SSL in JPA App

2022-09-20 21:50:05 +05:30
parent 8b5e486eb9
commit 325e68967a
8 changed files with 252 additions and 6 deletions
--- a/persistence-modules/spring-boot-mysql/mysql-server/createuser_query.sql
+++ b/persistence-modules/spring-boot-mysql/mysql-server/createuser_query.sql
@@ -0,0 +1,2 @@
+CREATE USER 'test_user'@'%' IDENTIFIED BY 'Password2022' require X509;
+GRANT ALL PRIVILEGES ON test_db.* TO 'test_user'@'%';
--- a/persistence-modules/spring-boot-mysql/mysql-server/docker-compose.yml
+++ b/persistence-modules/spring-boot-mysql/mysql-server/docker-compose.yml
@@ -0,0 +1,24 @@
+version: '3.8'
+
+services:
+  mysql-service:
+        image: "mysql/mysql-server:8.0.30"
+        container_name: mysql-db
+        command: [ "mysqld",
+                    "--require_secure_transport=ON",
+                    "--ssl-ca=/etc/certs/root-ca.pem",
+                    "--ssl-cert=/etc/certs/server-cert.pem",
+                    "--ssl-key=/etc/certs/server-key.pem",
+                    "--default_authentication_plugin=mysql_native_password",
+                    "--general_log=ON" ]
+        ports:
+            - "3306:3306"
+        volumes:
+            - type: bind
+              source: ./certs
+              target: /etc/certs/
+        restart: always
+        environment:
+           MYSQL_ROOT_HOST: "%"
+           MYSQL_ROOT_PASSWORD: "Password2022"
+           MYSQL_DATABASE: test_db
--- a/persistence-modules/spring-boot-mysql/mysql-server/generatecerts.sh
+++ b/persistence-modules/spring-boot-mysql/mysql-server/generatecerts.sh
@@ -0,0 +1,35 @@
+mkdir certs
+cd ./certs
+
+# Generate new CA certificate ca.pem file.
+openssl genrsa 2048 > root-ca-key.pem
+
+openssl req -new -x509 -nodes -days 3600 \
+    -subj "/C=SE/ST=STOCKHOLM/L=Test/CN=fake-CA" \
+    -key root-ca-key.pem -out root-ca.pem
+
+# Create the server-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+    -subj "/C=SE/ST=STOCKHOLM/L=Test/CN=localhost" \
+    -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+    -CA root-ca.pem -CAkey root-ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Create the client-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+    -subj "/C=SE/ST=STOCKHOLM/L=Test/CN=localhost" \
+    -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+    -CA root-ca.pem -CAkey root-ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Verify the certificates are correct
+openssl verify -CAfile root-ca.pem server-cert.pem client-cert.pem
+
+# Convert pem to jks file
+keytool -importcert -alias MySQLCACert.jks -file root-ca.pem \
+    -keystore truststore.jks -storepass mypassword
+
+openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out certificate.p12 -name "certificate"
+keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore cert.jks