How do I connect to MySQL with X509 using JDBC?

Problem description:

I've set up a MySQL (Community Server, 5.1) database server.

I've set up SSL, created certificates, etc.

I've created a user that has the REQUIRES X509 attribute.

I can connect using this user using the command line client "mysql" and the "status" command shows that SSL is active, etc.

I've followed exactly the instructions from the MySQL site about importing the certificates into Java truststore/keystore files.

I just cannot connect to the database using these.

If I use just the truststore file using a user with REQUIRES SSL then all is fine. Using the keystore file with a user with REQUIRES X509 just isn't having it.

There seems to be lots of evidence on the web of people struggling with this and not many answers. Has ANYONE actually got this working?

Cracked, listed here, in my comment at the bottom of the page: http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

After LITERALLY SPENDING A WEEK DOING THIS I have finally managed to connect using a client certificate (REQUIRES X509 on the user definition)!!!!

rem NOTE: these commands are run using the Java 6 (1.6) JDK as it requires the "-importkeystore" command
rem which is not available before this JDK version.

rem Import the self signed Certificate Authority certificate into a keystore.
keytool -import -alias mysqlCACert -file ca-cert.pem -keystore truststore -storepass truststore
rem Shows only the signed certificate.
keytool -v -list -keystore truststore -storepass truststore

rem Create a PKCS12 file from an existing signed client certificate and its private key.
rem set password to "keystore".
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12 -name clientalias -CAfile ca-cert.pem -caname root
rem Import the combined certificate and private key into the keystore.
keytool -importkeystore -deststorepass keystore -destkeystore keystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass keystore -alias clientalias

Then specify the trusted certificates file (the truststore) and the client certificate/key file (the keystore) in your Java application either via the connection URL, via the JVM start-up parameter arguments (-D=,...), or System.setProperty(var,val),...

It actually works!!
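The Java side of the answer above, written out as an added example (this is not the answerer's code or anything from the MySQL documentation). It assumes the two stores produced by the keytool commands in the answer, files named `truststore` and `keystore` with passwords equal to their file names, a Connector/J 5.1 driver on the classpath, and a hypothetical server `db.example.com` with database `test` and a `REQUIRE X509` user `x509user`. It shows both ways of pointing the driver at the stores (JVM-wide `javax.net.ssl.*` system properties, or the per-connection Connector/J properties) and then checks, like the `status` command in the mysql client, that the session really negotiated TLS.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class MysqlX509Connect {
    // Assumed: store file names and passwords match the keytool commands in the answer.
    private static final String TRUSTSTORE = "truststore";
    private static final String TRUSTSTORE_PASS = "truststore";
    private static final String KEYSTORE = "keystore";
    private static final String KEYSTORE_PASS = "keystore";

    // Assumed/hypothetical connection details; replace with your own.
    private static final String URL = "jdbc:mysql://db.example.com:3306/test";
    private static final String USER = "x509user";
    private static final String PASSWORD = "<x509user-password>";

    /** Option A: JVM-wide stores. Equivalent to passing -Djavax.net.ssl.keyStore=... etc. on the command line. */
    static void configureJvmWideStores() {
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASS);
        // The keyStore holds the client certificate + private key; without it the server
        // sees no client certificate and a REQUIRE X509 user is denied.
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASS);
    }

    /** Option B: per-connection stores via Connector/J 5.1 properties (same keys work appended to the URL). */
    static Properties connectorJProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "true");
        // requireSSL=true stops the driver from silently falling back to a plaintext connection.
        p.setProperty("requireSSL", "true");
        // verifyServerCertificate=true makes the driver check the server's chain against the truststore.
        p.setProperty("verifyServerCertificate", "true");
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + TRUSTSTORE);
        p.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASS);
        p.setProperty("clientCertificateKeyStoreUrl", "file:" + KEYSTORE);
        p.setProperty("clientCertificateKeyStorePassword", KEYSTORE_PASS);
        return p;
    }

    /** Returns the negotiated TLS cipher for this session, or "" if the session is not encrypted. */
    static String negotiatedCipher(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }

    public static void main(String[] args) throws SQLException {
        boolean perConnection = args.length > 0 && "per-connection".equals(args[0]);
        Properties props;
        if (perConnection) {
            props = connectorJProperties(USER, PASSWORD);
        } else {
            configureJvmWideStores();
            props = new Properties();
            props.setProperty("user", USER);
            props.setProperty("password", PASSWORD);
            props.setProperty("useSSL", "true");
            props.setProperty("requireSSL", "true");
            props.setProperty("verifyServerCertificate", "true");
        }

        try (Connection c = DriverManager.getConnection(URL, props)) {
            String cipher = negotiatedCipher(c);
            if (cipher.isEmpty()) {
                throw new IllegalStateException("Connected, but the session is NOT using SSL/TLS");
            }
            System.out.println("Connected over TLS, cipher = " + cipher);
        }
    }
}
```

Run it with no arguments for the system-property route or with `per-connection` for the Connector/J-property route. Two caveats worth knowing when debugging this: if the server rejects the `REQUIRE X509` user with an access-denied error even though the truststore-only setup works, the driver never presented a client certificate, which almost always means the keystore was not found or its password is wrong, so the TLS handshake quietly completed without client authentication; and `verifyServerCertificate=true` in Connector/J 5.1 validates the server's certificate chain against the truststore but does not check that the certificate's name matches the host you connected to, so a private CA that only ever issues the one server certificate is what actually pins you to the intended server.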