I am unable to set up SSL/TLS between WildFly 10 and MySQL. I have been trying the following configuration for the datasource:

<datasource jta="true" jndi-name="java:/jdbc/transit" pool-name="transit" enabled="true" use-ccm="true">
    <connection-url>jdbc:mysql://myInstance.rds.amazonaws.com:3306/dbname?ssl=true</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <driver>mysql-connector-java-5.1.40.jar_com.mysql.jdbc.Driver_5_1</driver>
    <security>
        <user-name>example</user-name>
        <password>secret</password>
    </security>
    <validation>
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
        <background-validation>true</background-validation>
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
    </validation>
</datasource>

There are 2 best solutions below

1
On BEST ANSWER

The configuration of JDBC to use SSL is database vendor specific. The <connection-url> and <connection-property> tags of the datasource provide the needed flexibility to add the required JDBC configuration options to enable SSL database connections. Check with the database vendor what string or property can be added to the connection URL or connection property, and you can configure it in the datasource configuration at the JBoss end; this might require providing a truststore at the JBoss end to provide trust in the database server. This can be added in the following way:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/path/to/db_cert.truststore"

In domain mode, the system property javax.net.ssl.trustStore needs to be set for the server which will be using the datasource.

The JBoss Administration and Configuration Guide discusses datasource configuration in chapter 13:

https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/configuration-guide/#datasource_management

0
On

For anyone looking for a concrete implementation of the above steps, follow these steps:

  1. make sure that MySQL is built with support for secure connections (OpenSSL or yaSSL)
  2. make sure that SSL is enabled (-ssl option in MySQL) and the certificates are generated (mysql_ssl_rsa_setup)
  3. import the MySQL server CA certificate (for AWS RDS: you can download the certs from the AWS site, links: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem and https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem ) into a Java truststore or create a truststore in the current directory, and import the server's CA certificate either
  4. import the client certificate that matches the CA certificate you just imported, or create a new client certificate.
  5. set the system properties.

For setting up the datasource in WildFly you may set the properties in the connection URL like:

jdbc:mysql://${hostname}:3306/test?autoReconnect=true&useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:///${pathToYourTruststore}/truststore&trustCertificateKeyStorePassword=${yourPassword}&clientCertificateKeyStoreUrl=file:///${pathToYourKeystore}/keystore&clientCertificateKeyStorePassword=${yourPassword}&requireSSL=true
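
A check for the settings discussed in the two answers, as an added example that is not part of the original posts: it parses a datasource element and reports which of the TLS parameters from the connection URL above are absent. The function name, the db.example.internal host and the truststore path are constructed for illustration; note that inside the WildFly XML each '&' of the URL is written as '&amp;'.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Connector/J URL parameters taken from the second answer's connection URL.
REQUIRED_TRUE = ("useSSL", "requireSSL", "verifyServerCertificate")
TRUSTSTORE_PARAM = "trustCertificateKeyStoreUrl"

# Constructed samples: the question's datasource (trimmed) and a hardened form.
# In an XML file every '&' of the JDBC URL has to be escaped as '&amp;'.
WEAK = """<datasource jndi-name="java:/jdbc/transit" pool-name="transit">
  <connection-url>jdbc:mysql://myInstance.rds.amazonaws.com:3306/dbname?ssl=true</connection-url>
</datasource>"""
HARDENED = """<datasource jndi-name="java:/jdbc/transit" pool-name="transit">
  <connection-url>jdbc:mysql://db.example.internal:3306/dbname?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file:///opt/wildfly/truststore</connection-url>
</datasource>"""


def audit_datasource(xml_text, jvm_truststore=False):
    """Return a list of findings for one <datasource> element.

    jvm_truststore=True means the truststore is supplied JVM-wide through
    -Djavax.net.ssl.trustStore (first answer), so the URL need not name one.
    """
    root = ET.fromstring(xml_text)
    url = (root.findtext("connection-url") or "").strip()
    if not url.startswith("jdbc:mysql://"):
        return ["not a MySQL JDBC URL"]
    # Drop the 'jdbc:' prefix so urlsplit sees an ordinary mysql:// URL.
    query = urlsplit(url[len("jdbc:"):]).query
    params = parse_qs(query, keep_blank_values=True)
    findings = []
    for name in REQUIRED_TRUE:
        if params.get(name, [""])[-1].lower() != "true":
            findings.append(f"{name} is not set to true")
    if not jvm_truststore and not params.get(TRUSTSTORE_PARAM, [""])[-1]:
        findings.append(f"{TRUSTSTORE_PARAM} is missing")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("question", WEAK), ("hardened", HARDENED)):
        print(label, audit_datasource(xml_text) or "ok")
```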