SunLync SSL Configuration

Article ID: 572
Last updated: 03 Jul, 2018
Revision: 12

Note: This article is for informational purposes only. The SunLync Support Team is unable to provide support on the proper configuration of MySQL for SSL or the creation of certificates.

Server Setup

  1. Check to see if MySQL has SSL enabled with the query: show variables like '%ssl%';
    1. If the result is “Disabled”, the version of MySQL that is being used supports SSL and you can continue.
    2. If the result is “Yes”, SSL is already active on this instance of MySQL.
    3. If the result is “No”, the server is on a version of MySQL prior to 5.5 and should be updated.
  2. Install OpenSSL if it is not already installed on the server (it will be pre-installed on most Linux server distributions). On Windows, OpenSSL can be downloaded here: http://slproweb.com/products/Win32OpenSSL.html

Creating Certificates

Important: You will be prompted 3 times during this process to enter a ‘Common Name’ for the cert that you are creating. It is imperative that you use different names for each (e.g. ca, server, client).

The following instructions will allow you to create certificates on the command line using the ‘openssl’ command. The output of these commands will be in your present working directory unless otherwise specified in your arguments. On Windows, these commands must be executed from the bin directory of OpenSSL (by default C:\openssl-win32\bin); on Linux they can be executed from any directory. You can find an explanation of the arguments being used at the end of this article. If you receive a "Warning: can't open config file:" message when attempting the commands below, run the following command to declare the location of the SSL config file: set openssl_conf=c:\directory\of\config\file\openssl.cfg

            Generate a CA key and certificate

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem

After this command you will be asked for:

  • Country Name
  • State
  • City
  • Company Name
  • Org Unit Name
  • Common Name (see the note at the beginning of this section)
  • Email address

It is okay to skip Org unit and email.

            Generate a server key

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem

After this command you will be asked for the same information as when creating the CA certificate. Remember to use a different common name and do not create a challenge password.

            Convert Server key to RSA

openssl rsa -in server-key.pem -out server-key.pem          

            Generate a server certificate

openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

            Generate client key

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem

After this command you will be asked for the same information as when creating the CA certificate. Remember to use a different common name and do not create a challenge password.       

            Convert client key to RSA

openssl rsa -in client-key.pem -out client-key.pem

            Generate client certificate

openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

            Verifying that the certificates match

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
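
The script below is an added example, not part of the original article or of SunLync. It checks the finished files in one pass: the three Common Names differ, each private key belongs to its certificate, and both certificates chain to the CA. The function names are hypothetical, and it assumes the file names used above sit in one directory and that openssl is on the PATH.

```sh
#!/bin/sh
# Added example (not SunLync code): sanity-check the six .pem files created above.
# Usage: sh check_certs.sh /path/to/pem/directory

# Print a certificate's Common Name; RFC2253 formatting is the same across OpenSSL versions.
# Assumes the CN itself contains no comma.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

check_mysql_certs() {
    dir=$1
    ca_cn=$(cert_cn "$dir/ca-cert.pem")
    server_cn=$(cert_cn "$dir/server-cert.pem")
    client_cn=$(cert_cn "$dir/client-cert.pem")
    if [ -z "$ca_cn" ] || [ -z "$server_cn" ] || [ -z "$client_cn" ]; then
        echo "FAIL: could not read a Common Name from every certificate" >&2
        return 1
    fi
    # The three names must differ, as the note at the top of this section requires.
    if [ "$ca_cn" = "$server_cn" ] || [ "$ca_cn" = "$client_cn" ] ||
       [ "$server_cn" = "$client_cn" ]; then
        echo "FAIL: Common Names are not distinct ($ca_cn / $server_cn / $client_cn)" >&2
        return 1
    fi
    for name in server client; do
        if ! key_matches_cert "$dir/$name-key.pem" "$dir/$name-cert.pem"; then
            echo "FAIL: $name-key.pem does not match $name-cert.pem" >&2
            return 1
        fi
    done
    # Same chain check as 'openssl verify' above, but the exit status is acted on.
    if ! openssl verify -CAfile "$dir/ca-cert.pem" \
            "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1; then
        echo "FAIL: server or client certificate does not chain to ca-cert.pem" >&2
        return 1
    fi
    echo "OK: CA=$ca_cn server=$server_cn client=$client_cn"
}

if [ "$#" -gt 0 ]; then check_mysql_certs "$1"; fi
```

Run it before copying the files to the MySQL server and the client, so that a mismatched key or a reused Common Name is caught before MySQL is restarted.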

MySQL Setup

  1. After creating the SSL certificates and keys, move server-cert.pem, ca-cert.pem, and server-key.pem to their destination folder and add or uncomment the following lines in the [mysqld] section of my.cnf or my.ini:

ssl-cert = path/to/server-cert.pem

ssl-ca = path/to/ca-cert.pem

ssl-key = path/to/server-key.pem

  2. Create a MySQL user with SSL required using the query:

grant [privileges] on [databases] to [username]@'%' identified by '[password]' require ssl;

  3. Restart MySQL
  4. Recheck SSL status using the query:

show variables like '%ssl%';

     Where you were previously seeing “disabled” you should now see “yes”.

Client Setup

  1. Transfer client-key.pem and client-cert.pem to their destination on the client computer.
  2. Make sure that there is a copy of ssleay32.dll and libeay32.dll in both \sunlync and \sunlync\config.
  3. Launch the Setup MySQL app and enter the server information using the new SSL user credentials.
  4. Enter the path of client-key.pem and client-cert.pem in the fields labeled SSL Key and SSL Certificate, respectively.
  5. Test Connection
    1. The result should be a message box telling you that the connection is okay and you should now see the phrase “SSL ACTIVATED” at the bottom of the screen.

When you start SunLync you should now see the SSL lock logo on the login page.

OpenSSL arguments

  • genrsa – generates a private RSA key.
  • newkey rsa – creates a new RSA cert and key request
  • verify – X.509 certificate verification
  • x509 – outputs a self-signed certificate
  • nodes – stops openssl from encrypting the key
  • days – the number of days to certify the certificate for
  • key – specifies the key to be used to create the certificate
  • newkey – used to generate a new key
  • CAkey – specifies the certificate authority key to use
  • in – the input for the preceding command
  • out – the output of the preceding command
  • set_serial – the serial number to use for a self-signed certificate.

Additional Information

For troubleshooting issues with SSL, see the document “SSL Troubleshooting”.

If you are interested in verifying that SSL encryption is functioning by viewing the packets being sent, see the document “Verifying SSL with TShark”.
