5.5 Enabling Host Name Identity Verification
MySQL HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections over the public internet are encrypted. Private connections over PrivateLinks are also encrypted by default. For DB Systems that only accept private connections (i.e., DB Systems not accessible from public IP addresses), if you need to disable encryption for your client connections (for example, due to certain client-side limitations), you can update the MySQL configuration of your DB System to set the system variable require_secure_transport to OFF and have clients connect to the MySQL DB System through a PrivateLink. For added security, download a signed certificate bundle to enable host name identity verification for connecting clients and applications (for more information, see Enabling Host Name Identity Verification).
               
When a DB System is provisioned, a TLS certificate is installed on the MySQL Server. The certificate, which defines the DB System host name as the Common Name, is signed by a regional Certificate Authority (CA). When a client connects to the DB System with host name identity verification enabled and a CA certificate matching the one used by the server, the server and client place their trust in the same CA certificate and the client verifies that the host to which it connected is the one intended.
      
               
To obtain a CA certificate file, you must download a MySQL HeatWave on AWS certificate bundle. Store the certificate bundle in a secure location that is accessible to the client or application. The bundle is a regional CA certificate file in PEM format. You can download the regional certificate bundle for the supported regions:
- AWS US East (N. Virginia) Region (us-east-1): https://cloud.mysql.com/us-east-1/aws-us-east-1-cabundle.pem
- Germany Central (Frankfurt) Region (eu-central-1): https://cloud.mysql.com/eu-central-1/aws-eu-central-1-cabundle.pem
- India West (Mumbai) Region (ap-south-1): https://cloud.mysql.com/ap-south-1/aws-ap-south-1-cabundle.pem
- Japan East (Tokyo) Region (ap-northeast-1): https://cloud.mysql.com/ap-northeast-1/aws-ap-northeast-1-cabundle.pem
- Mexico Central (Queretaro) Region (mx-central-1): https://cloud.mysql.com/mx-central-1/aws-mx-central-1-cabundle.pem
- UK South (London) Region (eu-west-2): https://cloud.mysql.com/eu-west-2/aws-eu-west-2-cabundle.pem
- South Korea Central (Seoul) Region (ap-northeast-2): https://cloud.mysql.com/ap-northeast-2/aws-ap-northeast-2-cabundle.pem
- US West (San Jose) Region (us-west-2): https://cloud.mysql.com/us-west-2/aws-us-west-2-cabundle.pem
Note:
MySQL HeatWave on AWS is currently supported in the regions mentioned in Region Availability. Certificate bundles for other regions will be made available as support for MySQL HeatWave on AWS is extended to other regions.
Alternatively, you can download the regional certificate bundle from the Console using cURL as shown below:
curl -o aws-us-east-1-cabundle.pem \
https://cloud.mysql.com/us-east-1/aws-us-east-1-cabundle.pem
curl -o aws-ap-south-1-cabundle.pem \
https://cloud.mysql.com/ap-south-1/aws-ap-south-1-cabundle.pem
curl -o aws-eu-central-1-cabundle.pem \
https://cloud.mysql.com/eu-central-1/aws-eu-central-1-cabundle.pem
curl -o aws-ap-northeast-1-cabundle.pem \
https://cloud.mysql.com/ap-northeast-1/aws-ap-northeast-1-cabundle.pem
curl -o aws-eu-west-2-cabundle.pem \
https://cloud.mysql.com/eu-west-2/aws-eu-west-2-cabundle.pem
curl -o aws-mx-central-1-cabundle.pem \
https://cloud.mysql.com/mx-central-1/aws-mx-central-1-cabundle.pem
curl -o aws-ap-northeast-2-cabundle.pem \
https://cloud.mysql.com/ap-northeast-2/aws-ap-northeast-2-cabundle.pem
curl -o aws-us-west-2-cabundle.pem \
https://cloud.mysql.com/us-west-2/aws-us-west-2-cabundle.pem
Note:
It is recommended that you update your MySQL HeatWave on AWS certificate bundle quarterly to ensure that you always have the latest version. Issues connecting with --ssl-mode may indicate that your certificate bundle is outdated.
                  
To establish an encrypted connection, launch the MySQL client with the --ssl-ca and --ssl-mode options; for example:
               
MySQL Shell:
$> mysqlsh --host=HostNameOfMySQLDBSystem \
           --user=user1 \
           --password \
           --port=3306 \
           --ssl-mode=VERIFY_IDENTITY \
           --ssl-ca=aws-us-east-1-cabundle.pem
MySQL Command-Line Client:
$> mysql --host=HostNameOfMySQLDBSystem \
         --user=user1 \
         --password \
         --protocol=TCP \
         --port=3306 \
         --ssl-mode=VERIFY_IDENTITY \
         --ssl-ca=aws-us-east-1-cabundle.pem
where:
- --host specifies the host name of the DB System. The host name is found on the MySQL DB System Details page. See Viewing DB System Details.
- --user specifies the user name of the MySQL account to use for connecting to the server.
- -p specifies the password of the MySQL account used for connecting to the server. The password value is optional. If it is not given, as in the examples above, mysql prompts for one.
- --protocol specifies the transport protocol to use for connecting to the server. This option is not applicable to MySQL Shell.
- --ssl-mode is the security state of the connection to the server. The VERIFY_IDENTITY mode ensures that an encrypted connection is established, that the TLS certificate is verified against the configured CA certificate, and that the host name identity is verified by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client.
- --ssl-ca specifies the fully qualified path to the CA certificate file.
For more information about ssl-* connection options, see Command Options for Connecting to the Server.
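The same VERIFY_IDENTITY guarantee from application code, together with a pre-flight check of the regional CA bundle that catches the outdated or mis-copied bundle the note above warns about. This is an added example, not code from the MySQL HeatWave documentation; the bundle check uses only the Python standard library, while connecting assumes mysql-connector-python is installed (its ssl_ca, ssl_verify_cert and ssl_verify_identity options are used).

```python
"""Added example: Python equivalent of `mysql --ssl-mode=VERIFY_IDENTITY
--ssl-ca=<bundle>` plus a pre-flight check of the regional CA bundle."""
import os
import ssl
import time


def check_ca_bundle(path, warn_days=90):
    """Load the bundle the way a TLS client does and return a list of
    problems (empty list = usable): missing file, non-PEM content, and
    expired or soon-expiring CA certificates all break VERIFY_IDENTITY."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system CAs mixed in
    try:
        ctx.load_verify_locations(cafile=os.path.abspath(path))
    except FileNotFoundError:
        return [f"{path}: file not found"]
    except ssl.SSLError as exc:
        return [f"{path}: not a PEM certificate file ({exc.reason})"]
    cas = ctx.get_ca_certs()  # only certificates with CA:TRUE are listed
    if not cas:
        return [f"{path}: parsed, but it contains no CA certificate"]
    problems = []
    for cert in cas:
        cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400
        if days_left < 0:
            problems.append(f"CA '{cn}' has expired; download a fresh bundle")
        elif days_left < warn_days:
            problems.append(f"CA '{cn}' expires in {int(days_left)} days; refresh the bundle")
    return problems


def verify_identity_kwargs(host, user, password, ca_bundle, port=3306):
    """Connector options matching --ssl-mode=VERIFY_IDENTITY --ssl-ca=...:
    encryption required, server certificate chained to the regional CA, and
    the host name used to connect compared with the certificate's CN."""
    return {
        "host": host, "port": port, "user": user, "password": password,
        "ssl_disabled": False,                 # never fall back to plaintext
        "ssl_ca": os.path.abspath(ca_bundle),  # --ssl-ca wants a full path
        "ssl_verify_cert": True,               # the VERIFY_CA part
        "ssl_verify_identity": True,           # the host name check on top
    }


def connect_verify_identity(host, user, password, ca_bundle, port=3306):
    """Pre-flight the bundle, then open the verified connection."""
    problems = check_ca_bundle(ca_bundle)
    if problems:
        raise RuntimeError("; ".join(problems))
    import mysql.connector  # assumed: pip install mysql-connector-python
    return mysql.connector.connect(**verify_identity_kwargs(host, user, password, ca_bundle, port))
```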
               