5.5 Enabling Host Name Identity Verification
HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections are encrypted. For added security, you can download a signed certificate bundle and enable host name identity verification for your connecting clients and applications.
When a DB System is provisioned, a TLS certificate is installed on the MySQL Server. The certificate, which defines the DB System host name as the Common Name, is signed by a regional Certificate Authority (CA). When a client connects to the DB System with host name identity verification enabled and a CA certificate matching the one used by the server, the server and client place their trust in the same CA certificate and the client verifies that the host to which it connected is the one intended.
To obtain a CA certificate file, you must download a HeatWave on AWS certificate bundle. Store the certificate bundle in a secure location that is accessible to the client or application. The bundle is a regional CA certificate file in PEM format. You can download the regional certificate bundle for the supported regions:
- AWS US East (N. Virginia) Region (us-east-1): https://cloud.mysql.com/us-east-1/aws-us-east-1-cabundle.pem
- Germany Central (Frankfurt) Region (eu-central-1): https://cloud.mysql.com/eu-central-1/aws-eu-central-1-cabundle.pem
- India West (Mumbai) Region (ap-south-1): https://cloud.mysql.com/ap-south-1/aws-ap-south-1-cabundle.pem
- Japan East (Tokyo) Region (ap-northeast-1): https://cloud.mysql.com/ap-northeast-1/aws-ap-northeast-1-cabundle.pem
- UK South (London) Region (eu-west-2): https://cloud.mysql.com/eu-west-2/aws-eu-west-2-cabundle.pem
Note:
HeatWave on AWS is currently supported in the regions mentioned in Region Availability. Certificate bundles for other regions will be made available as support for HeatWave on AWS is extended to other regions.
Alternatively, you can download the regional certificate bundle from the Console using cURL as shown below:
curl -o aws-us-east-1-cabundle.pem \
https://cloud.mysql.com/us-east-1/aws-us-east-1-cabundle.pem
curl -o aws-ap-south-1-cabundle.pem \
https://cloud.mysql.com/ap-south-1/aws-ap-south-1-cabundle.pem
curl -o aws-eu-central-1-cabundle.pem \
https://cloud.mysql.com/eu-central-1/aws-eu-central-1-cabundle.pem
curl -o aws-ap-northeast-1-cabundle.pem \
https://cloud.mysql.com/ap-northeast-1/aws-ap-northeast-1-cabundle.pem
curl -o aws-eu-west-2-cabundle.pem \
https://cloud.mysql.com/eu-west-2/aws-eu-west-2-cabundle.pem
Note:
It is recommended that you update your HeatWave on AWS certificate bundle quarterly to ensure that you always have the latest version. Issues connecting with --ssl-mode may indicate that your certificate bundle is outdated.
To establish an encrypted connection, launch the MySQL client with the --ssl-ca and --ssl-mode options; for example:
MySQL Shell:
$> mysqlsh --host=HostNameOfMySQLDBSystem \
--user=user1 \
--password \
--port=3306 \
--ssl-mode=VERIFY_IDENTITY \
--ssl-ca=aws-us-east-1-cabundle.pem
MySQL Command-Line Client:
$> mysql --host=HostNameOfMySQLDBSystem \
--user=user1 \
--password \
--protocol=TCP \
--port=3306 \
--ssl-mode=VERIFY_IDENTITY \
--ssl-ca=aws-us-east-1-cabundle.pem
where:
- --host specifies the host name of the DB System. The host name is found on the MySQL DB System Details page. See Viewing DB System Details.
- --user specifies the user name of the MySQL account to use for connecting to the server.
- -p specifies the password of the MySQL account used for connecting to the server. The password value is optional. If not given, as in the examples above, mysql prompts for one.
- --protocol specifies the transport protocol to use for connecting to the server. This option is not applicable to MySQL Shell.
- --ssl-mode is the security state of the connection to the server. The VERIFY_IDENTITY mode ensures that an encrypted connection is established, that the TLS certificate is verified against the configured CA certificate, and that the host name identity is verified by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client.
- --ssl-ca specifies the fully qualified path to the CA certificate file.
For more information about ssl-* connection options, see Command Options for Connecting to the Server.
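A pre-flight check for the connection arguments described above, as an added example that is not part of the HeatWave on AWS documentation. The function name check_tls_args and the MAX_AGE_DAYS threshold (90 days, standing in for the quarterly bundle refresh) are assumptions, and the file modification time is used as the download date.

```shell
#!/bin/sh
# Added example, not from the HeatWave on AWS documentation.
# check_tls_args (hypothetical name) inspects the arguments you are about to
# pass to mysql or mysqlsh and prints one finding per problem.
# Returns 0 only when there are no findings.

# Assumption: 90 days approximates the quarterly bundle refresh.
MAX_AGE_DAYS=${MAX_AGE_DAYS:-90}

check_tls_args() {
    mode="" ca="" host="" bad=0
    for arg in "$@"; do
        case "$arg" in
            --ssl-mode=*) mode=${arg#--ssl-mode=} ;;
            --ssl-ca=*)   ca=${arg#--ssl-ca=} ;;
            --host=*)     host=${arg#--host=} ;;
        esac
    done

    # Only VERIFY_IDENTITY checks the host name against the certificate.
    if [ "$mode" != "VERIFY_IDENTITY" ]; then
        echo "ssl-mode: '${mode:-unset}' does not verify host name identity"
        bad=1
    fi

    # The CA bundle must exist, be PEM, and be reasonably fresh
    # (modification time stands in for the download date).
    if [ -z "$ca" ]; then
        echo "ssl-ca: not set"; bad=1
    elif [ ! -r "$ca" ]; then
        echo "ssl-ca: '$ca' is missing or unreadable"; bad=1
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "ssl-ca: '$ca' contains no PEM certificate"; bad=1
    elif [ -n "$(find "$ca" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo "ssl-ca: '$ca' is older than $MAX_AGE_DAYS days"; bad=1
    fi

    # The certificate names the DB System host name, so an IPv4 literal
    # (digits and dots only) cannot match it.
    case "$host" in
        "")        echo "host: not set"; bad=1 ;;
        *[!0-9.]*) ;;
        *)         echo "host: '$host' is an IP address, not the DB System host name"; bad=1 ;;
    esac
    return "$bad"
}
```

Call it with the same arguments you would give the client, for example check_tls_args --host=HostNameOfMySQLDBSystem --ssl-mode=VERIFY_IDENTITY --ssl-ca=aws-us-east-1-cabundle.pem.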