I have installed EJBCA and we are currently testing it. We are using MariaDB. I have configured certificates on the MariaDB server and from the application server if I connect I can see we are using SSL, see below.<o:p></o:p>
<o:p> </o:p>
MariaDB [(none)]> SHOW STATUS LIKE 'Ssl_cipher';<o:p></o:p>
However, how do we get this to actually work. EJBCA fails if I enforce the following directive on the server<o:p></o:p>
require-secure-transport = on<o:p></o:p>
From what I can tell EJBCA is using a java driver (JDBC) How do we build EJBCA to connect via SSL using the certificate it does if I connect using the maria DB client from the command line?<o:p></o:p>
<o:p> </o:p>
We are using the setup script (ejbca-setup.sh)<o:p></o:p>
Everything else is fine. Our database replication traffic is been encrypted etc. It's just the EJBCA -> DB is plaintext. Normally this lives locally (different virtual machine) but during some failure scenarios it could be over network.<o:p></o:p>
Any pointers much appreciated.<o:p></o:p>
<o:p> </o:p>
<o:p> </o:p>
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
And where does it call the client certs from? The mariaDB client or somewhere in Jboss?
Is there a way to change the database url post install? Do I just change the database.properties and do an ant deployear
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
To configure MariaDB Jdbc to use SSL, you need to do put MariaDB DB server certificate to Jboss/Wildfly's truststore. I think you can add the jdbc url in the db.properties file
I'm still not having much luck. Tried with a new deployment (again using the setup script and both ways above don't seem to work) When deploying ejbca no tables get created in the database. Whereas they do if using plaintext.
If I run tcpdump on the server it looks like I'm seeing db drivers etc in cleartext come through so I'm not convinced it's actually trying to do a TLS handshake?
Since I'm not using a FQDN for the server at the moment I've set the verifyServerCertificate=false
I see the following when deploying (one was with & the other without)
Is this just meaning that any change I make on database_host isn't been passed to the driver hence the plaintext transactions I see?
Anyway after install I tried editing the database.properties (it is correct there actually anyway) and rebuild using ant deploy-datasource and it fails.
Did you find this information about and deploy-datasource in HOWTO-database.txt? There is no such command since a long time. I will update that text file for the next release removing that.
In database.properties you only need to configure database.name as it says in the database.properties.sample file. The other settings can be ignored (unless for the database CLI as it also mentions, but that is an Enterprise feature)
In WildFly you can configure in configuration/standalone.xml, after making the base configuration with the commands in install guide. There in the section for "EjbcaDS" you can tweak the settings used by WildFly just as you want.
Cheers,
Tomas
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; font-size:11.0pt; font-family:"Calibri",sans-serif;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline;} .MsoChpDefault {mso-style-type:export-only;} @page WordSection1 {size:612.0pt 792.0pt; margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.WordSection1 {page:WordSection1;} --></style>
Hi There,<o:p></o:p>
<o:p> </o:p>
I have installed EJBCA and we are currently testing it. We are using MariaDB. I have configured certificates on the MariaDB server and from the application server if I connect I can see we are using SSL, see below.<o:p></o:p>
<o:p> </o:p>
MariaDB [(none)]> SHOW STATUS LIKE 'Ssl_cipher';<o:p></o:p>
+---------------+------------------------+<o:p></o:p>
| Variable_name | Value |<o:p></o:p>
+---------------+------------------------+<o:p></o:p>
| Ssl_cipher | TLS_AES_256_GCM_SHA384 |<o:p></o:p>
+---------------+------------------------+<o:p></o:p>
<o:p> </o:p>
However, how do we get this to actually work. EJBCA fails if I enforce the following directive on the server<o:p></o:p>
require-secure-transport = on<o:p></o:p>
From what I can tell EJBCA is using a java driver (JDBC) How do we build EJBCA to connect via SSL using the certificate it does if I connect using the maria DB client from the command line?<o:p></o:p>
<o:p> </o:p>
We are using the setup script (ejbca-setup.sh)<o:p></o:p>
database_url="jdbc:mysql://${database_host}:3306/${database_name}?characterEncoding=UTF-8"<o:p></o:p>
<o:p> </o:p>
Everything else is fine. Our database replication traffic is been encrypted etc. It's just the EJBCA -> DB is plaintext. Normally this lives locally (different virtual machine) but during some failure scenarios it could be over network.<o:p></o:p>
Any pointers much appreciated.<o:p></o:p>
<o:p> </o:p>
<o:p> </o:p>
You can add end of database_url something like that:
?verifyServerCertificate=true&useSSL=trueThanks. I'll give it a go.
And where does it call the client certs from? The mariaDB client or somewhere in Jboss?
Is there a way to change the database url post install? Do I just change the database.properties and do an ant deployear
To configure MariaDB Jdbc to use SSL, you need to do put MariaDB DB server certificate to Jboss/Wildfly's truststore. I think you can add the jdbc url in the db.properties file
NB! maybe you need to use
&instead of &P.S! It seems that useSSL is kinda old method and the new way is to use sslMode: https://mariadb.com/docs/xpand/connect/programming-languages/java/tls/
Last edit: aloeee 2022-12-23
Thank you again.
I'm still not having much luck. Tried with a new deployment (again using the setup script and both ways above don't seem to work) When deploying ejbca no tables get created in the database. Whereas they do if using plaintext.
If I run tcpdump on the server it looks like I'm seeing db drivers etc in cleartext come through so I'm not convinced it's actually trying to do a TLS handshake?
Since I'm not using a FQDN for the server at the moment I've set the verifyServerCertificate=false
I see the following when deploying (one was with & the other without)
I think I've added the ca-cert and server cert (is this even needed when signed by the ca-cert?) to the correct stores. Can I verify this?
No other trust stores exist during install, but post (successful install when using plain text I see the following)
So it it actually going to be one of these instead? I thought they were for TLS/SSL for the Wildfly application instead (i.e. the webserver)
I even tried with &SSLmode=trust (I know bad idea, but for just testing..) rather than the useSSL options. Same thing.
I have everything else working (well that I've tried so far) it's just this one thing that seems to be beating me.
Thanks again!
I saw this in the setup script
wildfly_exec "data-source add --name=ejbcads --driver-name=\"mariadb-java-client.jar\" --connection-url=\"jdbc:mysql://${database_host}:3306/${database_name}\" --jndi-name=\"java:/EjbcaDS\" --use-ccm=true --driver-class=\"org.mariadb.jdbc.Driver\" --user-name=\"${database_username}\" --password=\"${database_passw>Is this just meaning that any change I make on database_host isn't been passed to the driver hence the plaintext transactions I see?
Anyway after install I tried editing the database.properties (it is correct there actually anyway) and rebuild using ant deploy-datasource and it fails.
Cheers.
Did you find this information about and deploy-datasource in HOWTO-database.txt? There is no such command since a long time. I will update that text file for the next release removing that.
Just follow the installation guide.
https://doc.primekey.com/ejbca/ejbca-installation/application-servers
In database.properties you only need to configure database.name as it says in the database.properties.sample file. The other settings can be ignored (unless for the database CLI as it also mentions, but that is an Enterprise feature)
In WildFly you can configure in configuration/standalone.xml, after making the base configuration with the commands in install guide. There in the section for "EjbcaDS" you can tweak the settings used by WildFly just as you want.
Cheers,
Tomas