Configuring a TLS connection between nevisProxy and MariaDB
=========
In certain cases, the unencrypted connection between a nevisProxy node and a remote MariaDB session store can compromise security. To mitigate this risk, MariaDB allows encrypting data in transit between the server and its clients with the TLS protocol. The following page on the MariaDB website describes how to enable a TLS connection (one-way or mutual) between a MariaDB server and a client: https://mariadb.com/kb/en/securing-connections-for-client-and-server/
Configuring a TLS connection between nevisProxy and MariaDB requires changes not only on the server side and to the database user, but also on the client side. Proceed as follows:
- Create the necessary certificates as well as the MariaDB client configuration file on the host running nevisProxy, according to the instructions on the MariaDB website. See also the following code sample:

```ini
[client-mariadb]
...
ssl_cert = /etc/my.cnf.d/certificates/client-cert.pem
ssl_key = /etc/my.cnf.d/certificates/client-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
```
- Reference the MariaDB client configuration file through the dbclient_cfg_file connection key: add this key-value pair to the ConnectString parameter of the MySQLSessionStoreServlet. For example:

```xml
<init-param>
    <param-name>ConnectString</param-name>
    <param-value>//nevisproxy-db:3306/remote_session_store?dbclient_cfg_file=/etc/my.cnf.d/nevisproxy.cnf</param-value>
</init-param>
```
- Restart nevisProxy to apply the changes.
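The following preflight check ties the steps above together. It is an added example, not nevisProxy or MariaDB code: it parses a ConnectString for the dbclient_cfg_file key, reads the ssl_* options of the [client-mariadb] group from the client configuration file, and reports what is missing before nevisProxy is restarted. The function names, the finding texts and the injectable exists/mode_of callbacks are this example's own assumptions; the sample ConnectString and option file are constructed copies of the snippets on this page.

```python
"""Preflight check for the nevisProxy -> MariaDB TLS client configuration.

Added example; function names and checks are assumptions of this example,
not part of nevisProxy or MariaDB.
"""
import configparser
import os
import stat
from urllib.parse import parse_qs, urlsplit

# Constructed sample values mirroring the snippets on the page.
SAMPLE_CONNECT_STRING = (
    "//nevisproxy-db:3306/remote_session_store"
    "?dbclient_cfg_file=/etc/my.cnf.d/nevisproxy.cnf"
)
SAMPLE_CLIENT_CNF = """\
[client-mariadb]
ssl_cert = /etc/my.cnf.d/certificates/client-cert.pem
ssl_key = /etc/my.cnf.d/certificates/client-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
"""

# ssl_ca lets the client verify the server certificate; the cert/key pair
# lets the server verify the client (mutual TLS).
REQUIRED_TLS_KEYS = ("ssl_ca", "ssl_cert", "ssl_key")


def parse_connect_string(connect_string):
    """Split a MySQLSessionStoreServlet ConnectString into host, port, db and options."""
    parts = urlsplit("mysql:" + connect_string)  # prefix a scheme so urlsplit sees a netloc
    options = {key: values[-1] for key, values in parse_qs(parts.query).items()}
    return parts.hostname, parts.port, parts.path.lstrip("/"), options


def tls_options_from_cnf(cnf_text, group="client-mariadb"):
    """Return the ssl* options of one option group (None if the group is absent).

    MariaDB accepts ssl-ca and ssl_ca spellings, bare flags such as 'ssl'
    without a value, and '!include' directives, so the parser tolerates these.
    """
    cleaned = "\n".join(line for line in cnf_text.splitlines()
                        if not line.lstrip().startswith("!"))
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.optionxform = str.lower
    parser.read_string(cleaned)
    if not parser.has_section(group):
        return None
    return {key.replace("-", "_"): value
            for key, value in parser.items(group)
            if key.replace("-", "_").startswith("ssl")}


def check_tls_client_config(connect_string, cnf_text, exists=os.path.isfile,
                            mode_of=lambda p: stat.S_IMODE(os.stat(p).st_mode)):
    """Return a list of findings; an empty list means the client setup looks complete.

    exists/mode_of are injectable so the check can run over constructed input
    without touching the real file system.
    """
    findings = []
    _, _, _, options = parse_connect_string(connect_string)
    cfg_path = options.get("dbclient_cfg_file")
    if cfg_path is None:
        findings.append("ConnectString has no dbclient_cfg_file key; the TLS options are never read")
    elif not exists(cfg_path):
        findings.append(f"dbclient_cfg_file {cfg_path} does not exist")

    tls = tls_options_from_cnf(cnf_text)
    if tls is None:
        findings.append("option group [client-mariadb] is missing from the client configuration")
        return findings
    for key in REQUIRED_TLS_KEYS:
        path = tls.get(key)
        if not path:
            findings.append(f"{key} not set" + (" (server certificate cannot be verified)"
                                                if key == "ssl_ca" else ""))
        elif not exists(path):
            findings.append(f"{key} file {path} does not exist")
        elif key == "ssl_key" and mode_of(path) & 0o077:
            findings.append(f"{key} file {path} is readable by group or others")
    return findings


if __name__ == "__main__":
    # Against the real file system the sample paths will usually not exist,
    # so expect findings about missing files here.
    for finding in check_tls_client_config(SAMPLE_CONNECT_STRING, SAMPLE_CLIENT_CNF):
        print("WARNING:", finding)
```

Run it on the host running nevisProxy after copying the certificates and writing the option file; the private key check flags a client-key.pem that is readable by other accounts, which is the usual mistake when certificates are copied across hosts.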