8.6 Connecting Oracle GoldenGate Veridata to SSL-Enabled MySQL Database

Setting up Agent Authentication via server certificate

  1. Copy ca.pem file from MySQL database server to veridata agent machine.
  2. Run the keytool command in the veridata agent machine to import the ca.pem file: $> keytool -importcert -alias <Set_Your_Alias> -file ca.pem -keystore truststore -storepass <Set_Your_Password>

    Note:

    If the truststore file does not already exist, then a new one is created; else the certificate gets added to the existing file.
  3. Append the following connection parameters to MySQL JDBC URL in the <AGENT_DEPLOY_LOCATION>/agent.properties file.
    • For MySQL version 8.0.12 and earlier: database.url=jdbc:mysql://abc.com:3306?useSSL=true&verifyServerCertificate=true.
    • For MySQL version 8.0.13 and later: database.url=jdbc:mysql://abc.com:3306?sslMode=<VERIFY_CA or VERIFY_IDENTITY>.

      Note:

      The VERIFY_IDENTITY option does not work with the default, self-signed certificate ca.pem from mysql.
  4. Export Java parameters to read the truststore you just created or modified. Export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=<path_to_truststore_file> -Djavax.net.ssl.trustStorePassword=<your_truststore_password>"

Setting up Client Authentication via client certificate

  1. Copy client-cert.pem and client-key.pem two files from MySQL database server to veridata agent machine.
  2. Run the openssl command in the veridata agent machine to convert the client key and certificate files to a PKCS #12 archive: $> openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "<Set_Your_name>" -passout pass:<Set_Your_Password> -out client-keystore.p12
  3. Run the keytool command in the veridata agent machine to import the PKCS file: $> keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass <Set_Your_Password> -destkeystore keystore -deststoretype JKS -deststorepass <Set_Your_Password>.

    Note:

    If the keystore file does not already exist, then new one is created; else, the certificate is added to the existing file.
    After the step, you can delete the PKCS #12 archive (client-keystore.p12 in the example).
  4. Export java parameters to read the keystore you just created or modified: export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=<path_to_keystore_file> -Djavax.net.ssl.keyStorePassword=<your_keystore_password>" .
  5. Authentication via client certificate does not require connection parameters in MySQL JDBC URL as opposed to via server certificate.

2-Way Authentication

Apply the steps outlined in both Setting up Server Authentication via server certificate and Setting up Client Authentication via client certificate topics.

Export Java parameters to enable both authentication schemas for server and client at the same time:

export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=<path_to_truststore_file> -Djavax.net.ssl.trustStorePassword=<your_truststore_password> -Djavax.net.ssl.keyStore=<path_to_keystore_file> -Djavax.net.ssl.keyStorePassword=<your_keystore_password>"

Parent topic: Secure