  1. #1
    porchrat

    Help with JDBC and x509

    Hi all

    I've been trying to get x509 working through the JDBC (Mysql Connector J) and I'm having some trouble.

    So far I've managed to get SSL working through the JDBC without x509. I've also managed to get x509 working through the MySQL client connecting to the server but the minute I take those same certificates (self-signed) that work with the MySQL client --> MySQL server connection and put them into keystores I can't get the JDBC to connect via x509.

    Does anyone have a guide they can link to or something to help me out with this because right now I'm battling to figure out what is going on with this thing.

  2. #2
    masijade

    Import the CA cert that you used to sign the certificate into cacerts? See the keytool documentation.

  3. #3
    porchrat

    Originally posted by masijade: "Import the CA cert that you used to sign the certificate into cacerts? See the keytool documentation."

    That might be it. You're saying maybe the certificate isn't recognised by Java?

    But then why would SSL work through the JDBC and not x509?

  4. #4
    masijade

    Don't know, it's just a guess. Before I could offer more I would have to be able to physically play with your system a bit (I am much better at that type of stuff hands on than remote).

  5. #5
    porchrat

    Well I'm definitely going to give that a try. I hope it is that simple though somehow I doubt it. I would imagine I would get a message about trusted certificates and besides I explicitly tell the program to use my keystore and truststore which means it should disregard that the certificates aren't trusted as far as cacerts is concerned.

    To me it seems that because plain SSL works through the JDBC (and that involves using the CA certificate and the server certificate signed through that CA certificate) the problem must be with the client certificate (also signed against the CA certificate) or at least how it is handled by the JDBC and its associated classes.

    This is annoying me because I have followed numerous guides now including the one in the MySQL manual and I'm still not up and running. :(

    Alternatively is there any other way to uniquely identify a client connecting to a MySQL server that you know of other than this x509 system?

    That and how does this x509 system actually result in a uniquely identified client? There doesn't seem to be a need to transfer the client public key to the server like there is with SSH.
    Last edited by porchrat; 07-26-2011 at 02:54 PM.

  6. #6
    porchrat

    LOL I eventually figured out the problem. I was being a moron :p

    The problem was that I wasn't importing the client key along with the client certificate into the keystore. Without the key the certificate was useless. I found out that keytool doesn't allow you to import keys so I had to combine the key with the certificate and import them together. Annoying and seemingly silly (you would think that keytool would have functionality for what is undeniably a common operation) but I got there in the end.

    Thank you, masijade, for your advice and attempts to help me. Once again I am blown away by the willingness of people here to help. Keep up the good work guys :)
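
The fix described in post #6 (combine the client key with the certificate and import them together), written out as an added example that is not part of the original thread or of the MySQL documentation. The file names, the alias and the `KS_PASS` environment variable are assumptions; the sample identity is constructed for testing.

```shell
#!/bin/sh
# Added example: put a PEM client certificate and its private key into one
# keystore entry. The keystore password is read from the environment variable
# KS_PASS (an assumption) so it does not appear on the command line.

# Constructed sample identity (self-signed), for trying the procedure offline.
make_sample_identity() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$1/client-key.pem" -out "$1/client-cert.pem" 2>/dev/null
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# keytool imports a bare certificate as a trustedCertEntry; a client identity
# needs a PrivateKeyEntry, so go through PKCS#12, which carries key and cert.
build_client_keystore() {  # $1 cert, $2 key, $3 keystore, $4 alias
    [ -r "$1" ] && [ -r "$2" ] || return 2        # inputs missing
    key_matches_cert "$1" "$2" || return 3        # key is not this cert's key
    p12="$3.p12"
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
        -out "$p12" -passout env:KS_PASS || return 4
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$3" -deststoretype JKS -deststorepass:env KS_PASS \
        >/dev/null 2>&1 || return 5
    rm -f "$p12"                                  # intermediate bundle holds the key
}

# Prints the entry type keytool reports for an alias.
entry_type() {  # $1 keystore, $2 alias
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}
```

Pass the resulting file to `-Djavax.net.ssl.keyStore`; `entry_type` should report `PrivateKeyEntry` for the alias that holds the client identity.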

  7. #7
    anson5

    porchrat, can you give more detail as in how you import the private key into the keystore to get the X509 SSL connection working?

    I followed the instructions at this link and ended up with a keystore file containing both the certificate and private key, as shown in the keytool -list output below:

    C:\>keytool -list -keystore keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    mariadbclientcert, 19-Apr-2012, trustedCertEntry,
    Certificate fingerprint (SHA1): 94:BF:50:EC:0C:38:64:91:E3:8F:B4:BE:19:43:09:CC:BD:0B:26:1C
    mariadbclientkey, 19-Apr-2012, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 94:BF:50:EC:0C:38:64:91:E3:8F:B4:BE:19:43:09:CC:BD:0B:26:1C


    However, when I specify -Djavax.net.ssl.keyStore=keystore in addition to -Djavax.net.ssl.trustStore, I got the following error:

    SQLException: Communications link failure

    The last packet successfully received from the server was 114 milliseconds ago. The last packet sent successfully to the server was 111 milliseconds ago.
    SQLState: 08S01
    VendorError: 0


    Any clue how I can get it to work?
    Last edited by DarrylBurke; 04-20-2012 at 11:06 AM.

  8. #8
    MMatten

    In the standard instructions on the MySQL site the key gets combined into the final certificate, doesn't it?

    Did you solve your issue?

    I'm having problems too now!

    I can connect fine using the mysql command line client, when x509 is required, but I just can't connect from Java :(
