April 29, 2011

Secure JDBC connection to MySQL from GlassFish

Introduction

Following up on my article on Secure JDBC connection to MySQL from Java: it is often the case that your Java code will not connect to the database directly but will instead look up a connection from a container-managed connection pool.  This article describes how to configure a GlassFish connection pool to connect to MySQL securely using keystore/truststore SSL keys.  Thanks much to Thomas Schaefer for this information.

GlassFish Connection Pool

Using the GlassFish admin console, creating a connection pool of MySQL database connections is easy.  To secure the communication, go to the "Additional Properties" tab and add the properties below; of course, replace the values between the [] with your own.


Name                               Value
requireSSL                         true
useSSL                             true
trustCertificateKeyStorePassword   [password_to_truststore]
clientCertificateKeyStoreUrl       file:/c:/temp/keystore.jks
clientCertificateKeyStoreType      JKS
clientCertificateKeyStorePassword  [password_to_keystore]
trustCertificateKeyStoreType       JKS
password                           [database_user_password]
trustCertificateKeyStoreUrl        file:/c:/temp/cacerts.jks
user                               [database_user_name]
url                                jdbc:mysql://[server_name]

The keystore.jks and cacerts.jks files are the tricky part of this configuration.  How you use them will depend on your situation, but in general cacerts.jks will have your certificate authority added to it and keystore.jks will have a certificate added to it that was signed by your certificate authority.  When the JDBC driver attempts to connect to the database, the certificate from keystore.jks is presented to the database server, and the database server accepts it because the certificate was signed by your certificate authority.  In the same way, the database server presents its certificate to the GlassFish server, and GlassFish accepts it because your certificate authority is in cacerts.jks.
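The same pool can be created from the command line with asadmin instead of the admin console, which also lets you check the two keystores first.  The script below is an added example, not part of the original post or of GlassFish; the pool name, database name and datasource class are assumptions, and the keystore paths are the ones from the property table above.

```shell
#!/bin/sh
# Added example (not from the original post): create the MySQL SSL
# connection pool with asadmin. Pool name and datasource class are
# assumptions; the keystore URLs are the ones from the property table.
set -eu

KEYSTORE_URL="file:/c:/temp/keystore.jks"   # client certificate + key
TRUSTSTORE_URL="file:/c:/temp/cacerts.jks"  # your certificate authority
POOL_NAME="MySQLSSLPool"                    # assumed pool name

# asadmin separates --property entries with ':' so any ':' inside a
# value (jdbc:mysql://..., file:/c:/...) must be escaped as '\:'.
esc() { printf '%s' "$1" | sed 's/:/\\:/g'; }

# Build the --property string from the table in the post.
# args: db_user db_password server_name keystore_pw truststore_pw
build_pool_properties() {
  printf 'requireSSL=true:useSSL=true'
  printf ':user=%s:password=%s' "$(esc "$1")" "$(esc "$2")"
  printf ':url=%s' "$(esc "jdbc:mysql://$3")"
  printf ':clientCertificateKeyStoreUrl=%s' "$(esc "$KEYSTORE_URL")"
  printf ':clientCertificateKeyStoreType=JKS'
  printf ':clientCertificateKeyStorePassword=%s' "$(esc "$4")"
  printf ':trustCertificateKeyStoreUrl=%s' "$(esc "$TRUSTSTORE_URL")"
  printf ':trustCertificateKeyStoreType=JKS'
  printf ':trustCertificateKeyStorePassword=%s' "$(esc "$5")"
}

# Sanity check before creating the pool: keystore.jks must hold the
# client's private key entry, cacerts.jks the CA as a trusted cert.
# args: keystore_path keystore_pw truststore_path truststore_pw
check_keystores() {
  keytool -list -keystore "$1" -storepass "$2" | grep -q PrivateKeyEntry || return 1
  keytool -list -keystore "$3" -storepass "$4" | grep -q trustedCertEntry || return 1
}

# args: db_user db_password server_name keystore_pw truststore_pw
create_pool() {
  asadmin create-jdbc-connection-pool \
    --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource \
    --restype javax.sql.DataSource \
    --property "$(build_pool_properties "$@")" "$POOL_NAME"
  # Fails if the TLS handshake or the client certificate is rejected.
  asadmin ping-connection-pool "$POOL_NAME"
}
```

Run check_keystores against the local .jks files first, then create_pool; ping-connection-pool is the quickest way to see whether the server accepted the client certificate.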