We recommend that you use a TLS certificate to authenticate the MySQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate.
Administration Server supports both one-way and two-way SSL authentication for MySQL.
Enable one-way SSL authentication
Follow these steps to configure one-way SSL authentication for MySQL:
In PowerShell, change directory to the folder where you want to store certificates. Execute the following commands:
$CertCA = New-SelfSignedCertificate `
-Subject "CN=CertCA" `
-CertStoreLocation "Cert:\CurrentUser\My" `
-HashAlgorithm "SHA256" `
-NotAfter (Get-Date).AddDays(365)
$CertCABase64 = [System.Convert]::ToBase64String($CertCA.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$CertLeaf = New-SelfSignedCertificate `
-Subject "CN=CertLeaf" `
–Signer $CertCA `
-CertStoreLocation "Cert:\CurrentUser\My" `
-HashAlgorithm "SHA256" `
-KeyExportPolicy Exportable `
-NotAfter (Get-Date).AddDays(365)
$CertLeafBase64 = [System.Convert]::ToBase64String($CertLeaf.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$CertLeafRSACng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertLeaf)
$CertLeafKeyBytes = $CertLeafRSACng.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
$CertLeafKeyBase64 = [System.Convert]::ToBase64String($CertLeafKeyBytes, [System.Base64FormattingOptions]::InsertLineBreaks)
$CertCAPemCert = @"
-----BEGIN CERTIFICATE-----
$CertCABase64
-----END CERTIFICATE-----
"@
$CertLeafPemKey = @"
-----BEGIN PRIVATE KEY-----
$CertLeafKeyBase64
-----END PRIVATE KEY-----
"@
$CertLeafPemCert = @"
-----BEGIN CERTIFICATE-----
$CertLeafBase64
-----END CERTIFICATE-----
"@
# Output to file
$CertCAPemCert | Out-File -FilePath ca-cert.pem -Encoding Ascii
$CertLeafPemKey | Out-File -FilePath server-key.pem -Encoding Ascii
$CertLeafPemCert | Out-File -FilePath server-cert.pem -Encoding Ascii
These commands create certificates for the current user and export the certificates to the PEM format. You only need the exported PEM files to authenticate the server. To remove the created certificates from Windows, execute the following command in PowerShell:
certmgr.msc
Locate the created certificates in the Personal → Certificates folder and delete them.
Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
Use the klscflag utility to create the KLSRV_MYSQL_OPT_SSL_CA server flag and specify the path to the certificate as its value.
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <
path to
ca-cert.pem> -t d
Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:
[mysqld]
ssl-ca=".../mysqlcerts/ca-cert.pem"
ssl-cert=".../mysqlcerts/server-cert.pem"
ssl-key=".../mysqlcerts/server-key.pem"
Enable two-way SSL authentication
Follow these steps to configure two-way SSL authentication for MySQL:
Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
Use the klscflag utility to create the server flags and specify the path to the certificate files as their values:
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CA -v <
path to
ca-cert.pem> -t s
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_CERT -v <
path to
server-cert.pem> -t s
klscflag -fset -pv klserver -n KLSRV_MYSQL_OPT_SSL_KEY -v <
path to
server-key.pem> -t s
If the server-key.pem requires a passphrase, create a KLSRV_MARIADB_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:
klscflag -fset -pv klserver -n KLSRV_MARIADB_OPT_TLS_PASPHRASE -v <
passphrase
> -t s
Specify the certificates in the my.cnf file. Open the my.cnf file in a text editor and add the following lines into the [mysqld] section:
[mysqld]
ssl-ca="...\ca-cert.pem"
ssl-cert="...\server-cert.pem"
ssl-key="...\server-key.pem"