How do you specify a different keystore alias for the MySQL SSL connection and the Tomcat SSL connection?

I have a CentOS 7 server on which I am installing Jira Core (will expand to include Service Desk and Software later). I have a CA-signed wildcard SSL certificate for my domain that I am trying to configure with Tomcat. I also have a remote MySQL server configured for SSL connections (self-signed).

Looking at the documentation  and  It seems that Tomcat and MySQL JDBC are using the settings from server.xml for port 8443. 

I started off configuring MySQL for SSL which worked fine. I then went through the steps and  to use my CA signed cert for Tomcat. At this point the web session is working in 8443 but it seems that it's using the wrong SSL cert or something for MySQL because I keep getting an error that access was denied to mysql using password yes.

I thought that the MySQL-specific SSL settings would be in the dbconfig.xml file, but I can't find any options for that.

I may have asked the wrong question, but I hope I explained my problem well enough for you to see what I'm trying to accomplish.

2 answers

0 votes

Hi Jeff,

Are you seeing a message similar to the following:

Access denied for user 'branden'@''(using password: YES)

I normally see this when attempting to access MySQL from a computer other than the one it's set up on. In light of that, there is a MySQL knowledge base article that may assist with this error, titled Troubleshooting Problems Connecting to MySQL:

If you get the following error, it means that you are using an incorrect password:

If the preceding error occurs even when you have not specified a password, it means that you have an incorrect password listed in some option file. Try the --no-defaults option as described in the previous item.

Please review Troubleshooting Problems Connecting to MySQL in its entirety and you should be able to get around this.



It's been a while and probably the issue has been fixed, but as far as I understand, the issue is that Jira can't connect to MySQL over SSL, while the articles mentioned explain how to import an SSL certificate so that Jira can be accessed over HTTPS by users.

MySQL has its own SSL-related properties that can be passed either via the JDBC URL or through the code as connection properties.

As the second approach is not viable (you can't modify Jira source code), you have to add certain parameters to the JDBC URL.

That page explains them in detail - 

but you need useSSL, requireSSL, verifyServerCertificate, clientCertificate[all of them] and trustCertificate[all of them] if you use a self signed server certificate.

Follow the JKS/PKCS12 keystore procedure described in the articles you have mentioned to generate the keystore and truststore files.

The "access denied" error is quite misleading, as the real reason is that the SSL handshake can't be completed if SSL is forced on the MySQL server side. Spent half a day fighting it.
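
Added example, not part of the original answers and not Atlassian's or MySQL's code: a small Python check that reads a dbconfig.xml, extracts the JDBC URL, and reports which of the SSL properties named above are missing. It assumes Connector/J 5.1-style property names (`trustCertificateKeyStoreUrl` and so on) and the usual `jira-database-config/jdbc-datasource/url` layout; the host, paths and password in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Assumed Connector/J 5.1-style names. The keystore properties belong to the
# JDBC connection only, so they can point at different files than the
# keystore Tomcat's server.xml uses for port 8443.
REQUIRED = {"useSSL": "true", "requireSSL": "true", "verifyServerCertificate": "true"}
TRUST = ["trustCertificateKeyStoreUrl", "trustCertificateKeyStoreType",
         "trustCertificateKeyStorePassword"]
CLIENT = ["clientCertificateKeyStoreUrl", "clientCertificateKeyStoreType",
          "clientCertificateKeyStorePassword"]

# Constructed sample dbconfig.xml. Note that '&' must be written as '&amp;'
# inside the XML <url> element.
SAMPLE = """<jira-database-config>
  <jdbc-datasource>
    <url>jdbc:mysql://db.example.internal:3306/jiradb?useUnicode=true&amp;useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file:/opt/jira-ssl/mysql-truststore.jks&amp;trustCertificateKeyStoreType=JKS&amp;trustCertificateKeyStorePassword=CHANGEME</url>
  </jdbc-datasource>
</jira-database-config>"""

def audit_dbconfig(xml_text, need_client_cert=False):
    """Return a list of problems with the JDBC URL's SSL properties."""
    url = ET.fromstring(xml_text).findtext("./jdbc-datasource/url")
    if not url or not url.startswith("jdbc:mysql://"):
        return ["no jdbc:mysql URL found"]
    # Drop the 'jdbc:' prefix so urlsplit sees an ordinary scheme://host URL.
    query = urlsplit(url[len("jdbc:"):]).query
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems = []
    for key, want in REQUIRED.items():
        if params.get(key, "").lower() != want:
            problems.append(f"{key} should be {want}")
    # Client keystore properties only matter when the server demands a client cert.
    for key in TRUST + (CLIENT if need_client_cert else []):
        if not params.get(key):
            problems.append(f"{key} is missing")
    return problems

if __name__ == "__main__":
    for line in audit_dbconfig(SAMPLE, need_client_cert=True):
        print(line)
```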
