cdonat cdonat - 5 months ago 35
SQL Question

Kettle, JDBC, MySQL, SSL: Could not Connetct to database

I am trying to connect to a MySQL Database with SSL using a Client Certificate. I have created a truststore with the CA Certificate:

keytool -import -alias mysqlServerCACert -file ca.crt -keystore truststore


Then I created a keystore with my private key and my client certificate:

openssl pkcs12 -export -out bi.pfx -inkey bi.key -in bi.crt -certfile ca.crt
openssl x509 -outform DER -in bi.pem -out bi.der
keytool -importkeystore -file bi.der -keystore keystore -alias mysqlClientCertificate


I added useSSL=true and requireSSL=true to the jdbc URL and passed

-Djavax.net.ssl.keyStore=${db.keyStore}
-Djavax.net.ssl.keyStorePassword=${db.keyStore.pwd}
-Djavax.net.ssl.trustStore=${db.trustStore}
-Djavax.net.ssl.trustStorePassword=${db.keyStore.pwd}


to the kettle transformation from the surrounding job. I still get "Could not create connection to database server".

I can connect via SSL using the command line tool:

mysql --protocol=tcp -h myqlhost -P 3309 -u bi -p --ssl=on --ssl-ca=ca.crt --ssl-cert=bi.crt --ssl-key=bi.key db_name


Therefore my current guess is, that ther is an issue with the SSL Certificates.

Is there a way to make the MySQL JDBC Driver tell me more details, what went wrong?

Is my assumtion wrong, that kettle parameters can be used to set system properties? How do I do that instead then?

Answer

OK, here is the solution, that I have found now:

The start scripts for the various kettle tools pass parameters to the JVM by reading an environment-variable "OPT". So I have set

export OPT="-Djavax.net.ssl.keyStore=/path/to/keystore -Djavax.net.ssl.keyStorePassword=private -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=private"

Now the MySQL JDBC Driver finds its certificates and private key and can establish the connection.