Configuring a Fusion JDBC Connector Using SSL

More and more frequently, database administrators are implementing security beyond a simple username and password. One example is the use of SSL, with certificate and key files, to provide a mechanism to ensure encrypted communication between the client and server. Setting up a new connector in Lucidworks Fusion that utilizes this method of encryption is easy, if not straightforward. Below I’ll describe how I configured a JDBC connector as a client to a MySQL database (using MySQL JDBC JAR v5.1.31, link at end) using SSL and a private key.

Prerequisite: Configuring a Java KeyStore (JKS)

Before we can connect to MySQL, we need to set up a Java KeyStore on the Fusion server(s) that host your connectors. This is the trickiest aspect of configuring a connector for SSL, and occurs outside of Fusion. Given a public/private key pair, you’ll need to create a new (or import into an existing) Java KeyStore. Your database administrator will need to provide you with the appropriate public key, and may or may not provide you with a private key (you may be required to generate this yourself.) Since creating a JKS is a blog post in itself, I’ll share some resources at the end of this example to point you in the right direction; for the purposes of this example, I’ll assume you’ve already set up your JKS appropriately.

Pointing Fusion to your JKS

The first step in configuring this connector is to ensure that Fusion will have a handle to your JKS. To do this, you’ll need to modify the connector’s startup script (<Fusion home>/bin/connectors on *nix, or <Fusion home>/bin/connectors.cmd on Windows) to include the following Java options:

-Djavax.net.ssl.keyStore=/path/to/keystore
-Djavax.net.ssl.keyStorePassword=password

In the *nix script, you can add these options to the JAVA_OPTIONS variable already defined; in the Windows batch file, there are several conditionals that set JAVA_OPTIONS differently, so you’re best bet is to add them to the START command in the :do_start block.

Configuring Your JDBC Connector

Once your JKS is set up and Fusion knows where to find it, we can create a new JDBC connector that utilizes SSL. As I mentioned, we’ll be using MySQL for this example, so my connector URL and driver are as follows:

URL: jdbc:mysql://<server_name>:<port>/<db_name>?useSSL=true
Driver: org.gjt.mm.mysql.Driver

A quick note here: you’ll notice that the only change from the basic MySQL connection string is the addition of the useSSL flag – it’s really that simple. You’ll also notice I’m using the “older” named MySQL JDBC driver class; using “com.mysql.jdbc.Driver” resulted in “value.not.allowed” exceptions. I’ve added some resources that talk about the difference between these classes.
And that’s it! Not exactly straightforward, but not difficult. As I mentioned, for most people the trickiest part is configuring the JKS. Here are some further resources that may help you out with JKS and MySQL using SSL.

Resources

• Java KeyTool: the command-line utility for creating and updating keystores and truststores
• KeyStore Explorer: a free, multi-platform user interface to keystores and truststores – it makes setting them up much easier
• Importing a private key/public certificate pair
• MySQL JDBC driver
• MySQL and SSL: Some articles from MySQL regarding SSL configuration on both the client and server side:
  • Configuring MySQL for SSL
  • Using SSL Connections
• What is the difference between com.mysql.jdbc.Driver and org.gjt.mm.mysql.Driver?

About the Author

Sean Mare is a technologist with over 18 years of experience in enterprise application design and development. As Solution Architect with Knowledgent Group Inc., a leading Big Data and Analytics consulting organization and partner with Lucidworks, he leverages the power of enterprise search to enable people and organizations to explore their data in exciting and interesting ways. He resides in the greater New York City area.