If you are using an external MySQL database, you may want to encrypt the connection to the database using SSL.
Enabling SSL
You can enable SSL connections by selecting the Database service on your Instance page, then clicking Edit Parameters.
At the bottom of your MySQL configuration, select the option to Encrypt connection with SSL, and 3 new fields will display.
To enable basic encryption on your connections, you must provide the CA Certificate which was used to sign the Database's Server Certificate. This must be in PEM (Base64) format.
If your database requires a more advanced connection, you may need to provide a Client Certificate and Client Key. These can be included in the form below the CA Certificate and also must be in PEM (Base64) format.
Click Validate Parameters to confirm Deskpro can connect to the database with the certificates successfully, then click Save to apply the changes.
Enforcing SSL
If you have enabled SSL on your helpdesk and you do not experience any issues, you can enforce SSL so that any unencrypted connection is rejected.
This is done on a per-user level on the database itself, and requires you to run an ALTER USER statement to apply the changes.
There are different levels of security which can be applied to the users when requiring encryption.
Level | Description |
---|---|
REQUIRE NONE | This is the default state for users where no encryption is required. The user can connect both with encryption and without encryption. |
REQUIRE SSL | This requires the user to connect with SSL, but does not require a client certificate. |
REQUIRE X509 | This requires the user to connect with SSL with a valid client certificate. There are no restrictions on the client certificate. |
REQUIRE ISSUER | This requires the user to connect with SSL and with a valid client certificate which has been issued by a specific CA certificate. |
REQUIRE SUBJECT | This requires the user to connect with SSL and with a specific client certificate which matches the defined subject. |
For the majority of users, REQUIRE SSL will be adequate, with REQUIRE X509 if additional security is required.
We do not recommend using REQUIRE ISSUER or REQUIRE SUBJECT unless absolutely necessary and you understand how to configure the user and client certificate correctly.
To apply these encryption requirements to your database user, you would use the following command:
ALTER USER '<user>'@'<host>' REQUIRE <level>;
A real-world example would look like the following:
ALTER USER 'deskpro'@'%' REQUIRE SSL;
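The following is an added example, not part of the original page or Deskpro's own tooling: it walks the levels in the table above through a check, apply, verify and roll back cycle. It assumes MySQL 5.7.6 or later and the 'deskpro'@'%' account from the example above; the issuer and subject strings are constructed placeholders.

```sql
-- Added example. Assumes the 'deskpro'@'%' account used on this page.
-- The DN strings in step 5 are constructed placeholders, not real values.

-- 1. Record the current requirement before changing anything.
--    ssl_type: '' = NONE, ANY = SSL, X509 = X509,
--              SPECIFIED = ISSUER and/or SUBJECT.
SELECT user, host, ssl_type
FROM mysql.user
WHERE user = 'deskpro';

-- 2. In a session opened with the application's own connection settings,
--    confirm the link is already encrypted. An empty Value means the
--    session is plaintext and would be rejected once SSL is required.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 3. Enforce encryption. Each REQUIRE clause replaces the previous
--    requirement for the account; the levels do not accumulate.
ALTER USER 'deskpro'@'%' REQUIRE SSL;

-- 4. Stricter: encryption plus any valid client certificate.
ALTER USER 'deskpro'@'%' REQUIRE X509;

-- 5. Strictest: pin the issuing CA and the certificate subject.
--    The strings must match the certificate's DNs exactly.
ALTER USER 'deskpro'@'%'
  REQUIRE ISSUER '/CN=Example Internal CA'
      AND SUBJECT '/CN=deskpro-client';

-- 6. Show what is now enforced, including any issuer/subject strings.
SHOW CREATE USER 'deskpro'@'%';

-- 7. Roll back to the default if the application can no longer connect.
ALTER USER 'deskpro'@'%' REQUIRE NONE;
```

The requirement is checked when a connection is established, so reconnect with the application's credentials after each step to test it.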
Troubleshooting
I'm using a client certificate and it won't validate
There are a number of steps you can take to diagnose certificate issues.
Confirm the Certificate and Key are in the correct fields and in the correct PEM format.
The key should start with -----BEGIN PRIVATE KEY----- and the certificate should start with -----BEGIN CERTIFICATE-----.
Confirm that your client certificate is still in date. Certificates have an expiration date, and will fail if they have expired.
You can test PEM certificates with online tools such as this SSL Certificate Decoder.
If you are using REQUIRE ISSUER or REQUIRE SUBJECT, try reducing them down to REQUIRE X509 to confirm the certificate is installed correctly.
If REQUIRE X509 works, you have not set your subject lines correctly in the ALTER USER statement.
I've locked myself out of the database
If you have too many failed connection attempts, MySQL will automatically block any further connection attempts from your host.
If this happens, you will need to run the following command on your database server to clear the banned hosts list to allow you to attempt to connect again:
mysqladmin flush-hosts