MySQL SSL and Docker - Mirth Community

#1
11-15-2019, 07:40 AM
wtt235
What's HL7?
Join Date: Oct 2019
Posts: 3

MySQL SSL and Docker

We are attempting to enforce SSL connections between a Mirth container (the image is based off the official docker source code here https://github.com/nextgenhealthcare/connect-docker) and an Azure MySQL database. However, when we enable SSL on the MySQL server and force SSL connections via the JDBC connection url in mirth.properties, Mirth fails to connect. If we disable SSL on the MySQL server, Mirth connects just fine.

Microsoft provides some documentation about enabling SSL connections here https://docs.microsoft.com/en-us/azu...-configure-ssl.

They provide a .pem cert that we assume needs to be imported somewhere in the container that is running Mirth. We've been trying to follow instructions (https://dev.mysql.com/doc/connector-...using-ssl.html) for importing a cert into the keystore that's in /appdata, and we've tried using an example connection url (https://www.mirthproject.org/communi...ight=mysql+ssl), but we have still been unsuccessful.

We are not confident that we are importing the .pem cert properly, and the example connection url found in the thread mentioned earlier is confusing. Can we get some help?
#2
11-15-2019, 08:48 AM
agermano
Mirth Guru
Join Date: Apr 2017
Location: Indiana, USA
Posts: 1,028

The Microsoft doc says that's a CA Cert, so it needs to go into your truststore, not your keystore (this is a public key that you need to trust.)

Mirth uses your system truststore by default, which is in different places depending on several factors including OS and JRE.

Alternatively, according to the mysql doc you linked, it looks like you can create a new truststore specifically for this connection, and specify the location in your JDBC url by adding properties
Code:
clientCertificateKeyStoreUrl=file:path_to_truststore_file
clientCertificateKeyStorePassword=mypassword
#3
11-15-2019, 08:59 AM
agermano
Mirth Guru
Join Date: Apr 2017
Location: Indiana, USA
Posts: 1,028

Actually, I think there's a typo in that document. The properties should be trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword. You may also want to use trustCertificateKeyStoreType and set the type to PKCS12 (also when you create the truststore use that type.)

https://dev.mysql.com/doc/connector-...roperties.html
#4
11-15-2019, 09:11 AM
agermano
Mirth Guru
Join Date: Apr 2017
Location: Indiana, USA
Posts: 1,028

https://docs.oracle.com/cd/E19509-01...fhb/index.html

Here's how to create a pkcs12 keystore/truststore from the .pem file using openssl.

Basically,
Code:
# The .pem here holds only the CA certificate (no private key), so -nokeys is needed; without it the export fails looking for a key
openssl pkcs12 -export -nokeys -in mykeycertificate.pem.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter
#5
11-15-2019, 09:12 AM
wtt235
What's HL7?
Join Date: Oct 2019
Posts: 3

For context, we are running the containers on Linux nodes, and the Dockerfile we are using is based off of https://github.com/nextgenhealthcare...ter/Dockerfile.
#6
11-15-2019, 09:19 AM
agermano
Mirth Guru
Join Date: Apr 2017
Location: Indiana, USA
Posts: 1,028

Sorry, you said that in your original post and I glazed right over that. In this case, I would probably go with creating the separate truststore, because it will be easier to add that file, either through a custom Dockerfile or using a docker volume, than to try to update the system truststore stored in the container.
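Putting posts #3, #4 and #6 together, this is an added example (not code from the thread, from Mirth or from NextGen) of the separate-truststore approach: build a PKCS12 truststore from a CA .pem with openssl, sanity-check it, and assemble the JDBC URL for mirth.properties. The self-signed test CA is a constructed stand-in for the Azure CA .pem, the server name and the in-container path are assumptions, and `database.url` is the mirth.properties key the URL goes into.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mirth/NextGen: turn a CA
# certificate .pem into a PKCS12 truststore and build the JDBC URL that makes
# Connector/J verify the MySQL server against it. Needs only openssl.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed stand-in for the Azure CA .pem: a throwaway self-signed CA.
# In real use skip this and point at the .pem file Microsoft publishes.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
  printf '%s\n' "$WORKDIR/ca.pem"
}

# A truststore holds certificates only, hence -nokeys; -export without it
# tries to read a private key from the .pem and fails on a CA-only file.
build_truststore() {
  ca_pem=$1; out=$2; password=$3
  openssl pkcs12 -export -nokeys -in "$ca_pem" -out "$out" -passout "pass:$password"
  printf '%s\n' "$out"
}

# Sanity check before COPYing the file into an image: how many certs got in?
truststore_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# JDBC URL for mirth.properties. verifyServerCertificate=true is the property
# that actually consults the truststore; useSSL/requireSSL alone only encrypt
# and accept any server certificate (Connector/J 8 spells the same intent as
# sslMode=VERIFY_CA). The path is wherever the custom Dockerfile puts the file.
jdbc_url() {
  host=$1; db=$2; truststore=$3; password=$4
  printf 'jdbc:mysql://%s:3306/%s?useSSL=true&requireSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:%s&trustCertificateKeyStoreType=PKCS12&trustCertificateKeyStorePassword=%s\n' \
    "$host" "$db" "$truststore" "$password"
}

main() {
  ca=$(make_test_ca)
  ts=$(build_truststore "$ca" "$WORKDIR/azure-mysql-truststore.p12" changeit)
  echo "truststore holds $(truststore_cert_count "$ts" changeit) certificate(s)"
  echo "database.url = $(jdbc_url myserver.mysql.database.azure.com mirthdb "$ts" changeit)"
}
main
```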
#7
11-15-2019, 11:41 AM
wtt235
What's HL7?
Join Date: Oct 2019
Posts: 3

We are attempting to go the custom Dockerfile route.