I have been looking into using X.509 certificate-based authentication for Ignition DB connections to MySQL, but I can’t seem to find much of anything on that topic in the Ignition documentation or the forums.
It is already working with SSL/TLS but without using a certificate on the client side (the client being Ignition). In this case in MySQL the DB user would have REQUIRE SSL. Therefore all data going across is encrypted but the authentication is just by username and password.
It would also be nice to have the capability to require a client certificate to authenticate Ignition as the DB client. (MySQL user with REQUIRE X509).
I have found some forum postings on other forums on how to install and use client certificates in JDBC connections, but these specifically relate to Oracle Java JDK 1.6 and later.
This approach could be possible with Ignition 7 and earlier, but with Ignition 8 moving to Azul Systems Java, I’m not sure how relevant those procedures would be for Ignition 8.
From what I can tell, Ignition 8 install only installs the Azul Java runtime, without any development kit.
So my questions are:
Is there a way to install a client certificate in the Azul Java certificate store with only the Java runtime installed?
If not, is there an available development kit or other tools that would make this possible?
Is there something built into Ignition that I have missed, that would allow this?
When you get to it, you probably want to use the option where you configure the keystore and password via the connection properties rather than Java system properties.
Most of what you’ve found reference to is for installing the MySQL server certificate into the trusted CA list so that a connection can be made and the server certificate is considered trusted even though it’s self-signed or signed by a private CA. This is also still possible in Ignition 8 via the supplemental certificates functionality but it’s not the same thing as setting up a client certificate (you’ll probably need to do both).
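The client-keystore setup discussed in the reply above, as an added example that is not part of the original thread or of any vendor documentation: it builds a PKCS#12 client keystore with OpenSSL alone and prints MySQL Connector/J connection properties that reference it. The CA, subject names, alias, file names and the semicolon-separated property layout are assumptions made for illustration; trust in the server certificate is configured separately, as the reply notes.

```shell
#!/bin/sh
# Added example: PKCS#12 client keystore for a MySQL account with REQUIRE X509.
# CA, subject names, alias and file names are constructed for illustration.
set -eu

make_client_keystore() {   # usage: make_client_keystore <dir> <client-CN>
  : "${KS_PASS:?export KS_PASS with the keystore password first}"
  mkdir -p "$1"
  (
    cd "$1"
    umask 077   # keys and keystore readable by the owner only
    # Constructed private CA. In practice, sign the client certificate with
    # the CA that the MySQL server already trusts (its ssl_ca setting).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Example DB CA" -keyout ca-key.pem -out ca.pem
    # Client key and signing request, then the CA-signed client certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout client-key.pem -out client.csr
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -days 365 -out client-cert.pem
    # Fail early if the certificate does not chain to the CA.
    openssl verify -CAfile ca.pem client-cert.pem
    # Bundle key + certificate; the password comes from the environment so
    # it never shows up in the process list.
    openssl pkcs12 -export -name ignition-client \
      -inkey client-key.pem -in client-cert.pem -certfile ca.pem \
      -out client.p12 -passout env:KS_PASS
    rm -f client-key.pem client.csr   # the key now lives only in client.p12
  )
}

connection_properties() {  # usage: connection_properties <absolute path to client.p12>
  # Property names are MySQL Connector/J's; the password is a placeholder.
  printf '%s;' \
    "useSSL=true" "requireSSL=true" "verifyServerCertificate=true" \
    "clientCertificateKeyStoreUrl=file:$1" \
    "clientCertificateKeyStoreType=PKCS12" \
    "clientCertificateKeyStorePassword=<keystore password>"
}
```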
Thanks Kevin, I haven’t seen that particular MySQL documentation yet; I will have a look. You are right, I am trying to use a self-signed certificate. I created a server and client certificate using OpenSSL. As for the supplemental certificate functionality in Ignition 8, could you point me to any documentation on that? I haven’t run across that in the Ignition online documentation or the training videos.
I’ve recently updated my MariaDB to 10.4.11 and Ignition to 8.0.7 for testing. The test machine is Windows. Previously I had SSL working with Ignition and MariaDB. My connection flags looked something like (my jks files are in a folder parallel to the Ignition install folder):
Should not need the trustServerCertificate flag, but tried with “trustServerCertificate=true” as well, which might be required with newer Java (9 or higher) if the certificate authority is self-signed or the subject alternative name in the database server cert does not have a server name or IP address that matches.
Anyway, I cannot connect to my database anymore even if I remove the subject/issuer restrictions and just indicate that any SSL is required on the account and use “UseSSL=true” on the connection string. If I remove SSL requirement on the account then it connects fine.
Debugging the network connection indicates that the MySQL connector client is not using the SSL flag, which causes everything to fail. I know the server works, as my other clients HeidiSQL and DataGrip can connect with SSL enabled. DataGrip is Java and I’ve tried to use the same official MariaDB Connector/J in both apps, and Ignition still doesn’t work with that account.
Anyway, I do think something changed, but since I upgraded MariaDB at the same time I am not sure exactly what is wrong, but it seems more likely to be Ignition. It’s been 9 months since I’ve touched Ignition, so probably 8.0.0 was what I used previously. Still troubleshooting, but thought I’d post since I saw this.