MySQL

The MySQL service authenticator processes connection requests to a MySQL database.

To secure connections, we support all the MySQL SSL options you're familiar with. For details, see the sslmode option.

Unlike most clients, Secretless defaults sslmode to require, since nearly all use cases require TLS. If you do need to turn it off, and know you can do so safely, you can.

Configure the service authenticator

In the credentials section of the Secretless Broker YAML configuration file, specify where to find your database connection details. This includes where to find your database's host, port, username, and password, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:

| Option | Description | Required |
|---|---|---|
| host | Host name of the MySQL server | Required |
| port | Port of the MySQL server | Required |
| username | Username of the MySQL account | Required |
| password | Password of the MySQL account | Required |
| sslmode | This option determines if the connection between Secretless Broker and your database will be protected by SSL. For details on the supported values of this parameter, see supported SSL modes. | Optional (Default setting is require) |
| sslcert | The content of this parameter specifies the client SSL certificate in PEM format. This parameter is ignored if an SSL connection is not made. Corresponds to ssl-cert. | Optional |
| sslrootcert | The content of this parameter specifies the SSL certificate authority (CA) certificate(s) in PEM format. If present, the server's certificate will be verified to be signed by one of these authorities. Corresponds to ssl-ca. | Optional |
| sslkey | The content of this parameter specifies the secret key used for the client certificate. This parameter is ignored if an SSL connection is not made. Corresponds to ssl-key. | Optional |

You must supply a valid value for port in the MySQL service authenticator configuration. A missing or invalid port will cause the Secretless Broker to error; please see the troubleshooting section for more information.

The MySQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

There are five modes:

| Mode | Description |
|---|---|
| disable | Corresponds to DISABLED. Only try a non-SSL connection. |
| require | Default. Corresponds to REQUIRED. Only try an SSL connection. As is the MySQL standard, if a root CA file is present in this mode, no verification of the server certificate will be done, despite a CA certificate option being specified. |
| verify-ca | Corresponds to VERIFY_CA. Only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA). |

The optional SSL configuration parameters sslcert, sslkey, sslrootcert, and sslcrl may be necessary if sslmode is set to require, verify-ca, or verify-full. The particular values needed depend on your use case; more information on these parameters can be found in the MySQL documentation.
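The following is an added example, not code from the Secretless Broker project: a small lint over an already-resolved credentials mapping that flags the pitfalls described above, in particular that sslmode=require does not verify the server certificate even when sslrootcert is supplied. The function name, the sample values, and the choice to accept only the mode names mentioned on this page are assumptions.

```python
# Added example: lint for a Secretless MySQL credentials mapping (not project code).
REQUIRED = ("host", "port", "username", "password")
# Mode names mentioned on this page; anything else is reported as unknown (assumption).
KNOWN_MODES = {"disable", "require", "verify-ca", "verify-full"}


def lint_mysql_credentials(creds):
    """Return a list of (severity, message) findings for resolved credential values."""
    findings = []
    for opt in REQUIRED:
        if not str(creds.get(opt, "")).strip():
            findings.append(("error", f"missing required option: {opt}"))

    port = str(creds.get("port", "")).strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("error", f"invalid port: {port!r}"))

    mode = creds.get("sslmode") or "require"  # the page states the default is require
    has_ca = bool(creds.get("sslrootcert"))
    if mode not in KNOWN_MODES:
        findings.append(("error", f"unknown sslmode: {mode!r}"))
    elif mode == "disable":
        findings.append(("warn", "sslmode=disable: connection to MySQL is not encrypted"))
        for opt in ("sslcert", "sslkey"):
            if creds.get(opt):
                findings.append(("warn", f"{opt} is ignored when no SSL connection is made"))
    elif mode == "require" and has_ca:
        findings.append(("warn", "sslmode=require: sslrootcert is set but the server "
                                 "certificate is NOT verified; use verify-ca"))
    elif mode in ("verify-ca", "verify-full") and not has_ca:
        findings.append(("warn", f"sslmode={mode} without sslrootcert: confirm which CA is trusted"))

    if bool(creds.get("sslcert")) != bool(creds.get("sslkey")):
        findings.append(("warn", "sslcert and sslkey should be supplied together"))
    return findings


# Constructed sample values, for illustration only.
SAMPLE_WEAK = {"host": "db.example.internal", "port": "3306", "username": "app",
               "password": "constructed-placeholder", "sslmode": "require",
               "sslrootcert": "-----BEGIN CERTIFICATE-----\n(constructed)\n"}
SAMPLE_FIXED = dict(SAMPLE_WEAK, sslmode="verify-ca")

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, lint_mysql_credentials(sample))
```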

Examples

See also

Troubleshoot Service Authenticators