This is a discussion on Using SSL to create secure connection between a servlet (using JDBC) and MySQL within the MySQL Database forums, part of the Database Forums category.
This is a test which will be used to develop a web application, living in Tomcat or Sun's application server (assuming the latter is available on Linux). I am doing the initial testing on Windows because I haven't set up my Linux box yet.

I have read the docs regarding using SSL with MySQL 5.0.16, and there is a little detail wanting. In the section dealing with setting up the certificates, can I use certificates I'd normally create using the keytool that comes with J2SDK? If so, am I safe to assume I'd create and use them in much the same way I'd use them in a client/server app I'd normally develop in Java?

What I am aiming for is this: I want to have an application server running, serving up my apps, and have my MySQL database responding ONLY to my own app server apps, and that using http over SSL. I'll have to set this up twice, though: once on Windows XP during initial proof of concept testing and later on Suse Linux (initially on a single machine and later using server clusters, once I figure out how to do that for both the app server and the MySQL database).

Any idea on how I can set up mutual authentication between my app server apps and MySQL? I should be able to significantly improve the security of my app and database by forcing both the server and the client app to authenticate themselves to each other, and refuse all other connection attempts, right? And of course, SSL is needed to ensure both the integrity and confidentiality of the data exchanged between my apps and my DB.

I'll appreciate any help offered. This is a self-instruction exercise, with what I intend to be a short learning curve, regardless of how steep the resulting curve may be. I find myself frustrated by insufficient detail and examples in the documentation I have found so far.

Thanks,

Ted

--
R.E. (Ted) Byers, Ph.D., Ed.D.
R & D Decision Support Solutions
http://www.randddecisionsupportsolutions.com/
Healthy Living Through Informed Decision Making

> This is a test which will be used to develop a web application, living in Tomcat or Sun's application server (assuming the latter is available on Linux). I am doing the initial testing on Windows because I haven't set up my Linux box yet.
>
> I have read the docs regarding using SSL with MySQL 5.0.16, and there is a little detail wanting. In the section dealing with setting up the certificates, can I use certificates I'd normally create using the keytool that comes with J2SDK?

If these are created by the keytool using Openssl, chances are the certs are compatible.

> If so, am I safe to assume I'd create and use them in much the same way I'd use them in a client/server app I'd normally develop in Java?
>
> What I am aiming for is this: I want to have an application server running, serving up my apps, and have my MySQL database responding ONLY to my own app server apps, and that using http over SSL. I'll have to set this up twice, though: once on Windows XP during initial proof of concept testing and later on Suse Linux (initially on a single machine and later using server clusters, once I figure out how to do that for both the app server and the MySQL database).
>
> Any idea on how I can set up mutual authentication between my app server apps and MySQL? I should be able to significantly improve the security of my app and database by forcing both the server and the client app to authenticate themselves to each other, and refuse all other connection attempts, right? And of course, SSL is needed to ensure both the integrity and confidentiality of the data exchanged between my apps and my DB.

On the MySQL side: the grant command is your friend here. You probably need at least 2 accounts set up: an administrative account, probably accessible only from localhost on the MySQL server and with a strong password, and the web access account, which is (a) restricted to access from ONE IP address or very small netblock only, and (b) is required to use SSL.

You might want two web access accounts: one for your test machine and one for the production machine.

Stage the tests a little: first, can you establish a connection AT ALL? Next, can you do it with SSL? Then, can you restrict it to accept only your cert?

On the application side: I don't know. But I suggest you break the task into two by using the mysql command-line client from the web server box, if that's possible. You need to do several things:

(a) confirm that you can establish a SSL connection.
(b) confirm that your cert works.
(c) confirm that the wrong cert doesn't work.
(d) confirm that you CANNOT establish a non-SSL connection.

A firewall on or in front of the MySQL server to prevent access to port 3306 from anything but the web server (or localhost) wouldn't hurt, either.

Gordon L. Burditt
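The following is an added example, not code posted by either participant, that puts the two halves of the thread together: the JDBC side Ted asks about (a keytool-created JKS keystore and truststore, wired into MySQL Connector/J 5.1 so the app both verifies the server and presents its own certificate) and the MySQL side Gordon describes (an admin account bound to localhost, a web account bound to one IP that must present a certificate with a specific subject and issuer), followed by the checks from his staged test plan: confirm the session is actually encrypted, and confirm a plaintext login is refused. The host name, schema, IP address, file paths, account names and passwords are assumptions for illustration. One practical caveat the thread does not spell out: the MySQL server reads its key, certificate and CA as PEM files, while Connector/J reads JKS keystores, so the CA certificate has to exist in both forms (a keytool-exported `-rfc` certificate is PEM and can be used as the server's `ssl-ca`). Check (c), the wrong certificate, is the same program run with a keystore holding a certificate whose subject does not match the `REQUIRE SUBJECT` clause.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example (not from the thread): mutually authenticated TLS between a
 * Java app and MySQL via Connector/J 5.1, the two-account GRANT layout from
 * the reply, and its checks (a)/(b)/(d). All hosts, paths, names and
 * passwords below are assumptions.
 */
public class MysqlMutualTls {

    static final String DB_HOST = "db.example.internal"; // assumed MySQL host
    static final String DB_NAME = "webapp";              // assumed schema
    static final String APP_SERVER_IP = "192.0.2.10";    // assumed app server address

    /** JDBC properties that refuse plaintext and present a client certificate. */
    static Properties mutualTlsProperties(String user, String password,
                                          String keyStore, String keyStorePass,
                                          String trustStore, String trustStorePass) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");              // never fall back to plaintext
        p.setProperty("verifyServerCertificate", "true"); // server cert must chain to the truststore
        // JKS keystore (created with keytool) holding the app's private key and certificate
        p.setProperty("clientCertificateKeyStoreUrl", "file:" + keyStore);
        p.setProperty("clientCertificateKeyStorePassword", keyStorePass);
        // JKS truststore holding the CA certificate that signed the MySQL server certificate
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStore);
        p.setProperty("trustCertificateKeyStorePassword", trustStorePass);
        return p;
    }

    /**
     * Two accounts as the reply suggests: an admin reachable only from localhost,
     * and a web account bound to one IP that must present a certificate with the
     * given subject, issued by our CA (MySQL 5.0 GRANT ... REQUIRE syntax). The
     * DN strings must match the client certificate exactly. Run these as the
     * administrator; the values are operator-supplied, not user input.
     */
    static String[] grantStatements(String adminPass, String webPass,
                                    String clientSubjectDn, String caIssuerDn) {
        return new String[] {
            "GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost'"
                + " IDENTIFIED BY '" + adminPass + "' WITH GRANT OPTION",
            "GRANT SELECT, INSERT, UPDATE, DELETE ON " + DB_NAME + ".*"
                + " TO 'webapp'@'" + APP_SERVER_IP + "' IDENTIFIED BY '" + webPass + "'"
                + " REQUIRE SUBJECT '" + clientSubjectDn + "' AND ISSUER '" + caIssuerDn + "'",
        };
    }

    /** Checks (a)/(b): the negotiated cipher, or "" if the session is not encrypted. */
    static String sslCipher(Connection conn) throws SQLException {
        Statement st = conn.createStatement();
        try {
            ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'");
            return rs.next() ? rs.getString("Value") : "";
        } finally {
            st.close();
        }
    }

    /** Check (d): with REQUIRE ... on the account, a plaintext login must be refused. */
    static boolean plaintextLoginRefused(String url, String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "false");
        try {
            Connection c = DriverManager.getConnection(url, p);
            c.close();
            return false; // server accepted an unencrypted login: the GRANT is not tight enough
        } catch (SQLException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Class.forName("com.mysql.jdbc.Driver"); // needed on pre-JDBC-4 JVMs such as J2SDK 1.4/5
        String url = "jdbc:mysql://" + DB_HOST + ":3306/" + DB_NAME;
        Properties p = mutualTlsProperties("webapp", "web-secret",
                "/etc/webapp/client.jks", "changeit",
                "/etc/webapp/truststore.jks", "changeit");
        Connection conn = DriverManager.getConnection(url, p);
        try {
            String cipher = sslCipher(conn);
            if (cipher.length() == 0) {
                throw new IllegalStateException("connected without TLS");
            }
            System.out.println("TLS cipher in use: " + cipher);
        } finally {
            conn.close();
        }
        System.out.println("plaintext login refused: "
                + plaintextLoginRefused(url, "webapp", "web-secret"));
    }
}
```

`requireSSL` matters independently of the GRANT: the server-side `REQUIRE` clause protects the account, but the client-side property protects against a misconfigured or substituted server silently downgrading the session before authentication happens. Binding the web account to a single IP as Gordon suggests, together with a firewall on port 3306, means a stolen password is useless from anywhere but the app server, and the client certificate requirement means a compromised app server password alone is still not enough.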