Enabling Host Name Identity Verification
MySQL HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections are encrypted. For added security, you can download a signed certificate bundle and enable host name identity verification for your connecting clients and applications.
When a DB System is provisioned, a TLS certificate is installed on the MySQL Server. The certificate, which defines the DB System host name as the Common Name, is signed by a regional Certificate Authority (CA). When a client connects to the DB System with host name identity verification enabled and a CA certificate matching the one used by the server, the server and client place their trust in the same CA certificate and the client verifies that the host to which it connected is the one intended.
To obtain a CA certificate file, you must download a MySQL HeatWave on AWS certificate bundle. Store the certificate bundle in a secure location that is accessible to the client or application. The bundle is a regional CA certificate file in PEM format. You can download the regional certificate bundle for the supported regions:
- AWS US East (N. Virginia) Region (us-east-1)
- Germany Central (Frankfurt) Region (eu-central-1)
- India West (Mumbai) Region (ap-south-1)
- Japan East (Tokyo) Region (ap-northeast-1)
- UK South (London) Region (eu-west-2)
MySQL HeatWave on AWS is currently supported in the regions mentioned in Region Availability. Certificate bundles for other regions will be made available as support for MySQL HeatWave on AWS is extended to other regions.
Alternatively, you can download the regional certificate bundle from the Console using cURL as shown below:
$> curl -o aws-us-east-1-cabundle.pem \
   https://cloud.mysql.com/us-east-1/aws-us-east-1-cabundle.pem
$> curl -o aws-ap-south-1-cabundle.pem \
   https://cloud.mysql.com/ap-south-1/aws-ap-south-1-cabundle.pem
$> curl -o aws-eu-central-1-cabundle.pem \
   https://cloud.mysql.com/eu-central-1/aws-eu-central-1-cabundle.pem
$> curl -o aws-ap-northeast-1-cabundle.pem \
   https://cloud.mysql.com/ap-northeast-1/aws-ap-northeast-1-cabundle.pem
$> curl -o aws-eu-west-2-cabundle.pem \
   https://cloud.mysql.com/eu-west-2/aws-eu-west-2-cabundle.pem
It is recommended that you update your MySQL HeatWave on AWS certificate bundle quarterly to ensure that you always have the latest version.
Issues connecting with
indicate that your certificate bundle is outdated.
To establish an encrypted connection, launch MySQL Shell or the MySQL client with the --ssl-mode option; for example:
MySQL Shell:
$> mysqlsh --host=HostNameOfMySQLDBSystem \
   --user=user1 \
   --password \
   --port=3306 \
   --ssl-mode=VERIFY_IDENTITY \
   --ssl-ca=aws-us-east-1-cabundle.pem
MySQL Command-Line Client:
$> mysql --host=HostNameOfMySQLDBSystem \
   --user=user1 \
   --password \
   --protocol=TCP \
   --port=3306 \
   --ssl-mode=VERIFY_IDENTITY \
   --ssl-ca=aws-us-east-1-cabundle.pem
- --user specifies the user name of the MySQL account to use for connecting to the server.
- --password (-p) specifies the password of the MySQL account used for connecting to the server. The password value is optional. If not given, as in the examples above, mysql prompts for one.
- --protocol specifies the transport protocol to use for connecting to the server. This option is not applicable to MySQL Shell.
- --ssl-mode is the security state of the connection to the server. The VERIFY_IDENTITY mode ensures that an encrypted connection is established, that the TLS certificate is verified against the configured CA certificate, and that the host name identity is verified by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client.
- --ssl-ca specifies the fully qualified path to the CA certificate file.
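The difference between VERIFY_CA and VERIFY_IDENTITY described above is easy to see in code. The following Go program is an added example, not part of this documentation or of any MySQL client; it builds a stand-in regional CA and a stand-in DB System certificate in memory (all names, including the host dbsystem.example.internal, are constructed) and then runs the two client-side checks with Go's standard crypto/x509 package: chain validation against the CA bundle alone, and chain validation plus a host name match. It also shows what happens when the bundle does not contain the CA that signed the server certificate, which is the situation an outdated or wrong-region bundle produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Everything here is constructed in memory for the example. A real client
// reads the downloaded aws-<region>-cabundle.pem instead of calling pemBundle().

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for name. With parent == nil it is a self-signed
// CA (the "regional CA"); otherwise it is a server certificate signed by parent
// (the "DB System certificate") whose Common Name and SAN are the host name.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // Go, like current TLS clients, matches on SANs
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// pemBundle renders the CA the way a downloaded cabundle.pem looks.
func pemBundle(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// verifyServer performs the client-side checks behind --ssl-mode:
// checkIdentity=false is VERIFY_CA (chain to the bundle only);
// checkIdentity=true is VERIFY_IDENTITY (chain AND the host name the client
// connected to must match the certificate).
func verifyServer(bundle []byte, server *x509.Certificate, connectHost string, checkIdentity bool) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("CA bundle contains no certificates")
	}
	opts := x509.VerifyOptions{Roots: pool}
	if checkIdentity {
		opts.DNSName = connectHost
	}
	_, err := server.Verify(opts)
	return err
}

// Outcome records what each mode does with the same server certificate.
type Outcome struct {
	IdentityOK        bool // right bundle, right host, VERIFY_IDENTITY: accepted
	WrongHostCaught   bool // VERIFY_IDENTITY rejects a host name mismatch
	WrongHostPassesCA bool // VERIFY_CA alone does not notice that mismatch
	OtherCARejected   bool // a bundle lacking the server's CA (stale or wrong region) is rejected
}

func Demo() Outcome {
	ca, caKey := newCert("Example Regional CA", nil, nil)
	otherCA, _ := newCert("Some Other CA", nil, nil)
	const dbHost = "dbsystem.example.internal" // constructed host name
	server, _ := newCert(dbHost, ca, caKey)
	bundle := pemBundle(ca)
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	return Outcome{
		IdentityOK:        verifyServer(bundle, server, dbHost, true) == nil,
		WrongHostCaught:   errors.As(verifyServer(bundle, server, "other.example.internal", true), &hostErr),
		WrongHostPassesCA: verifyServer(bundle, server, "other.example.internal", false) == nil,
		OtherCARejected:   errors.As(verifyServer(pemBundle(otherCA), server, dbHost, true), &authErr),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints all four fields as true: VERIFY_CA accepts a valid certificate for a different host, so only VERIFY_IDENTITY guarantees the client reached the DB System it intended, and a bundle that does not contain the server's CA fails outright rather than silently, which is why an outdated bundle shows up as a connection failure.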
For more information about the ssl-* connection options, see Command Options for Connecting to the Server.