Scenario: Authenticating MySQL Server

We recommend that you use a TLS certificate to authenticate the MySQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate.

Administration Server supports both one-way and two-way SSL authentication for MySQL.

Enable one-way SSL authentication

Follow these steps to configure one-way SSL authentication for MySQL:

  1. Generate a self-signed TLS certificate for the MySQL server

    In PowerShell, change directory to the folder where you want to store certificates. Execute the following commands:

    # Self-signed CA certificate; it is used only to sign the server certificate
    $CertCA = New-SelfSignedCertificate `
    -Subject "CN=CertCA" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -HashAlgorithm "SHA256" `
    -NotAfter (Get-Date).AddDays(365)
    $CertCABase64 = [System.Convert]::ToBase64String($CertCA.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)

    # Server (leaf) certificate signed by the CA; the key must be exportable so it can be written to PEM
    $CertLeaf = New-SelfSignedCertificate `
    -Subject "CN=CertLeaf" `
    -Signer $CertCA `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -HashAlgorithm "SHA256" `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays(365)
    $CertLeafBase64 = [System.Convert]::ToBase64String($CertLeaf.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)

    # Export the server private key as an unencrypted PKCS#8 blob
    $CertLeafRSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertLeaf)
    $CertLeafKeyBytes = $CertLeafRSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
    $CertLeafKeyBase64 = [System.Convert]::ToBase64String($CertLeafKeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks)

    # Wrap the base64 data in PEM markers. Note: the closing "@ of a here-string must be the first characters on its line.
    $CertCAPemCert = @"
    -----BEGIN CERTIFICATE-----
    $CertCABase64
    -----END CERTIFICATE-----
    "@
    $CertLeafPemKey = @"
    -----BEGIN PRIVATE KEY-----
    $CertLeafKeyBase64
    -----END PRIVATE KEY-----
    "@
    $CertLeafPemCert = @"
    -----BEGIN CERTIFICATE-----
    $CertLeafBase64
    -----END CERTIFICATE-----
    "@

    # Output to file
    $CertCAPemCert | Out-File -FilePath ca-cert.pem -Encoding Ascii
    $CertLeafPemKey | Out-File -FilePath server-key.pem -Encoding Ascii
    $CertLeafPemCert | Out-File -FilePath server-cert.pem -Encoding Ascii

    These commands create the certificates in the current user's certificate store and export them to PEM format. Only the exported PEM files are needed to authenticate the server. To remove the created certificates from Windows, execute the following command in PowerShell:

    certmgr.msc

    Locate the created certificates in the Personal → Certificates folder and delete them.

  2. Create a server flag file

    Run the Windows command prompt with administrator rights, and then change your current directory to the directory that contains the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

    Use the klscflag utility to create the KLSRV_MYSQL_OPT_SSL_CA server flag and specify the path to the certificate as its value.

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <path to ca-cert.pem> -t d

  3. Configure the database

    Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines to the [mysqld] section:

    [mysqld]
    ssl-ca=".../mysqlcerts/ca-cert.pem"
    ssl-cert=".../mysqlcerts/server-cert.pem"
    ssl-key=".../mysqlcerts/server-key.pem"
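A consistency check for the PEM files produced in step 1, added here as an example and not part of the Kaspersky procedure: it confirms that server-cert.pem chains to ca-cert.pem (the file clients will be told to trust), that server-key.pem is the private key for server-cert.pem, and how many days the 365-day certificates have left. It assumes PowerShell 5 or later and that the three files are in the current directory under the names used above.

```powershell
# Added consistency check for the PEM files from step 1 (not part of the Kaspersky procedure).
# Assumes ca-cert.pem, server-cert.pem and server-key.pem are in the current directory.
param(
    [string]$CaPem   = "ca-cert.pem",
    [string]$CertPem = "server-cert.pem",
    [string]$KeyPem  = "server-key.pem"
)

function Read-PemBlock {
    param([string]$Path, [string]$Label)
    # Extract the base64 body between the BEGIN/END markers and decode it to DER bytes.
    $text = Get-Content -Path $Path -Raw
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $m = [regex]::Match($text, "-----BEGIN $Label-----(.*?)-----END $Label-----", $opts)
    if (-not $m.Success) { throw "No '$Label' block found in $Path" }
    return [System.Convert]::FromBase64String($m.Groups[1].Value)
}

$ca   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Read-PemBlock $CaPem   "CERTIFICATE"))
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Read-PemBlock $CertPem "CERTIFICATE"))

# 1. server-cert.pem must chain to ca-cert.pem, the file MySQL clients are told to trust.
#    A self-signed CA is expected to show UntrustedRoot; any other status is a real problem.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
[void]$chain.Build($leaf)
$root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$otherErrors = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' })
$chainOk     = ($root.Thumbprint -eq $ca.Thumbprint) -and ($otherErrors.Count -eq 0)

# 2. server-key.pem must be the private key for server-cert.pem: compare the RSA moduli.
$cngKey  = [System.Security.Cryptography.CngKey]::Import((Read-PemBlock $KeyPem "PRIVATE KEY"),
               [System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
$privMod = [System.Security.Cryptography.RSACng]::new($cngKey).ExportParameters($false).Modulus
$pubMod  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf).ExportParameters($false).Modulus
$keyOk   = [System.Convert]::ToBase64String($privMod) -eq [System.Convert]::ToBase64String($pubMod)

# 3. The certificates above are valid for 365 days; track the remaining time so renewal is planned.
$daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    ChainsToCa      = $chainOk
    ChainStatus     = ($otherErrors | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    KeyMatchesCert  = $keyOk
    LeafSubject     = $leaf.Subject
    DaysUntilExpiry = $daysLeft
}
```

If ChainsToCa or KeyMatchesCert is False, fix the files before referencing them in the KLSRV_MYSQL_OPT_SSL_* flags and my.cnf, since MySQL will otherwise present a certificate that clients trusting ca-cert.pem reject.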

Enable two-way SSL authentication

Follow these steps to configure two-way SSL authentication for MySQL:

  1. Create server flag files

    Run the Windows command prompt with administrator rights, and then change your current directory to the directory that contains the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

    Use the klscflag utility to create the server flags and specify the path to the certificate files as their values:

    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <path to ca-cert.pem> -t s
    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CERT -v <path to server-cert.pem> -t s
    klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_KEY -v <path to server-key.pem> -t s

  2. Specify the passphrase (optional)

    If server-key.pem is protected by a passphrase, create the KLSRV_MARIADB_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:

    klscflag -fset -pv klserver -n KLSRV_MARIADB_OPT_TLS_PASPHRASE -v <passphrase> -t s

  3. Configure the database

    Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines to the [mysqld] section:

    [mysqld]
    ssl-ca="...\ca-cert.pem"
    ssl-cert="...\server-cert.pem"
    ssl-key="...\server-key.pem"
