Kettle, JDBC, MySQL, SSL: Could not Connetct to database

Question

I am trying to connect to a MySQL Database with SSL using a Client Certificate. I have created a truststore with the CA Certificate:

keytool -import -alias mysqlServerCACert -file ca.crt -keystore truststore

Then I created a keystore with my private key and my client certificate:

openssl pkcs12 -export -out bi.pfx -inkey bi.key -in bi.crt -certfile ca.crt
openssl x509 -outform DER -in bi.pem -out bi.der
keytool -importkeystore -file bi.der -keystore keystore -alias mysqlClientCertificate

I added useSSL=true and requireSSL=true to the jdbc URL and passed

 -Djavax.net.ssl.keyStore=${db.keyStore}
 -Djavax.net.ssl.keyStorePassword=${db.keyStore.pwd}
 -Djavax.net.ssl.trustStore=${db.trustStore}
 -Djavax.net.ssl.trustStorePassword=${db.keyStore.pwd}

to the kettle transformation from the surrounding job. I still get "Could not create connection to database server".

I can connect via SSL using the command line tool:

 mysql --protocol=tcp -h myqlhost -P 3309 -u bi -p --ssl=on --ssl-ca=ca.crt --ssl-cert=bi.crt --ssl-key=bi.key db_name

Therefore my current guess is, that ther is an issue with the SSL Certificates.

Is there a way to make the MySQL JDBC Driver tell me more details, what went wrong?

Is my assumtion wrong, that kettle parameters can be used to set system properties? How do I do that instead then?

Answer 1

OK, here is the solution, that I have found now:

The start scripts for the various kettle tools pass parameters to the JVM by reading an environment-variable "OPT". So I have set

export OPT="-Djavax.net.ssl.keyStore=/path/to/keystore -Djavax.net.ssl.keyStorePassword=private -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=private"

Now the MySQL JDBC Driver finds its certificates and private key and can establish the connection.

Answer 2

Establish Secure Connection (SSL) To AWS (RDS) Aurora / MySQL from Pentaho (PDI Kettle)

1. You need to create a new user id and Grant SSL rights to it. So this user id can connect to Aurora / MySQL only using Secured connection.
GRANT USAGE ON *.* TO 'admin'@'%' REQUIRE SSL
2. Download public RDS key (.pem fie) from AWS  (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Aurora.html#Aurora.Overview.Security.SSL)
3. Downloaded file contains certificates / keys for each region. 
4. Split certificates from .PEM file into different .PEM files 
5. Use JDK keytool command utility to import all these PEM files into a single truststore (xyz.jks) file
    a. keytool -import -alias xyz.jks -file abc1.pem -keystore truststore
6. Configure JNDI entry for your Aurora / MySQL instance in Pentaho Properties File "data-integration\simple-jndi\jdbc.properties"
    a. Sample JNDI configuration 
    -------------------------------------------------------------------------
    RDSSecured/type=javax.sql.DataSource
    RDSSecured/driver=com.mysql.jdbc.Driver
    RDSSecured/user=admin
    RDSSecured/password=password
    RDSSecured/url=jdbc:mysql://REPLACE_WITH_RDS_ENDPOINT_HERE:3306/DATABASE_NAME?verifyServerCertificate=true&useSSL=true&requireSSL=true
    -------------------------------------------------------------------------
7. Make sure you copied MySQL connector jar in "lib" directory of your pentaho installation. Use connector version 5.1.21 or higher.
8. 
9. Create a copy of Spoon.bat / Spoon.sh based on your operating system E.g. Spoon_With_Secured_SSL_TO_RDS.bat or Spoon_With_Secured_SSL_TO_RDS.sh
10. Now we need to pass the truststore details to Pentaho at startup, so edit the copied script and append below mentioned arguments to OPT variable 
    a. -Djavax.net.ssl.trustStore="FULL_PATH\xyz.jks"
    b. -Djavax.net.ssl.trustStorePassword="YOUR_TRUSTSTORE_PASSWORD"
11. Use new script to start Spoon here after to establish the secure connection
12. Open/create your Job / Transformation
13. Go To View Tab - Database Connections and create new connection
    a. Connection Type: MySQL
    b. Access: JNDI
    c. JNDI Name: RDSSecured 
        i. Same as name used in JDBC.properties file
14. Test Connection and you are ready…. :)