How to configure an encrypted SSL connection for the MySQL agent? (4232477)

How to configure an encrypted SSL connection for the MySQL agent?

In order to use SSL, your MySQL server must be built with OpenSSL or yaSSL. To check whether SSL is enabled, run this query:

SHOW VARIABLES LIKE 'have_ssl';

If the query returns YES, your server can use SSL. If it returns DISABLED, the server must be started with the SSL options listed in the above mentioned section. SSL and RSA certificates and keys must also be generated in order to use SSL. Information on generating those can be found here.

The client requires a client certificate and certificate authority (CA) certificate. These are named clientcert.pem and ca.pem respectively if generated by the MySQL server and should be located in the data directory. First, the client certificate needs to be converted into DER format. This can be performed by downloading OpenSSL and running the following command:

openssl x509 -outform DER -in client-cert.pem -out client.cert

Then, the certificates must be imported into the FglAM keystore. You can use the bundled keytool, which will be located in the Foglight Agent Manager\jre\1.8.0.72\jre\bin directory, or the equivalent on your system, with these commands:

keytool.exe -import -file client.cert -keystore ..\..\..\..\keystore -alias mysqlClientCertificate

keytool.exe -import -file ca.pem -keystore ..\lib\security\cacerts -alias mysqlServerCACert

If you have not changed the password for the keystore, the default password will be “changeit”.

Since the previous command imports the certificate into the JRE default truststore, this can be lost after an upgrade. To preserve this truststore, make a copy of the cacerts file and save it somewhere else in the FglAM installation directory, e.g. [FGLAM_HOME]\truststore

Next, edit the baseline.jvmargs.config file in the [FGLAM_HOME]\state\default\config directory and add the following parameters with file paths and passwords appropriate for your system. Escape any quotes with a ‘\’.
 

vmparameter.0 = "-Djavax.net.ssl.keyStore=\"C:/Foglight Agent Manager/keystore\"";

vmparameter.1 = "-Djavax.net.ssl.keyStorePassword=changeit";

vmparameter.2 = "-Djavax.net.ssl.trustStore=\"C:/Foglight Agent Manager/truststore/cacerts\"";

vmparameter.3 = "-Djavax.net.ssl.trustStorePassword=changeit";

Then, restart the FglAM and continue with the agent configuration, setting the “Use SSL” option in the Agent Properties to true

For full information on secure connections and server-side configuration, refer to the Using Secure Connections section of the MySQL documentation for your version. The default truststore (cacerts) ships with multiple well known 3rd party CA certificates for convenience but using the -Djavax.net.ssl.trustStore parameter overrides the default trust store for the JRE that runs the FglAM. If additional CA certificates are required, use the default cacerts as a starting point; import the additional CA certificates into cacerts and make a copy of this file as the custom trust store to take advantage of the existing CA certificates.