I am trying to connect to a MySQL Database with SSL using a Client Certificate. I have created a truststore with the CA Certificate:
keytool -import -alias mysqlServerCACert -file ca.crt -keystore truststore
Then I created a keystore with my private key and my client certificate:
openssl pkcs12 -export -out bi.pfx -inkey bi.key -in bi.crt -certfile ca.crt
openssl x509 -outform DER -in bi.pem -out bi.der
keytool -importkeystore -file bi.der -keystore keystore -alias mysqlClientCertificate
I added useSSL=true and requireSSL=true to the jdbc URL and passed
-Djavax.net.ssl.keyStore=${db.keyStore}
-Djavax.net.ssl.keyStorePassword=${db.keyStore.pwd}
-Djavax.net.ssl.trustStore=${db.trustStore}
-Djavax.net.ssl.trustStorePassword=${db.keyStore.pwd}
to the kettle transformation from the surrounding job. I still get "Could not create connection to database server".
I can connect via SSL using the command line tool:
mysql --protocol=tcp -h myqlhost -P 3309 -u bi -p --ssl=on --ssl-ca=ca.crt --ssl-cert=bi.crt --ssl-key=bi.key db_name
Therefore my current guess is, that ther is an issue with the SSL Certificates.
Is there a way to make the MySQL JDBC Driver tell me more details, what went wrong?
Is my assumtion wrong, that kettle parameters can be used to set system properties? How do I do that instead then?
OK, here is the solution, that I have found now:
The start scripts for the various kettle tools pass parameters to the JVM by reading an environment-variable "OPT". So I have set
Now the MySQL JDBC Driver finds its certificates and private key and can establish the connection.