Encrypt Database Communications
You can enable SSL to encrypt communications between all Moogsoft Onprem components and the MySQL database.
For information on creating SSL keys and certificates for MySQL, see Creating SSL and RSA Certificates and Keys using MySQL.
Establish Trust for the MySQL Certificate
To establish trust for the MySQL database certificate, create a truststore to house the root certificate for the Certificate Authority that signed the MySQL Server certificate.
If you upgraded from a previous version of Moogsoft Onprem, run the following command to extract the certificate for the root CA for MySQL:
mysql_ssl_rsa_setup
The command generates new keys and writes them to the /var/lib/mysql directory.
Run the Java keytool command to create a truststore containing the certificate for the root CA for MySQL:
keytool -import -alias mysqlServerCACert -file /var/lib/mysql/ca.pem -keystore $MOOGSOFT_HOME/etc/truststore
When keytool prompts you, enter a password for the keystore. You will need this password to configure Moogsoft Onprem. Answer 'yes' to "Trust this certificate."
Keytool creates a truststore at the path $MOOGSOFT_HOME/etc/truststore.
Configure Moogsoft Onprem to use SSL for Database Communications
After you have created the truststore, edit the Moogsoft Onprem configuration to enable SSL.
Edit $MOOGSOFT_HOME/config/system.conf. Inside the MySQL property, uncomment the SSL property and the properties that comprise it. Make sure to uncomment the opening "{" and closing "}" braces as well. For example:
"ssl" : {
    #
    # The location of the SSL truststore.
    #
    #
    # Relative pathing can be used, i.e. '.' to mean current directory,
    # '../truststore' or '../../truststore' etc. If neither relative
    # nor absolute (using '/') path is used then $MOOGSOFT_HOME is
    # prepended to it.
    # i.e. "config/truststore" becomes "$MOOGSOFT_HOME/config/truststore"
    #
    #
    #
    #
    # Specify the server certificate.
    #
    "trustStorePath" : "etc/truststore",
    # "trustStoreEncryptedPassword" : "vQj7/yom7e5ensSEb10v2Rb/pgkaPK/4OcUlEjYNtQU=",
    "trustStorePassword" : "moogsoft"
}
Provide the path to the truststore you created. For example:
"trustStorePath" : "etc/truststore",
Edit the password for the truststore. For example:
"trustStorePassword" : "moogsoft"
See Moog Encryptor if you want to use an encrypted password. Uncomment trustStoreEncryptedPassword and provide the encrypted password for the value. For example:
"trustStoreEncryptedPassword" : "vQj7/yom7e5ensSEb10v2Rb/pgkaPK/4OcUlEjYNtQU="
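As an added example (not part of the Moogsoft documentation or product), the following Python script checks the edited ssl block before you restart anything: it strips the # line comments the file uses, parses the remaining JSON, applies the relative-path rule quoted in the file's own comments, and confirms that the truststore file exists and that either trustStorePassword or trustStoreEncryptedPassword is set. It assumes the MySQL property is keyed "mysql" and that system.conf is valid JSON once comments are removed; the two sample configurations embedded in it are constructed for the demonstration.

```python
"""Sanity-check the MySQL "ssl" block of a Moogsoft Onprem system.conf.

Added example, not Moogsoft tooling. Assumptions: the MySQL section is keyed
"mysql", the file is JSON once '#' line comments are removed, and the
relative-path rule is the one quoted in the file's own comments.
"""
import json
import os
import sys
from typing import Callable


def strip_hash_comments(text: str) -> str:
    """Remove '#' comments line by line; a '#' inside a quoted string is kept."""
    cleaned = []
    for line in text.splitlines():
        in_string = False
        cut = len(line)
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_string = not in_string
            elif ch == "#" and not in_string:
                cut = i
                break
        cleaned.append(line[:cut])
    return "\n".join(cleaned)


def resolve_truststore_path(path: str, moogsoft_home: str) -> str:
    """Absolute ('/...') and relative ('.' or '..') paths are used as given;
    anything else gets $MOOGSOFT_HOME prepended, as the config comments state."""
    if path.startswith("/") or path.startswith("."):
        return path
    return os.path.join(moogsoft_home, path)


MISSING_BLOCK = "mysql.ssl block is missing or still commented out"


def validate_ssl_block(conf_text: str, moogsoft_home: str,
                       exists: Callable[[str], bool] = os.path.isfile) -> list:
    """Return a list of problems; an empty list means the block looks usable.
    'exists' is injectable so the check can run without a real truststore."""
    try:
        conf = json.loads(strip_hash_comments(conf_text))
    except json.JSONDecodeError as err:
        return [f"system.conf does not parse after comment stripping: {err}"]
    ssl = conf.get("mysql", {}).get("ssl")
    if not isinstance(ssl, dict):
        return [MISSING_BLOCK]
    problems = []
    path = ssl.get("trustStorePath")
    if not path:
        problems.append("trustStorePath is not set")
    else:
        resolved = resolve_truststore_path(path, moogsoft_home)
        if not exists(resolved):
            problems.append(f"truststore not found at {resolved}")
    if not (ssl.get("trustStorePassword") or ssl.get("trustStoreEncryptedPassword")):
        problems.append("no trustStorePassword or trustStoreEncryptedPassword set")
    return problems


# Constructed sample: ssl block uncommented, plaintext password in use.
SAMPLE_CONF = """
{
    "mysql" : {
        "host" : "localhost",      # constructed sample, not a real deployment
        "database" : "moogdb",
        "ssl" : {
            # The location of the SSL truststore. "etc/truststore" becomes
            # "$MOOGSOFT_HOME/etc/truststore" under the relative-path rule.
            "trustStorePath" : "etc/truststore",
            # "trustStoreEncryptedPassword" : "<value produced by Moog Encryptor>",
            "trustStorePassword" : "moogsoft"
        }
    }
}
"""

# Constructed sample of the failure mode: the block (and its leading comma
# and braces) was left commented out, so SSL is silently not configured.
SAMPLE_CONF_COMMENTED = """
{
    "mysql" : {
        "host" : "localhost"
        # ,"ssl" : {
        #     "trustStorePath" : "etc/truststore",
        #     "trustStorePassword" : "moogsoft"
        # }
    }
}
"""

if __name__ == "__main__":
    # Usage: python check_ssl_block.py [/path/to/system.conf]; with no
    # argument the constructed samples are checked instead of a real file.
    home = os.environ.get("MOOGSOFT_HOME", os.getcwd())
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"SAMPLE_CONF": SAMPLE_CONF, "SAMPLE_CONF_COMMENTED": SAMPLE_CONF_COMMENTED}
    for name, text in targets.items():
        print(name, "->", validate_ssl_block(text, home) or "ok")
```

Run it against the real file with MOOGSOFT_HOME exported; an empty problem list means the block parses, the truststore is where the resolved path points, and a password is configured. It does not test the TLS handshake itself, only that the configuration the components will read is complete.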
Save your changes and restart the following components:
Moogfarmd
Apache Tomcat
All LAMs
After you restart, all Moogsoft Onprem components encrypt communications with the MySQL database.