How do you specify a different keystore alias for the MySQL SSL connection and the Tomcat SSL connection?

I have a CentOS 7 server on which I am installing Jira Core (will expand to include Service Desk and Software later). I have a CA-signed wildcard SSL certificate for my domain that I am trying to configure with Tomcat. I also have a remote MySQL server configured for SSL connections (self-signed).

Looking at the documentation https://confluence.atlassian.com/jirakb/configuring-jira-to-connect-to-mysql-via-ssl-280691010.html and https://confluence.atlassian.com/jira064/running-jira-over-ssl-or-https-720411727.html, it seems that Tomcat and MySQL JDBC are using the settings from server.xml for port 8443.

I started off configuring MySQL for SSL, which worked fine. I then went through the steps in https://confluence.atlassian.com/jira064/running-jira-over-ssl-or-https-720411727.html and https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html to use my CA-signed cert for Tomcat. At this point the web session is working on 8443, but it seems that it's using the wrong SSL cert or something for MySQL, because I keep getting an error that access was denied to mysql using password yes.

I thought that the MySQL-specific SSL settings would be in the dbconfig.xml file, but I can't find any options for that.

I may have asked the wrong question, but I hope I explained my problem well enough for you to see what I'm trying to accomplish.

2 answers

0 votes

Hi Jeff,

Are you seeing a message similar to the following:

Access denied for user 'branden'@'192.168.2.82'(using password: YES)

I normally see this when attempting to access MySQL from a computer other than the one it's set up on. In light of that, there is a MySQL knowledge base article that may assist with this error, titled Troubleshooting Problems Connecting to MySQL:

If you get the following error, it means that you are using an incorrect password:

If the preceding error occurs even when you have not specified a password, it means that you have an incorrect password listed in some option file. Try the --no-defaults option as described in the previous item.

Please review Troubleshooting Problems Connecting to MySQL in its entirety and you should be able to get around this.

Cheers,

Branden

It's been a while and the issue has probably been fixed, but as far as I understand, the issue is that Jira can't connect to MySQL over SSL, while the articles mentioned explain how to import an SSL certificate so that Jira can be accessed over https by users.

MySQL has its own SSL-related properties that can be passed either via the JDBC URL or through the code as connection properties.

As the second approach is not viable (you can't modify Jira source code), you have to add certain parameters to the JDBC URL.

That page explains them in detail: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html

but you need useSSL, requireSSL, verifyServerCertificate, clientCertificate[all of them] and trustCertificate[all of them] if you use a self-signed server certificate.

Follow the JKS/PKCS12 keystore procedure described in the articles you have mentioned to generate the keystore and truststore files.

The "access denied" error is quite misleading, as the real reason is that the SSL handshake can't be completed if SSL is forced on the MySQL server side. Spent half a day fighting it.
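The following is an added example, not code from either answer or from Atlassian: it builds a dbconfig.xml JDBC URL carrying the Connector/J 5.1 SSL properties named above (with `&` escaped as `&amp;` for XML) and audits a dbconfig.xml for missing or weakened ones. It assumes the URL sits at `jdbc-datasource/url`, expands the two "[all of them]" groups to the `KeyStoreUrl`/`KeyStoreType`/`KeyStorePassword` properties, and uses placeholder host, paths and passwords; these keystore files are independent of the keystore Tomcat's connector uses in server.xml.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

# Properties named in the answer; the "[all of them]" groups are expanded to
# Connector/J 5.1's KeyStoreUrl / KeyStoreType / KeyStorePassword properties.
MUST_BE_TRUE = ["useSSL", "requireSSL", "verifyServerCertificate"]
STORE_PROPS = [f"{side}CertificateKeyStore{part}"
               for side in ("trust", "client")
               for part in ("Url", "Type", "Password")]

# Constructed sample values: paths and passwords are placeholders (assumptions).
SSL_PROPS = {
    "useSSL": "true", "requireSSL": "true", "verifyServerCertificate": "true",
    "trustCertificateKeyStoreUrl": "file:///opt/jira-db-tls/truststore.jks",
    "trustCertificateKeyStoreType": "JKS",
    "trustCertificateKeyStorePassword": "CHANGE_ME",
    "clientCertificateKeyStoreUrl": "file:///opt/jira-db-tls/keystore.jks",
    "clientCertificateKeyStoreType": "JKS",
    "clientCertificateKeyStorePassword": "CHANGE_ME",
}

def build_dbconfig(host, db, props):
    """Return a minimal dbconfig.xml whose <url> has '&' escaped as '&amp;'."""
    query = "&".join(f"{k}={v}" for k, v in props.items())
    url = escape(f"jdbc:mysql://{host}:3306/{db}?{query}")
    return (f"<jira-database-config><jdbc-datasource><url>{url}</url>"
            "</jdbc-datasource></jira-database-config>")

def audit_dbconfig(xml_text):
    """Return findings for the SSL properties of the JDBC URL in dbconfig.xml."""
    url = ET.fromstring(xml_text).findtext("jdbc-datasource/url", default="")
    params = {k: v[-1] for k, v in parse_qs(url.partition("?")[2]).items()}
    findings = [f"{p} is not 'true'" for p in MUST_BE_TRUE
                if params.get(p, "").lower() != "true"]
    findings += [f"{p} is missing" for p in STORE_PROPS if p not in params]
    return findings

if __name__ == "__main__":
    doc = build_dbconfig("db.example.internal", "jiradb", SSL_PROPS)
    print(doc)
    print(audit_dbconfig(doc))  # complete configuration: no findings
    weak = dict(SSL_PROPS, verifyServerCertificate="false")
    print(audit_dbconfig(build_dbconfig("db.example.internal", "jiradb", weak)))
```

With a self-signed MySQL server certificate, `verifyServerCertificate=true` only succeeds when that certificate (or its issuing CA) has been imported into the truststore named by `trustCertificateKeyStoreUrl`.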
