-
标题
How to configure an encrypted SSL connection for the MySQL agent? -
说明
The below instructions cover common steps used to configure an encrypted SSL connection from the MySQL Agent client. -
解决办法
In order to use SSL, your MySQL server must be built with OpenSSL or yaSSL. To check whether SSL is enabled, run this query:
SHOW VARIABLES LIKE 'have_ssl';
If the query returns YES, your server can use SSL. If it returns DISABLED, the server must be started with the SSL options listed in the above mentioned section. SSL and RSA certificates and keys must also be generated in order to use SSL. Information on generating those can be found here.
The client requires a client certificate and certificate authority (CA) certificate. These are named clientcert.pem and ca.pem respectively if generated by the MySQL server and should be located in the data directory. First, the client certificate needs to be converted into DER format. This can be performed by downloading OpenSSL and running the following command:
openssl x509 -outform DER -in client-cert.pem -out client.cert
Then, the certificates must be imported into the FglAM keystore. You can use the bundled keytool, which will be located in the Foglight Agent Manager\jre\1.8.0.72\jre\bin directory, or the equivalent on your system, with these commands:
keytool.exe -import -file ca.pem -keystore truststore -alias mysqlServerCACert
keytool.exe -import -file client.cert -keystore keystore -alias mysqlClientCertificate
If you have not changed the password for the keystore, the default password will be “changeit”. Next, edit the baseline.jvmargs.config file in the Foglight Agent Manager\state\default\config directory and add the following parameters with file paths and passwords appropriate for your system. Escape any quotes with a ‘\’.
vmparameter.0 = "-Djavax.net.ssl.keyStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/keystore\"";
vmparameter.1 = "-Djavax.net.ssl.keyStorePassword=changeit";
vmparameter.2 = "-Djavax.net.ssl.trustStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/truststore\"";
vmparameter.3 = "-Djavax.net.ssl.trustStorePassword=changeit";
Then, restart the FglAM and continue with the agent configuration, setting the “Use SSL” option in the Agent Properties to true
-
其他信息
For full information on secure connections and server-side configuration, refer to the Using Secure Connections section of the MySQL documentation for your version.