...
If you use SSL/TLS for JDBC communication to your MySQL environment, some additional configuration is required (depending on your needs). To use SSL/TLS for encryption only and bypass verification of the MySQL server certificate
The MySQL configuration property sslMode can be used to control the SSL behavior for database connections.
By default, network connections are SSL encrypted; the sslMode property permits secure connections to be turned off or different levels of security to be selected.
The following sslMode values are allowed:
sslMode Value | Description |
---|---|
"DISABLED" | Establish unencrypted connections. |
"PREFERRED" | Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections. (Default value) |
"REQUIRED" | Establish secure connections if the server enabled them, fail otherwise. |
"VERIFY_CA" | Similar to REQUIRED; but additionally, verify the server TLS certificate against the configured Certificate Authority (CA) certificates. |
"VERIFY_IDENTITY" | Similar to VERIFY_CA; but additionally, verify that the server certificate matches the host to which the connection is attempted. |
To change the default behavior of SSL (PREFERRED), add the following to the uc.properties configuration file where sslModeValue is one of the values listed above (DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY):
Panel |
---|
uc.db.url.append.properties=&sslMode=sslModeValue |
...
To use SSL/TLS for encryption and verify the MySQL server certificate, add the following to the uc.properties configuration file AND import the MySQL server certificate CA into the Universal Controller Truststore:
...
The "sslMode" property replaced the deprecated legacy properties "useSSL", "requireSSL", and "verifyServerCertificate", which are still accepted but translated into a value for "sslMode".
If "sslMode" is not explicitly set:
- {"useSSL=false"} is translated to "sslMode=DISABLED".
- {"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} is translated to "sslMode=PREFERRED".
- {"useSSL=true", "requireSSL=true", "verifyServerCertificate=false"} is translated to "sslMode=REQUIRED".
- {"useSSL=true" AND "verifyServerCertificate=true"} is translated to "sslMode=VERIFY_CA".
- There are no equivalent legacy settings for "sslMode=VERIFY_IDENTITY".
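The translation rules above can be turned into a configuration audit. The following is an added example, not part of the original documentation or of the product: it reads the uc.db.url.append.properties line, resolves the effective sslMode, and reports whether the server certificate and host name are actually verified. It assumes that a legacy property left unset takes the value shown in the PREFERRED row, and that sslMode values are written exactly as in the table; the function names and the sample line are constructed for illustration.

```python
from urllib.parse import parse_qsl

# sslMode values from the table above, ordered weakest to strongest.
SSL_MODES = ["DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"]
LEGACY = ("useSSL", "requireSSL", "verifyServerCertificate")
KEY = "uc.db.url.append.properties"

def appended_params(properties_text):
    """Parse the parameters appended to the JDBC URL via uc.properties."""
    for line in properties_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() == KEY:
            return dict(parse_qsl(value.strip().lstrip("&")))
    return {}

def effective_ssl_mode(params):
    """An explicit sslMode wins; otherwise translate the legacy properties."""
    if "sslMode" in params:
        if params["sslMode"] not in SSL_MODES:
            raise ValueError("unknown sslMode: " + params["sslMode"])
        return params["sslMode"]
    # Assumption: an unset legacy property takes its value from the PREFERRED row.
    def flag(name, default):
        return params.get(name, default).lower() == "true"
    if not flag("useSSL", "true"):
        return "DISABLED"
    if flag("verifyServerCertificate", "false"):
        return "VERIFY_CA"
    return "REQUIRED" if flag("requireSSL", "false") else "PREFERRED"

def audit(properties_text):
    """Report what the effective mode guarantees for the database connection."""
    params = appended_params(properties_text)
    mode = effective_ssl_mode(params)
    rank = SSL_MODES.index(mode)
    return {
        "mode": mode,
        "uses_legacy": "sslMode" not in params and any(k in params for k in LEGACY),
        "no_plaintext_fallback": rank >= SSL_MODES.index("REQUIRED"),
        "ca_verified": rank >= SSL_MODES.index("VERIFY_CA"),
        "host_verified": mode == "VERIFY_IDENTITY",
    }

# Constructed sample: a uc.properties line that still uses the legacy properties.
SAMPLE = "uc.db.url.append.properties=&useSSL=true&requireSSL=true&verifyServerCertificate=false"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result with ca_verified set to False means the connection is encrypted at best but the server certificate is not checked against a CA, so the server is not authenticated.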
Note |
---|
For ALL server versions, the default setting of Applications that continue to use the legacy properties and rely on their old default settings should be reviewed. |
You may need to enable connections with TLSv1.2 and higher versions using the enabledTLSProtocols connection property. To specify the enabledTLSProtocols property, add the following to the uc.properties configuration file:
...