当前位置: 首页 > 知识库问答 >
问题:

使用Java建立到MySQL Amazon RDS(SSL/TLS)的安全连接

萧永望
2023-03-14
keytool -import -alias mysqlServerCACert -file file_location.pem -keystore truststore

虽然我理解SSL/TSL和私钥/公钥的概念,但我很困惑如何实现它?

当我运行show VARIABLES LIKE'have_ssl';命令时,我会收到“yes”作为值。当我连接到数据库并运行show SESSION STATUS LIKE'ssl_version';时,我不会收到返回的值。

如何建立从Java到MySQL数据库的安全连接?

import com.mysql.jdbc.Connection;

public class mainClass{

    public static void main(String[] args){

        System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java/jre/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "truststore_password");

        final String url = "jdbc:mysql://mysql_rds_enpoint:port/db_name?verifyServerCertificate=true&useSSL=true&requireSSL=true";
        final String username = "username";
        final String password = "password";

        Connection mysqlConnection = null;
        mysqlConnection = (Connection) mysqlMethods.connectToMysql(url, username, password);
    }
}
import java.sql.DriverManager;
import java.sql.SQLException;

class testClass{

    public static void main(String[] args){
        System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java/jre/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "truststore_password");

        final String url = "jdbc:mysql://mysql_rds_enpoint:port/db_name?verifyServerCertificate=true&useSSL=true&requireSSL=true";
        final String username = "username";
        final String password = "password";

        try {
            Object connection = DriverManager.getConnection(url, username, password);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 206 milliseconds ago.  The last packet sent successfully to the server was 203 milliseconds ago.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:389)
    at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1038)
    at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:110)
    at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4760)
    at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1629)
    at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1206)
    at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2239)
    at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2270)
    at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2069)
    at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:794)
    at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:44)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:389)
    at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:399)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:325)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:247)
    at apples.main(mainClass.java:18)

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:95)
    ... 18 more

Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
    at sun.security.validator.Validator.getInstance(Validator.java:179)
    at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    ... 20 more

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
    ... 32 more

我还使用Workbench和。pem文件确认了用户可以使用SSL登录。

更新3:将javax.net.Debug设置为SSL后的调试信息:

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib/jvm/java/jre/truststore.jks
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=aws.amazon.com/rds/, OU=RDS, O=Amazon.com, L=Seattle, ST=Washington, C=US
  Issuer:  CN=aws.amazon.com/rds/, OU=RDS, O=Amazon.com, L=Seattle, ST=Washington, C=US
  Algorithm: RSA; Serial number: 0xe775b657e21a8128
  Valid from Tue Apr 06 08:44:31 AEST 2010 until Sun Apr 05 08:44:31 AEST 2015

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1425012760 bytes = { 250, 182, 202, 168, 139, 248, 125, 121, 251, 188, 182, 110, 1, 234, 29, 105, 158, 219, 212, 122, 105, 57, 87, 80, 44, 141, 121, 154 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=abcd.abcd123.ap-southeast-1.rds.amazonaws.com]
***
main, WRITE: TLSv1 Handshake, length = 202
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: -1571637097 bytes = { 78, 228, 80, 30, 162, 233, 208, 59, 196, 166, 88, 129, 155, 99, 123, 252, 123, 153, 129, 25, 144, 235, 185, 112, 68, 79, 2, 79 }
Session ID:  {104, 7, 155, 31, 238, 102, 222, 218, 193, 219, 108, 206, 57, 235, 53, 253, 1, 200, 64, 46, 92, 60, 63, 251, 142, 106, 233, 54, 27, 110, 79, 128}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
main, READ: TLSv1 Handshake, length = 1057
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, OU=RDS, CN=sifrmedium.cove4uttgoa2.ap-southeast-2.rds.amazonaws.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 7182371456073335432842458631460148573771628715802835656528548198324749485547005738326606223242830258829871966755842342342342344059076665280539770508892924695580383343581127930380098999434723444448883595421930164673020286553920728427
  public exponent: 65537
  Validity: [From: Sun Jun 21 11:55:57 AEST 2015,
               To: Fri Mar 06 09:03:24 AEDT 2020]
  Issuer: CN=Amazon RDS ap-southeast-2 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
  SerialNumber: [    810c7b2c 621bcf07 366cad3b ab405b]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 89 50 9D 8D 0A 1D 42 A7   D6 36 2E 99 27 44 61 FC  .P.......6..'Ia.
0010: 23 FC D7 F0                                        #...
]
[CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US]
SerialNumber: [    46]
]

[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0C 5C 64 D5 CE C4 27 13   34 01 A0 0D 64 8C B1 C9  .\d...'.4...d<..
0010: 4D 6C 3D 16                                        M\=.
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 16 53 AA 7A 55 49 84 87   5C EC 49 B9 BD 51 98 83  .S.zUI..\.I..Q..
0010: BA 91 84 72 29 77 19 6C   F7 CA 0A 36 09 AC 70 F4  ...r)w.l...6..p.
0020: 8A 2C 90 FD 36 3D 3D CD   E9 BA 2C 5C 95 C3 79 78  .,..6==...,\..yx
0030: CE FA 46 A0 3D 77 31 11   E3 5B 9C 84 AF 4D 60 51  ..F.=w1..[...M`Q
0040: 80 52 04 1E 65 4D 6E 5B   92 E1 69 79 12 8E 56 0F  .R..eMn[..iy..V.
0050: 83 E4 F8 31 4E A7 65 4E   C2 BB 97 A8 B4 67 79 F4  ...1N.eN.....gy.
0060: CD 37 F7 00 A5 42 B9 E0   CB D9 CA 81 EC E3 A3 E3  .7...B..........
0070: FB 05 40 2F 9A 4B 5D AE   7C 30 F4 BA ED DC 74 AC  ..@/.K]..0....t.
0080: 89 30 AD 13 26 F7 88 09   66 01 E1 4B 3A 8C B1 3D  .0..&...f..K:..=
0090: 28 6F 74 1D B0 00 25 FB   9B 1E 00 8D F1 1F 83 84  (ot...%.........
00A0: CE D7 92 39 78 C4 70 26   8E 3C 05 1C 10 3C A3 E0  ...9x.p&.<...<..
00B0: CC 30 F0 A0 68 B1 26 C4   23 AC C0 C6 8A 27 DB 3C  .0..h.&.#....'.<
00C0: 7F 38 DD EE 92 1B A3 A4   99 13 9F 80 62 66 C8 F0  .8..........bf..
00D0: 46 25 38 C3 99 0A A2 A7   04 E5 FF 4D 31 2B E4 82  F%8........M1+..
00E0: BE D9 D5 07 28 96 17 07   30 B9 EC BA 26 F3 7B C3  ....(...0...&...
00F0: 1A CF 13 73 58 96 F2 87   3F FD 86 09 35 FA A3 7B  ...sX...?...5...

]
***
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)

共有1个答案

欧照
2023-03-14

当您运行下面的命令并被要求输入密码时,您应该键入“ChangeIt”。这是密钥库的默认密码

keytool -import -alias mysqlServerCACert -file file_location.pem -keystore truststore

接下来,确保您正在使用的mysql用户配置为需要SSL,如下所示

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' REQUIRE SSL;

接下来,确保从https://s3.amazonaws.com/rds-downloads/rds-combinated-ca-bundle.pem下载的rds包导入到试图连接到AWS rds的应用服务器的默认java cacerts上。

?verifyServerCertificate=true&useSSL=true&requireSSL=true
final String url = "jdbc:mysql://mysql_rds_enpoint:port/db_name?verifyServerCertificate=true&useSSL=true&requireSSL=true";
 类似资料:
  • 问题内容: 我试图使用JDK 1.8和MySQL Connector / J版本5.1.23安全地连接到Amazon RDS,并且对MySQL Connector / J文档中 的说明感到困惑。 说明说明要在当前目录中创建信任库并导入服务器的CA证书。当我运行以下命令时,系统会要求我输入密码,但我不知道输入什么: 另一方面,Amazon的说明指出证书由证书颁发机构签名。SSL证书包括数据库实例终结

  • 当我尝试在https上使用Invoke WebRequest时,我遇到了一些奇怪的错误: "调用-网络请求:基础连接已关闭:无法为SSL/TLS安全通道建立信任关系。" 这是我的密码: 对我有什么建议吗??多谢了。

  • 我试图通过我的groovy代码连接到我公司的Microsoft sql。使用此代码: 这会导致错误: 39m:没有这样的属性:类的连接:31m[0;39m[31m39m(31m)[0;39m[31m39m(31m)[0;39m[31m39m(31m)[0;39m[31m39m(CreateOrg: 47)[0;39m[31m31m(39m)[0;TempTestCase1555589132729.

  • 我使用此代码创建了与 SQL Server 的连接。 但我有一个错误: 驱动程序无法使用安全套接字层(SSL)加密建立到sqlserver的安全连接。错误:“套接字关闭”。client connection id:5975 fad 5-8f8d-496 a-a2bb-BF F3 A8 D1 a 755 有人能帮我吗?预先感谢

  • 0个 我正在尝试从Java连接到邮件服务器。我已经能够使用相同的代码成功地从Java连接到许多邮件服务器,包括Gmail、Rackspace、GoDaddy和其他,但是无论我尝试什么设置,这个都不起作用。 此操作失败,javax.mail.MessaginException:无法将套接字转换为TLS;嵌套异常为:javax.net.ssl.SSLException:无法识别的ssl消息,纯文本连接

  • 问题内容: 我使用此代码创建了到SQL Server的连接。 但是我得到了这个错误: com.microsoft.sqlserver.jdbc.SQLServerException:驱动程序无法使用安全套接字层(SSL)加密建立与SQL Server的安全连接。错误:“套接字已关闭”。ClientConnectionId:5975fad5-8f8d-496a-a2bb- bff3a8d1a755