来自Compute Engine和/或外部网络的带有SSL的Google Cloud SQL
[英]Google Cloud SQL with SSL from Compute Engine and/or External Network
问题描述
I'm trying to connect to an Google Cloud SQL (mysql) instance using SSL. 
我正在尝试使用SSL连接到Google Cloud SQL(mysql)实例。 I've enabled two IP addresses and a user with remote access permissions from those IP addresses. 我已经启用了两个IP地址,并为一个具有来自这些IP地址的远程访问权限的用户启用了这些IP地址。 I have also generated the certificate files from Google's Developer Console. 我还从Google的开发人员控制台生成了证书文件。
client-key.pem client-cert.pem server-ca.pem
Using this command from each of the two enabled IP addresses I successfully make a connection. 使用来自两个启用IP地址中的每个IP地址的此命令,我成功建立了连接。
mysql --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem --host=xxx.xxx.xxx.xxx --user=username --password
Since the mysql client works I know my firewall settings, users, certs, etc. are set up correctly. 由于mysql客户端正常工作,我知道我的防火墙设置,用户,证书等均已正确设置。
Now I'd like to make a similar connection with java from within an executable jar file. 现在,我想从可执行的jar文件中与java建立类似的连接。
Following the steps outlined here: http://dev.mysql.com/doc/connector-j/en/connector-j-reference-using-ssl.html 按照此处概述的步骤进行操作: http : //dev.mysql.com/doc/connector-j/en/connector-j-reference-using-ssl.html
Step 1: keytool -import -alias mysqlServerCACert -file cacert.pem -keystore truststore
NOTE: I substitute server-ca.pem for cacert.pem used in the instructions 注意:我将server-ca.pem替换为说明中使用的cacert.pem
Step 2: openssl x509 -outform DER -in client-cert.pem -out client.cert
Step 3: keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate
These steps create my keystore and truststore files. 这些步骤将创建我的密钥库和信任库文件。 I associate distinct passwords for each of these two files as they are generated. 在生成这两个文件时,我分别为这两个文件关联了不同的密码。
Here is the relevant Java code: 以下是相关的Java代码:
public void testConnection() throws ClassNotFoundException, SQLException,
IllegalAccessException, InstantiationException {
String path = "/home/user/dir/"; // path to keystore and truststore file
System.setProperty("javax.net.ssl.keyStore",path + "keystore");
System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",path + "truststore");
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
String user = "dbuser";
String password = "dbUserPassword";
Connection conn = null;
int i = 0;
try {
String url = "jdbc:mysql://<databaseip>:3306/<databaseName>"
+ "?verifyServerCertificate=true"
+ "&useSSL=true"
+ "&requireSSL=true";
Class dbDriver = Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, user, password);
ResultSet rs = conn.createStatement().executeQuery(
"SELECT 1 + 1 as val");
while (rs.next()) {
i = rs.getInt(1);
}
} catch (Exception ex) {
ex.printStackTrace();
} finally {
if (conn != null) {
try {
conn.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
System.out.println("The MySQL value is: " + i);
}
Again, from both enabled IP addresses I am able to connect with the MySQL command line client with the same user and password being used in the java code. 同样,从这两个启用的IP地址中,我都可以使用java代码中使用的相同用户名和密码连接MySQL命令行客户端。
I receive the following connection exception with the java. 我收到以下与Java的连接异常。 Given that the mysql client works with the same user/passwd credential I am a bit suspect of the error message. 鉴于mysql客户端使用相同的用户/密码凭据,我有点怀疑该错误消息。 Any insights much appreciated. 任何见解非常感谢。 Has anyone else got SSL up and working with Google SQL? 是否还有其他人建立了SSL并使用Google SQL? Thoughts, advice, tricks and tips appreciated. 的想法,建议,技巧和窍门表示赞赏。 Thanks! 谢谢!
java.sql.SQLException: Access denied for user 'dbuser'@'xxx.xxx.xxx.xxx' (using password: YES)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:946)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:885)
at com.mysql.jdbc.MysqlIO.secureAuth411(MysqlIO.java:3421)
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:3988)
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1293)
at com.mysql.jdbc.Connection.createNewIO(Connection.java:2775)
at com.mysql.jdbc.Connection.<init>(Connection.java:1555)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:285)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:215)
at com.test.UserData.getConnection(UserData.java:81)
at com.test.UserData.testConnection(UserData.java:52)
1 个解决方案
解决方案1
4 已采纳 2015-10-20 13:39:46
mba12 I had the same problem, thanks for the answer! mba12我遇到了同样的问题,谢谢您的回答!
So, the solution is here (as you pointed out): How to connect to MySQL with X509 using JDBC? 因此,解决方案就在这里(如您所指出的那样): 如何使用JDBC使用X509连接到MySQL?
I also found this one: importing an existing x509 certificate and private key in Java keystore to use in ssl 我也发现了这一点: 在Java密钥库中导入现有的x509证书和私钥以在ssl中使用
Just for clarification 只是为了澄清
javax.net.ssl.keyStore must be client cert + key combined, not just client cert as described in MySQL guide. javax.net.ssl.keyStore必须是客户端证书+密钥的组合,而不仅仅是MySQL指南中描述的客户端证书。
To summarize 总结一下
- We have: 我们有:
server-ca.pem - MySQL CA certificate, can be downloaded from "SSL Configuration -> View Server CA Certificate" server-ca.pem -MySQL CA证书,可以从“ SSL配置->查看服务器CA证书”下载
client-cert.pem - client public key, can be downloaded from "Client Certificates -> newly created certificate" client-cert.pem客户端公共密钥,可以从“客户端证书->新创建的证书”中下载
client-key.pem - client private key, can be downloaded only from "New SSL Certificate created dialog box" client-key.pem客户端私钥,只能从“新建SSL证书创建对话框”中下载
Described here: https://cloud.google.com/sql/docs/configure-ssl-instance 在此处描述: https : //cloud.google.com/sql/docs/configure-ssl-instance
Let's save them in server-instance/ folder and create jks/ folder for generated files in step 2. 让我们将它们保存在server-instance /文件夹中,并在步骤2中为生成的文件创建jks /文件夹。
Create
truststorefile创建truststore文件2.1.
2.1。 Copy original JAVA's cacertstojks/truststore.jks:将原始JAVA的cacerts复制到jks/truststore.jks:cp $JAVA_HOME/jre/lib/security/cacerts jks/truststore.jks2.2.
2.2。 Add MySQL Server CA Certificate / Google Cloud SQL Server CA server-ca.pemto JAVA's default truststorecacertswhich we've copied in step 2.1.:将MySQL Server CA证书/ Google Cloud SQL Server CA server-ca.pem到我们在步骤2.1中复制的JAVA的默认信任库cacerts中:keytool -importcert -noprompt -trustcacerts -keystore jks/truststore.jks -storepass changeit -alias googlecloudsqlservercacert -file server-instance/server-ca.pemCreate
keystorefile创建keystore文件3.1.
3.1。 Convert x509 certificate and private key to a pkcs12 file: 将x509证书和私钥转换为pkcs12文件: openssl pkcs12 -export -in server-instance/client-cert.pem -inkey server-instance/client-key.pem -out jks/client.p12(enter mandatory password), for example:
p4ssw0rd(输入必填密码),例如: p4ssw0rd3.2.
3.2。 Convert the pkcs12 file to a java keystore: 将pkcs12文件转换为Java密钥库: keytool -importkeystore -srckeystore jks/client.p12 -srcstoretype PKCS12 -destkeystore jks/keystore.jks -deststoretype JKS(enter same passwords), for example:
p4ssw0rd(输入相同的密码),例如: p4ssw0rd
About conversion: http://blog.ejbca.org/2008/02/converting-keystores-between-jks-and.html 关于转换: http : //blog.ejbca.org/2008/02/converting-keystores-between-jks-and.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.