The self-signed certificates are generated by the MySQL Enterprise Monitor installation or upgrade process, and are set to expire after 365 days. In the unlikely event you are running a version of MySQL Enterprise Service Manager using the default certificates for more than a year, you must generate new certificates. If you do not generate new certificates, the SSL connection between MySQL Enterprise Service Manager and the repository fails. This section describes how to generate those certificates.
These instructions guide you through the process of installing SSL certificates for your MySQL Enterprise Monitor installation.
All certificates and keys are stored in the Tomcat keystore. To check the certificates stored in the keystore, run the following command:
keytool -keystore $INSTALL_ROOT/apache-tomcat/conf/keystore -list -v
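The listing printed by that command is the place to catch the 365-day expiry described above before the SSL connection to the repository fails. The following is an added example, not part of the MySQL Enterprise Monitor documentation or product: it parses `keytool -list -v` output (a constructed sample in the same format as the output shown later on this page), reports certificates that have expired or expire within a warning window, and flags entries signed with MD5 or SHA-1. It assumes keytool runs in an English locale; the aliases, subjects and dates in the sample are invented.

```python
"""Flag expiring or weakly signed certificates in a keytool -list -v listing."""
import sys
from datetime import datetime

# Constructed sample, modelled on the "keytool -list -v" output format shown on this
# page; the aliases, subjects and dates are invented for the example.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jan 29, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=monitor.example.test, O=Example
Issuer: CN=monitor.example.test, O=Example
Serial number: 1
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Sat Jan 29 12:56:49 CET 2011
Signature algorithm name: SHA256withRSA
Version: 3

Alias name: ca_alias
Creation date: Jan 29, 2010
Entry type: trustedCertEntry

Owner: CN=serverName.com, O=MySQL AB, ST=Uppsala, C=SE
Issuer: O=MySQL AB, L=Uppsala, ST=Uppsala, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Wed Jan 28 12:56:49 CET 2015
Signature algorithm name: MD5withRSA
Version: 1
"""

# Signature algorithms that should not be trusted in a current keystore.
WEAK_SIGNATURE_PREFIXES = ("MD2", "MD5", "SHA1")


def parse_keytool_date(text):
    """Parse keytool's date format, e.g. 'Wed Jan 28 12:56:49 CET 2015'.

    strptime cannot parse arbitrary zone abbreviations, so the zone token is
    dropped and the value is treated as a naive timestamp (day granularity is
    all the expiry check needs).  Assumes keytool runs in an English locale.
    """
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_keytool_listing(listing):
    """Return one dict per alias with the first (leaf) certificate's details."""
    entries = []
    current = None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is None:
            continue  # keystore header lines before the first alias
        elif line.startswith("Owner:") and "owner" not in current:
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and "not_after" not in current:
            current["not_after"] = parse_keytool_date(line.split("until:", 1)[1].strip())
        elif line.startswith("Signature algorithm name:") and "sig_alg" not in current:
            current["sig_alg"] = line.split(":", 1)[1].strip()
    return entries


def check_keystore(listing, now, warn_days=30):
    """Return (alias, code, detail) findings; codes: expired, expiring, weak-sigalg.

    `now` may be a datetime or an ISO date string such as "2010-12-31".
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for entry in parse_keytool_listing(listing):
        alias = entry["alias"]
        not_after = entry.get("not_after")
        if not_after is not None:
            days_left = (not_after - now).days
            if days_left < 0:
                findings.append((alias, "expired", f"expired {-days_left} days ago"))
            elif days_left < warn_days:
                findings.append((alias, "expiring", f"expires in {days_left} days"))
        sig_alg = entry.get("sig_alg", "")
        if sig_alg.upper().startswith(WEAK_SIGNATURE_PREFIXES):
            findings.append((alias, "weak-sigalg", f"signed with {sig_alg}"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, for example:
    #   keytool -keystore $INSTALL_ROOT/apache-tomcat/conf/keystore -list -v | python3 check_keystore.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for alias, code, detail in check_keystore(text, datetime.now()):
        print(f"{alias}: {code} ({detail})")
```

Run it from cron with the real keystore piped in and a warning window longer than your renewal lead time; a `config --renew` only helps if someone is told in time to run it.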
For all certificate-related activities, it is recommended to use the MySQL Enterprise Monitor Configuration Utility. See Chapter 11, Configuration Utilities for more information.
To generate the certificate and add it to the default keystore, run the following command with the MySQL Enterprise Monitor Configuration Utility:
config --renew
This regenerates the self-signed certificate. If the certificate is not self-signed, an error is displayed.
To install an SSL certificate for the MySQL Enterprise Service Manager, use the MySQL Enterprise Monitor Configuration Utility to import the certificate into the keystore.
To import your certificate, run the following command:
config --import-certificate=/path/to/client.crt
To import an existing certificate and key, run the following command:
config --import-certificate=/path/to/client.crt --import-key=/path/to/client.key
Restart the service manager. For more information about stopping and starting the service manager, see the instructions for Unix/macOS and Microsoft Windows.
For information on SSL and MySQL Server, see Creating SSL and RSA Certificates and Keys.
To configure SSL-related options for the Agent, the following values may be placed in $INSTALL_ROOT/etc/bootstrap.properties:
Table 8.1 Agent SSL Configuration Options

Parameter | Description |
---|---|
ssl-verify-hostname | Values: True or False (default). SSL connection between service manager and agent. Verify that the hostname of the service manager that the agent is connected to matches what is in the SSL certificate. |
ssl-allow-self-signed-certs | Values: True (default) or False. SSL connection between agent and MySQL instance. If set to |
ssl-ca-keystore-path | Values: String. SSL connection between agent and MySQL instance. Path to keystore with CA cert(s), if |
ssl-ca-keystore-password | Values: String. SSL connection between agent and MySQL instance. Password for the CA keystore, if |
An example bootstrap.properties SSL certification section:
ssl-verify-hostname=false
ssl-allow-self-signed-certs=true
ssl-ca-keystore-path=file:///Applications/mysql/enterprise/agent/etc/mykeystore
ssl-ca-keystore-password=password123
To import a CA certificate in PEM format to a new keystore on the Agent, execute the following:
$INSTALL_ROOT/java/bin/keytool -import -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $INSTALL_ROOT/etc/cacerts
The tool responds with the certificate details. For example:
Enter keystore password: (the keystore requires at least a 6 character password)
Re-enter new password:
Owner: CN=serverName.com, O=MySQL AB, ST=Uppsala, C=SE
Issuer: O=MySQL AB, L=Uppsala, ST=Uppsala, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Wed Jan 28 12:56:49 CET 2015
Certificate fingerprints:
MD5: E5:FB:56:76:78:B1:0C:D7:B0:80:9F:65:06:3E:48:3E
SHA1: 87:59:80:28:CE:15:EF:7E:F1:75:4B:76:77:5E:64:EA:B7:1D:D1:18
SHA256: F4:0B:79:52:CF:F3:A1:A4:7F:B2:D7:C1:65:60:F0:80:93:87:D2:68:9A:A1:84:F4:06:6E:8E:CF:C1:F6:1B:52
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: (type yes + enter)
Certificate was added to keystore
You must edit the ssl-ca-* configuration values in bootstrap.properties accordingly, to use the path to the keystore and password.
The connection between the agent and service manager is also an SSL connection.
SSL for LDAP is configured at the MySQL Enterprise Service Manager Java VM level. That is, it is configured in the keystore of the Java VM bundled with your MySQL Enterprise Monitor installation.
The JVM shipped with MySQL Enterprise Service Manager does not support the AES256 cipher. This can prevent you from using LDAP servers which implement that cipher.
To connect to LDAP servers which implement the AES256 cipher, you must download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 package. This package is available from: Java Cryptography Extension.
The steps described in this section assume your LDAP server is correctly configured and you have a root CA certificate which was used to generate the LDAP server's certificate.
To enable SSL for LDAP and MySQL Enterprise Service Manager, you must do the following:
Convert the LDAP server's root CA certificate from PEM to DER format, if necessary. If the CA certificate is already in DER format, continue to the next step.
openssl x509 -in cacert.pem -inform PEM -out ~/cacert.der -outform DER
Import the CA certificate, in DER format, into the MySQL Enterprise Service Manager Java keystore. Run the following command from the bin directory of your MySQL Enterprise Service Manager's Java installation:
keytool -import -trustcacerts -alias ldapssl -file ~/cacert.der -keystore lib/security/cacerts
Restart MySQL Enterprise Service Manager with the following command:
mysql/enterprise/monitor/mysqlmonitorctl.sh restart
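The PEM-to-DER step above is a pure encoding change: the DER bytes are the base64-decoded body of the `-----BEGIN CERTIFICATE-----` block. The following added example, which is not part of the MySQL Enterprise Monitor documentation or product, performs that conversion and checks that the result is a single, well-delimited DER SEQUENCE before it is handed to keytool, so a truncated or concatenated file is caught before it lands in the JVM's trust store. The sample PEM block is constructed (a five-byte DER SEQUENCE, not a real certificate); the `pem_to_der` and `looks_like_der_certificate` names are this example's own.

```python
"""Convert a PEM CA certificate to DER and sanity-check the encoding before import."""
import base64
import re
import sys

# Constructed sample: the body decodes to SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

# One PEM block; the backreference ensures BEGIN and END labels match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text, label="CERTIFICATE"):
    """Return the DER bytes of every PEM block carrying `label`, in file order.

    This is what `openssl x509 -inform PEM -outform DER` produces for a
    certificate: base64-decode the body, nothing more.
    """
    blobs = []
    for match in PEM_BLOCK.finditer(pem_text):
        if match.group(1) == label:
            blobs.append(base64.b64decode("".join(match.group(2).split())))
    return blobs


def der_length(der):
    """Decode the outer tag/length header; return the total length it claims, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = constructed SEQUENCE, the outer tag of every X.509 cert
        return None
    first = der[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    num_len_bytes = first & 0x7F
    if num_len_bytes == 0 or len(der) < 2 + num_len_bytes:
        return None
    return 2 + num_len_bytes + int.from_bytes(der[2:2 + num_len_bytes], "big")


def looks_like_der_certificate(der):
    """True when the blob is exactly one outer SEQUENCE: truncation or trailing bytes fail this check."""
    return der_length(der) == len(der)


def convert_file(pem_path, der_path):
    """Write the single certificate in `pem_path` to `der_path`; refuse ambiguous or malformed input."""
    with open(pem_path, encoding="ascii") as fh:
        blobs = pem_to_der(fh.read())
    if len(blobs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blobs)}")
    if not looks_like_der_certificate(blobs[0]):
        raise ValueError("decoded body is not a well-delimited DER SEQUENCE")
    with open(der_path, "wb") as fh:
        fh.write(blobs[0])
    return len(blobs[0])


if __name__ == "__main__":
    # Usage: python3 pem_to_der.py cacert.pem ~/cacert.der
    if len(sys.argv) == 3:
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} bytes to {sys.argv[2]}")
    else:
        der = pem_to_der(SAMPLE_PEM)[0]
        print(der.hex(), looks_like_der_certificate(der))
```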