3.2.4 Installing SSL Certificates

These instructions guide you through the process of installing SSL certificates for your MySQL Enterprise Monitor installation. $INSTALL_ROOT represents the root path of your installation, which defaults to:

Table 3.3 Default Root Path ($INSTALL_ROOT)

| Operating System | Default Path |
| --- | --- |
| Microsoft Windows | C:\Program Files\MySQL\Enterprise\Monitor\ |
| Linux / Solaris | /opt/mysql/enterprise/monitor/ |
| Mac OS X | /Applications/mysql/enterprise/monitor/ |

MySQL Enterprise Service Manager

To install an SSL certificate for the MySQL Enterprise Service Manager:

First, take the certificate and private key, both in PEM format, and place them in:


$INSTALL_ROOT/apache-tomcat/conf/ssl/tomcat.cert.pem
$INSTALL_ROOT/apache-tomcat/conf/ssl/tomcat.key.pem

Next, restart the service manager. For more information about stopping and starting the service manager, see the instructions for Unix/Mac OS X and Microsoft Windows.

MySQL Enterprise Monitor Agent

To configure SSL-related options for the Agent, the following values may be placed in $INSTALL_ROOT/etc/bootstrap.properties:

Table 3.4 SSL Configuration Options For The Agent's bootstrap.properties

| bootstrap.properties Option | Configuration Values | Description |
| --- | --- | --- |
| ssl-verify-hostnames | true or false | Verify that the hostname of the service manager that the Agent is connected to matches the hostname in the SSL certificate. Default is false, because SSL is used here only for confidentiality. |
| ssl-verify-host-certs | true or false | Default is false. Set to true to support self-signed certificates, a commercial certificate, or a CA certificate that has been imported into a keystore. |
| ssl-ca-keystore-path | String, the path | Path to the keystore with the CA certificate(s); used if ssl-verify-host-certs is true. |
| ssl-ca-keystore-password | String, the password | Password for the CA keystore; used if ssl-verify-host-certs is true. |

An example SSL section of bootstrap.properties:


ssl-verify-hostname=false
ssl-verify-host-certs=true
ssl-ca-keystore-path=/path/to/keystore
ssl-ca-keystore-password=password123

To import a CA certificate in PEM format to a new keystore on the Agent, execute the following:


$INSTALL_ROOT/java/bin/keytool -import -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $INSTALL_ROOT/etc/cacerts


The tool will then respond with:


Enter keystore password:  (the keystore will require at least a 6 character password)
Re-enter new password:

Owner: CN=localhost, O=MySQL AB, ST=Uppsala, C=SE
Issuer: O=MySQL AB, L=Uppsala, ST=Uppsala, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Wed Jan 28 12:56:49 CET 2015
Certificate fingerprints:
     MD5:  E5:FB:56:76:78:B1:0C:D7:B0:80:9F:65:06:3E:48:3E
     SHA1: 87:59:80:28:CE:15:EF:7E:F1:75:4B:76:77:5E:64:EA:B7:1D:D1:18
     SHA256: F4:0B:79:52:CF:F3:A1:A4:7F:B2:D7:C1:65:60:F0:80:93:87:D2:68:9A:A1:84:F4:06:6E:8E:CF:C1:F6:1B:52
     Signature algorithm name: MD5withRSA
     Version: 1
Trust this certificate? [no]: (type yes + enter)
Certificate was added to keystore

Now adjust the ssl-ca-* configuration values in your bootstrap.properties to use the path to this keystore and its password.
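
A consistency check for the Agent's SSL options, as an added example that is not part of the MySQL Enterprise Monitor documentation or product. The option names and defaults come from Table 3.4; treating any other ssl-* key as unknown, the simplified key=value parser, and the file-permission check are assumptions of this example.

```python
import os
import stat

# Option names exactly as spelled in Table 3.4 of this page.
KNOWN = {"ssl-verify-hostnames", "ssl-verify-host-certs",
         "ssl-ca-keystore-path", "ssl-ca-keystore-password"}
SAMPLE = """\
ssl-verify-hostname=false
ssl-verify-host-certs=true
ssl-ca-keystore-path=/path/to/keystore
ssl-ca-keystore-password=password123
"""  # constructed from the page's example section

def parse_properties(text):
    """Parse simple key=value lines; blanks and # / ! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(path):
    """Return findings for the ssl-* options in a bootstrap.properties file."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = []
    for key in sorted(k for k in props if k.startswith("ssl-") and k not in KNOWN):
        findings.append(f"unknown option {key!r}: not listed in Table 3.4")
    verify_certs = props.get("ssl-verify-host-certs", "false").lower() == "true"
    verify_names = props.get("ssl-verify-hostnames", "false").lower() == "true"
    if not verify_certs:
        findings.append("ssl-verify-host-certs is false: service manager certificate is not validated")
    if not verify_names:
        findings.append("ssl-verify-hostnames is false: certificate hostname is not checked")
    if verify_certs:
        keystore = props.get("ssl-ca-keystore-path")
        if not keystore:
            findings.append("ssl-ca-keystore-path is required when ssl-verify-host-certs is true")
        elif not os.path.isfile(keystore):
            findings.append(f"keystore not found: {keystore}")
        if not props.get("ssl-ca-keystore-password"):
            findings.append("ssl-ca-keystore-password is required when ssl-verify-host-certs is true")
    # Assumption of this example: a file holding the keystore password should be owner-only.
    if "ssl-ca-keystore-password" in props and os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file holds the keystore password but is readable by group or others")
    return findings
```

Run against SAMPLE, the check reports the singular ssl-verify-hostname key, which does not match the spelling in Table 3.4, along with the placeholder keystore path.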