Encrypt Database Communications

You can enable SSL to encrypt communications between all Moogsoft Onprem components and the MySQL database.

For information on creating SSL keys and certificates for MySQL, see Creating SSL and RSA Certificates and Keys using MySQL.

Establish Trust for the MySQL Certificate

To establish trust for the MySQL database certificate, create a truststore to house the root certificate for the Certificate Authority that signed the MySQL Server certificate.

  1. If you upgraded from a previous version of Moogsoft Onprem, run the following command to extract the certificate for the root CA for MySQL:

    mysql_ssl_rsa_setup

    The command generates new keys and writes them to the /var/lib/mysql directory.

  2. Run the Java keytool command to create a truststore containing the certificate for the root CA for MySQL.

    keytool -import -alias mysqlServerCACert -file /var/lib/mysql/ca.pem -keystore $MOOGSOFT_HOME/etc/truststore

    • When keytool prompts you, enter a password for the keystore. You will need this password to configure Moogsoft Onprem.

    • Answer 'yes' to "Trust this certificate."

    Keytool creates a truststore at the path $MOOGSOFT_HOME/etc/truststore.

Configure Moogsoft Onprem to use SSL for Database Communications

After you have created the truststore, edit the Moogsoft Onprem configuration to enable SSL.

  1. Edit $MOOGSOFT_HOME/config/system.conf.

  2. Inside the MySQL property, uncomment the SSL property and the properties that comprise it. Make sure to uncomment both the opening brace "{" and the closing brace "}". For example:

    ,"ssl" :
    {
    # # The location of the SSL truststore.
    # #
    # # Relative pathing can be used, i.e. '.' to mean current directory,
    # # '../truststore' or '../../truststore' etc. If neither relative
    # # nor absolute (using '/') path is used then $MOOGSOFT_HOME is
    # # prepended to it.
    # # i.e. "config/truststore" becomes "$MOOGSOFT_HOME/config/truststore"
    # #
    # #
    # # Specify the server certificate.
    # #
    "trustStorePath" : "etc/truststore",

    # "trustStoreEncryptedPassword" : "vQj7/yom7e5ensSEb10v2Rb/pgkaPK/4OcUlEjYNtQU=",

    "trustStorePassword" : "moogsoft"
    }

  3. Provide the path to the truststore you created. For example:

    "trustStorePath" : "etc/truststore",

  4. Edit the password for the truststore so that it matches the password you entered at the keytool prompt. For example:

    "trustStorePassword" : "moogsoft"

    See Moog Encryptor if you want to use an encrypted password. Uncomment trustStoreEncryptedPassword and provide the encrypted password for the value. For example:

    "trustStoreEncryptedPassword" : "vQj7/yom7e5ensSEb10v2Rb/pgkaPK/4OcUlEjYNtQU="

  5. Save your changes and restart the following components:

    • Moogfarmd

    • Apache Tomcat

    • All LAMs

After you restart, all Moogsoft Onprem components encrypt communications with the MySQL database.
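
A check you can run on the edited configuration before restarting, as an added example that is not part of the Moogsoft documentation or product. It confirms that the ssl block is really uncommented, resolves trustStorePath with the rule given in the system.conf comments, and flags a plaintext truststore password. The function names, the SAMPLE text and the `<encrypted value>` placeholder are constructed for illustration.

```python
import os
import re

# Constructed sample: the ssl block of system.conf after uncommenting.
SAMPLE = '''
    ,"ssl" :
    {
        "trustStorePath" : "etc/truststore",
        # "trustStoreEncryptedPassword" : "<encrypted value>",
        "trustStorePassword" : "moogsoft"
    }
'''

def active_ssl_settings(conf_text):
    """Return the settings of the uncommented "ssl" block, or None."""
    # A line whose first non-blank character is '#' is a comment.
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    block = re.search(r'"ssl"\s*:\s*\{(.*?)\}', live, re.DOTALL)
    if block is None:
        return None
    return dict(re.findall(r'"(\w+)"\s*:\s*"([^"]*)"', block.group(1)))

def resolve_truststore(path, moogsoft_home, cwd="."):
    """Apply the truststore path rule given in the system.conf comments."""
    if path.startswith("/"):
        return os.path.normpath(path)
    # Dot-relative paths use the current directory; others $MOOGSOFT_HOME.
    base = cwd if path.startswith(".") else moogsoft_home
    return os.path.normpath(os.path.join(base, path))

def audit(conf_text, moogsoft_home):
    """Return a list of findings; an empty list means nothing was flagged."""
    ssl = active_ssl_settings(conf_text)
    if ssl is None:
        return ["no active ssl block: SSL to MySQL is not configured"]
    findings = []
    if not ssl.get("trustStorePath"):
        findings.append("trustStorePath is not set")
    else:
        store = resolve_truststore(ssl["trustStorePath"], moogsoft_home)
        if not os.path.isfile(store):
            findings.append("truststore not found: " + store)
    if "trustStorePassword" in ssl:
        findings.append("plaintext trustStorePassword in use")
        if ssl["trustStorePassword"] == "moogsoft":
            findings.append("trustStorePassword is the documentation sample")
    elif "trustStoreEncryptedPassword" not in ssl:
        findings.append("no truststore password configured")
    return findings
```

To check a live installation, call `audit(open(path_to_system_conf).read(), os.environ["MOOGSOFT_HOME"])`; the check only reads the file and the truststore path.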