来自 Compute Engine 和/或外部网络的带有 SSL 的 Google Cloud SQL

Question

我正在尝试使用 SSL 连接到 Google Cloud SQL (mysql) 实例。我已经启用了两个 IP 地址和一个具有来自这些 IP 地址的远程访问权限的用户。我还从 Google 的开发者控制台生成了证书文件。

client-key.pem client-cert.pem server-ca.pem

使用来自两个启用的 IP 地址中的每一个的此命令，我成功地建立了连接。

mysql --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem --host=xxx.xxx.xxx.xxx --user=username --password

由于 mysql 客户端工作，我知道我的防火墙设置、用户、证书等设置正确。

现在我想从一个可执行的 jar 文件中与 java 建立类似的连接。

遵循此处概述的步骤：http : //dev.mysql.com/doc/connector-j/en/connector-j-reference-using-ssl.html

Step 1: keytool -import -alias mysqlServerCACert -file cacert.pem -keystore truststore  

注意：我用 server-ca.pem 替换了说明中使用的 cacert.pem

Step 2: openssl x509 -outform DER -in client-cert.pem -out client.cert
Step 3: keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate

这些步骤创建了我的密钥库和信任库文件。在生成这两个文件时，我为它们中的每一个关联了不同的密码。

这是相关的Java代码：

public void testConnection() throws ClassNotFoundException, SQLException,
        IllegalAccessException, InstantiationException {

    String path = "/home/user/dir/"; // path to keystore and truststore file

    System.setProperty("javax.net.ssl.keyStore",path + "keystore");
    System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
    System.setProperty("javax.net.ssl.trustStore",path + "truststore");
    System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);

    String user = "dbuser";
    String password = "dbUserPassword";

    Connection conn = null;
    int i = 0;
    try {
        String url = "jdbc:mysql://<databaseip>:3306/<databaseName>"
            + "?verifyServerCertificate=true"
            + "&useSSL=true"
            + "&requireSSL=true";

        Class dbDriver = Class.forName("com.mysql.jdbc.Driver");
        conn = DriverManager.getConnection(url, user, password);

        ResultSet rs = conn.createStatement().executeQuery(
                "SELECT 1 + 1 as val");

        while (rs.next()) {
            i = rs.getInt(1);
        }
    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        if (conn != null) {
            try {
                conn.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    System.out.println("The MySQL value is: " + i);
}

同样，从两个启用的 IP 地址，我能够使用 Java 代码中使用的相同用户和密码连接 MySQL 命令行客户端。

我收到以下 java 连接异常。鉴于 mysql 客户端使用相同的用户/密码凭证，我有点怀疑错误消息。任何见解都非常感谢。有没有其他人设置 SSL 并使用 Google SQL？想法，建议，技巧和技巧表示赞赏。谢谢！

java.sql.SQLException: Access denied for user 'dbuser'@'xxx.xxx.xxx.xxx' (using password: YES)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:946)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:885)
at com.mysql.jdbc.MysqlIO.secureAuth411(MysqlIO.java:3421)
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:3988)
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1293)
at com.mysql.jdbc.Connection.createNewIO(Connection.java:2775)
at com.mysql.jdbc.Connection.<init>(Connection.java:1555)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:285)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:215)
at com.test.UserData.getConnection(UserData.java:81)
at com.test.UserData.testConnection(UserData.java:52)

Answer 1

mba12我遇到了同样的问题，感谢您的回答！

所以，解决方案就在这里（正如您所指出的）： How to connect to MySQL with X509 using JDBC？

我还发现了这个： importing an existing x509 certificate and private key in Java keystore to use in ssl

只是为了澄清

javax.net.ssl.keyStore 必须是客户端证书 + 密钥组合，而不仅仅是 MySQL 指南中描述的客户端证书。

总结一下

1. 我们有：

server-ca.pem - MySQL CA certificate, can be downloaded from "SSL Configuration -> View Server CA Certificate"

client-cert.pem - client public key, can be downloaded from "Client Certificates -> newly created certificate"

client-key.pem - client private key, can be downloaded only from "New SSL Certificate created dialog box"

Described here: https://cloud.google.com/sql/docs/configure-ssl-instance

Let's save them in server-instance/ folder and create jks/ folder for generated files in step 2.

2. Create truststore file

   2.1. Copy original JAVA's cacerts to jks/truststore.jks:

   cp $JAVA_HOME/jre/lib/security/cacerts jks/truststore.jks

   2.2. Add MySQL Server CA Certificate / Google Cloud SQL Server CA server-ca.pem to JAVA's default truststore cacerts which we've copied in step 2.1.:

   keytool -importcert -noprompt -trustcacerts -keystore jks/truststore.jks -storepass changeit -alias googlecloudsqlservercacert -file server-instance/server-ca.pem

3. Create keystore file

   3.1. Convert x509 certificate and private key to a pkcs12 file:

   openssl pkcs12 -export -in server-instance/client-cert.pem -inkey server-instance/client-key.pem -out jks/client.p12

   (enter mandatory password), for example: p4ssw0rd

   3.2. Convert the pkcs12 file to a java keystore:

   keytool -importkeystore -srckeystore jks/client.p12 -srcstoretype PKCS12 -destkeystore jks/keystore.jks -deststoretype JKS

   (enter same passwords), for example: p4ssw0rd

About conversion: http://blog.ejbca.org/2008/02/converting-keystores-between-jks-and.html