try with the line below:
jdbc:mariadb://localhost:3306/production_gateway?requireSSL=true
Let us know whether it's working or not.
For more clarification you can check this answer.

Related

How to generate Java certificates (keystore and truststore) for two way SSL starting from X509 certificates

I have generated with OpenSSL self signed certificates:
Root CA: cacert.crt (the root CA certificate), and root_key.pem (for the root private key).
Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
Server: server_cert.crt (the server certificate), and server_key.pem (for private key).
Both client and server certificates are signed with the root key.
As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate with keytool the two pairs of client/server truststore/keystore starting from these certificates/keys.
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions for improvement are welcome.

ssl keystore generated from certbot (standalone) does not work with spring-boot

I am trying to add an SSL certificate generated by certbot, converted into PKCS12 format, to my spring-boot application.
These are the steps I took to make the certificate:
certbot certonly -a standalone -d api.example.com
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat -passout pass:aaaaaa
keytool -importkeystore -deststorepass aaaaaa -destkeypass aaaaaa -destkeystore .keystore -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass aaaaaa -alias tomcat
The content of application.yml:
spring:
  datasource:
    url: jdbc:mariadb://localhost:3306/api?useSSL=false
    username: spring
    password: w7wqD6hd78HfYHLP
    driver-class-name: org.mariadb.jdbc.Driver
  jpa:
    hibernate:
      ddl-auto: update
    database-platform: org.hibernate.dialect.MariaDB103Dialect
    generate-ddl: true
    show-sql: true
server:
  port: 12345
  ssl:
    enabled: true
    key-alias: tomcat
    key-store-type: PKCS12
    key-password: aaaaaa
    key-store: /etc/letsencrypt/live/api.example.ovh/pkcs.p12
This is the innermost error I get:
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
    at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1170) ~[na:na]
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:365) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
    ... 26 common frames omitted
The PKCS12 has been created with the fullchain and the key, so there should be no problem with the resulting p12 file. There are various answers on the wonderful internet that pointed me in the same direction for the steps to make the certificate.
I would like to know if anyone has a solution for this, to simply use ssl as intended. If the answer is obvious, I am sorry, I am not savvy enough on java applications.
Add key-store-password property as follows:
server:
  ssl:
    key-store-password: aaaaaa

openssl/keytool error: java.lang.Exception: Input not an X.509 certificate

I have created a certificate through OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
and then created a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in tls.crt -inkey tls.key -out tls.p12
and after that converted it to JKS using:
keytool -importkeystore -srckeystore tls.p12 -srcstoretype PKCS12 -destkeystore tls.jks -deststoretype JKS
Now, when I import this JKS file through keytool like this:
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.jks -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
I am getting:
keytool error: java.lang.Exception: Input not an X.509 certificate
The -import needs a certificate file, not a JKS.
Try :
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.crt -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

Difference between keytool and openssl?

We can generate a certificate through keytool like this:
keytool -genkey -alias initcert -keyalg RSA -keystore keycloak.jks -validity 365 -keysize 2048
and through OpenSSL like this:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
What is the difference between these two techniques, and which should we use?

How do I import a certificate chain and its certificate into a java keystore?

I have a wildcard certificate along with a certificate chain and private key.
How do I import that into my java keystore?
certificate chain
*.whatever.com - certificate
private key
I found the answer here -
You have to convert your certificate to PKCS12 to import it, with a command similar to the following.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1
To convert from PEM to PKCS12 use the following command.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
