Note: As of Datameer version 6.0, only versions 5.5 and above are supported for MySQL.
...
There are several ways to assign rights for users with SSL:
- Require X509: Any valid SSL client certificate can be used.
- Require Issuer/Require Subject: The SSL client certificate must be issued by a specified CA (issuer) and/or contain a specific subject.
- Require SSL: The connection must be encrypted with SSL. Authentication can use either a password or an SSL client certificate.
In the example below, the `dap` user is required to use SSL and has `ALL PRIVILEGES` on all tables in `dap.*`. In that case, limiting the account to localhost isn't necessary, as encryption on the same server is often not required. Instead, the SSL requirement should be tied to the IP address from which encrypted access is required.
Note: If you have already initialized the Datameer application database and created the tables, or have a Datameer installation in use, then you might need to change only the granted privileges.
Initialize the application database
Create the database and the user. `REQUIRE SSL` forces the created user to use SSL.

```sql
CREATE DATABASE IF NOT EXISTS dap DEFAULT CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON dap.* TO 'dap'@'%' IDENTIFIED BY 'dap' REQUIRE SSL WITH GRANT OPTION;
FLUSH PRIVILEGES;
```
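The three options listed above, written out as an added example (not from the Datameer documentation) in the same `GRANT ... REQUIRE` syntax the page uses, which MySQL 5.5 to 5.7 accept. The client address `192.0.2.10`, the `<password>` placeholder and the issuer and subject strings are constructed; the closing queries read the real `mysql.user` columns and the `Ssl_cipher` status variable to confirm the result.

```sql
-- Added example. Host, password and certificate names are constructed.
-- Run exactly ONE of the three GRANT variants: each one replaces the
-- REQUIRE setting previously stored for the account.

-- Variant 1, REQUIRE SSL: the connection must be encrypted;
-- authentication may still be by password alone.
GRANT ALL PRIVILEGES ON dap.* TO 'dap'@'192.0.2.10'
  IDENTIFIED BY '<password>'
  REQUIRE SSL
  WITH GRANT OPTION;

-- Variant 2, REQUIRE X509: the client must also present a valid
-- certificate, from any CA the server trusts.
GRANT ALL PRIVILEGES ON dap.* TO 'dap'@'192.0.2.10'
  IDENTIFIED BY '<password>'
  REQUIRE X509
  WITH GRANT OPTION;

-- Variant 3, REQUIRE ISSUER / SUBJECT: the client certificate must
-- carry exactly this issuer and subject (constructed values).
GRANT ALL PRIVILEGES ON dap.* TO 'dap'@'192.0.2.10'
  IDENTIFIED BY '<password>'
  REQUIRE ISSUER  '/C=US/O=Example Corp/CN=Example CA'
      AND SUBJECT '/C=US/O=Example Corp/CN=datameer-app'
  WITH GRANT OPTION;

-- Check what the server stored for the account. ssl_type is
-- 'ANY' for REQUIRE SSL, 'X509' for REQUIRE X509, 'SPECIFIED' for
-- ISSUER/SUBJECT, and empty when no encryption is enforced.
SELECT user, host, ssl_type,
       CAST(x509_issuer  AS CHAR) AS issuer,
       CAST(x509_subject AS CHAR) AS subject
FROM mysql.user
WHERE user = 'dap';

-- From a session opened as dap: a non-empty value means this
-- connection is actually encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```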
Test configuration
Test the configuration of the MySQL service from the Datameer application server.
```bash
mysql --ssl-cert etc/client-cert.pem --ssl-key etc/client-key.pem -udap -pdap dap -h<host>
```
Create tables
Create MySQL tables required by Datameer.
```bash
mysql --ssl-cert etc/client-cert.pem --ssl-key etc/client-key.pem -udap -pdap dap -h<host> < bin/create-tables.sql
```
Enabling SSL on Datameer Client
To create an encrypted connection from Java to the MySQL service, you need to have a trusted certificate and make the Datameer service aware of the encrypted connection.
Trust server certificate
The JVM needs to trust the MySQL service's custom certificate.
Add Java truststore to environment
Include the truststore in your Datameer environment to make sure that the JVM is using the correct store. To do so, edit `etc/das-env.sh`.

```bash
export JAVA_OPTIONS="$JAVA_OPTIONS -Djavax.net.ssl.trustStore=${JAVA_HOME}/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
```
Modify the connection URL
Make the Datameer service aware that the external MySQL service is using SSL. Edit the `connection.url` in `persistence.xml` and include `useSSL=true`.

```xml
<property name="hibernate.connection.url" value="jdbc:jamon:mysql://${db.host}:${db.port}/${db.name}?jamonrealdriver=com.mysql.jdbc.Driver&amp;useSSL=true"/>
```
Finally, start the Datameer service.
...