GBase8a SSL 配置
GBase8a MPP Cluster 支持 SSL 标准协议, SSL 协议是一种安全性更高的协议标准, 它加入了数字签名和数字证书来实现客户端和服务器的双向身份验证,保证了通信双方更加安全的数据传输。
配置客户端使用 SSL 安全连接的方式连接到 GBase8a MPP Cluster 数据库集群的配置总体流程如下:
生成 SSL 连接证书 ==> server 配置 ==> client 配置
- 生成 SSL 连接证书
在集群 server 端的系统中, 根据需要选择生成 SSL 密钥的目录, 下面以 GBase8a 的安装目录下的 ssl 目录保存相关文件为例进行配置说明。
1.1 在 server 上操作生成 server 端的密钥和证书
step1:
su - gbase
$ mkdir -p /opt/gbase8a/ssl # /opt/gbase8a 是我的GBase8a安装目录,在安装目录下有权限创建 ssl 目录
$ cd /opt/gbase8a/ssl
后续的证书也秘钥生成过程中,需要填写一些信息,我除了 Country Name 填写 CN,password 填写 123456 外,其他都未填写直接回车了,项目中可以根据实际情况填写。
step2:
生成 ca-cert.pem, 需要填写 Country Name 等信息
$ openssl req -sha1 -new -x509 -nodes -days 3650 -keyout ca-key.pem > ca-cert.pem
You are about to be asked to enter information that will be incorporated into your certificate request.
......
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
执行完毕,会生成两个文件:ca-cert.pem 和 ca-key.pem
step3:
生成服务端密钥, 同样填写一些信息, password 部分( A challenge password []: ) 建议填写复杂一些的密码
$ openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
Generating a 2048 bit RSA private key
......
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
执行完毕,会生成两个文件:server-key.pem 和 server-req.pem
step4:
将 server-key.pem 导出为 RSA 类型:
$ openssl rsa -in server-key.pem -out server-key.pem
step5:
生成服务端证书 server-cert.pem
$ openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
ssl 证书相关查看命令:
openssl rsa -in server-key.pem -text #查看证书私钥文件中的私钥和公钥信息
openssl x509 -in server-cert.pem -noout -text #查看证书详细信息
1.2 在 server 上操作生成 client 端的密钥和证书
step1:
在同一目录下, 生成 client 端的密钥和证书, 生成密钥, 输入信息与 server 端相同。
$ openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
Generating a 2048 bit RSA private key
......
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
会生成两个文件:client-key.pem 和 client-req.pem
step2:
将 client-key.pem 导出为 RSA 类型
$ openssl rsa -in client-key.pem -out client-key.pem
step3:
生成 client-cert.pem
$ openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
前面所有过程总共生成的8个文件:
ca-key.pem:CA 私钥, 用于生成服务器端/客户端的数字证书;
ca-cert.pem:CA 证书,用于生成服务器端/客户端的数字证书;
server-key.pem:服务器端的 RSA 私钥;
server-req.pem:服务器端的证书请求文件,用于生成服务器端的数字证书;
server-cert.pem:服务器端的数字证书;
client-key.pem:客户端的 RSA 私钥;
client-req.pem:客户端的证书请求文件,用于生成客户端的数字证书;
client-cert.pem:客户端的数字证书。
- server 配置
step1:
修改集群配置文件 gbase_8a_gcluster.cnf, 在 [gbased] 里添加 ssl 信息。 以路径 /opt/gbase8a/ssl 为例, 添加示例如下:
vi GCLUSTER_BASE/config/gbase_8a_gcluster.cnf
client
port=5258
socket=/tmp/gcluster_5258.sock
connect_timeout=43200
#default-character-set=gbk
default-character-set=utf8
gbased
basedir = /opt/gcluster/server
datadir = /opt/gcluster/userdata/gcluster
socket=/tmp/gcluster_5258.sock
pid-file = /opt/gcluster/log/gcluster/gclusterd.pid
#default-character-set=gbk
default-character-set=utf8
server cfg for ssl
ssl-ca=/opt/gbase8a/ssl/ca-cert.pem
ssl-cert=/opt/gbase8a/ssl/server-cert.pem
ssl-key=/opt/gbase8a/ssl/server-key.pem
log-error
port=5258
core-file
step2:
重启集群,查看配置是否成功
$ gcluster_services all restart
step3:
执行 gccli, 登录集群
$ gccli -ugbase -p
step4:
查看 ssl 参数状态, 配置成功则显示为"YES"。
gbase> show variables like 'have_%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
- client 配置
集群 client 的配置,直接在 client 端的 Linux 上配置。
step1:
将 server 端生成的 ca-cert.pem,client-key.pem,client-cert.pem 文件拷贝到 client 端,
修改 client 端的集群配置文件 gbase_8a_gcluster.cnf,在 [client] 里添加 ssl 信息, 以路径 /opt/gbase8a/ssl 为例:
注意:如果客户端是独立安装的 gccli 工具客户端,则配置文件位于:gccli 安装目标路径/config/gbase_8a_gcluster.cnf
vi GCLUSTER_BASE/config/gbase_8a_gcluster.cnf
client
port=5258
socket=/tmp/gcluster_5258.sock
connect_timeout=43200
#default-character-set=gbk
default-character-set=utf8
client cfg for ssl
ssl-ca=/opt/gbase8a/ssl/ca-cert.pem
ssl-cert=/opt/gbase8a/ssl/client-cert.pem
ssl-key=/opt/gbase8a/ssl/client-key.pem
step2:
通过 client 端远程访问 server 并执行 status 命令查看当前连接是否为 ssl 加密连接(ssl 部分显示有 "Cipher in use",如果未走ssl则显示"Not in use")
$ gccli -h192.168.1.162 -ugbase -p
gbase> status
如果是单独创建的 gbasessl 用户,则执行:
$ gccli -h192.168.1.162 -ugbasessl -p -Dtestdb01
gbase> status
/home/frank/gccli/gcluster/server/bin/gbase ver 9.5.3.14.121230, for unknown-linux-gnu (x86_64) using readline 6.3
Connection id: 18
Current database: testdb01
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA ==> 说明当前连接时SSL加密连接
Current pager: stdout
......
step3:
如果 client 端没有进行上述 ssl 配置, 则仍然会按默认方式(非ssl)连接 server。如果想要强制用户必须使用 ssl 连接,则可以通过如下方式配置来强制指定的用户必须使用 ssl 连接:
gbase> grant all on testdb01.* to gbase require ssl
gbase用于原来已经在使用了,为了不影响原来的使用,gbase用户连接方式在服务器端不做强制要求配置,我直接单独创建一个新用户 gbasessl 来指定必须SSL连接(grant ...... require ssl):
gbase> create user gbasessl identified by '1q2w3e';
gbase> grant all on testdb01.* to gbasessl require ssl;
gbase> quit;
$ gccli -h192.168.1.162 -ugbasessl -p -Dtestdb01
gbase> status
查看用户是否备服务器配置为强制SSL连接,可以通过查询系统表 gbase.user 来看:
$ gccli -h192.168.1.162 -ugbase -p -Dtestdb01
gbase> select user,ssl_type from gbase.user;
+-----------------+----------+
| user | ssl_type |
+-----------------+----------+
| root | |
| gbase | |
| gbasessl | ANY |
+-----------------+----------+
为空代表没有强制必须使用SSL连接,不为空(ANY | X509 | SPECIFIED)都代表必须使用SSL连接。
ssl 连接参数:
--skip-ssl:客户端强制使用非SSL连接
--ssl:客户端强制使用SSL连接
如果不加参数,默认优先使用非SSL连接
gbasessl 账号连接测试(创建用户时指定了 require ssl):
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p --skip-ssl
客户端指定非SSL(--skip-ssl),我 gbasessl 服务器强制ssl(require ssl),所以会连接失败
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p
gbase> status;
客户端不指定,连接成功,为SSL
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p --ssl
gbase> status;
客户端指定SSL(--ssl),连接成功,为SSL
gbase 账号连接测试(默认未指定 require ssl)
gbase账号服务器没有设置强制ssl
$ gccli -h192.168.1.162 -ugbase -Dtestdb01 -p --skip-ssl
gbase> status
客户端指定非SSL(--skip-ssl),连接成功,为普通连接(Not in use)
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p
gbase> status;
客户端不指定,连接成功,为SSL
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p --ssl
gbase> status;
客户端指定SSL(--ssl),连接成功,为SSL。
1)客户端指定 --ssl 但如果客户端配置未配置 ssl-cert、ssl-key 参数时,也能连接成功,为非SSL连接。
2)ssl-ca:非必须参数,如果不校验CA证书的话,不需要配置;
如果 gccli 客户端配置文件(gbase_8a_gcluster.cnf)未配置对应参数,也可以直接在 gccli 命令行指定 ssl 参数:
$ gccli -h192.168.1.162 -ugbase -Dtestdb01 -p --ssl --ssl-cert=/opt/gbase8a/gccli/ssl/client-cert.pem --ssl-key=/opt/gbase8a/gccli/ssl/client-key.pem
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p --ssl --ssl-cert=/opt/gbase8a/gccli/ssl/client-cert.pem --ssl-key=/opt/gbase8a/gccli/ssl/client-key.pem
如果要校验CA证书,则指定 --ssl-ca CA证书文件路径(非必须):
$ gccli -h192.168.1.162 -ugbase -Dtestdb01 -p --ssl --ssl-cert=/opt/gbase8a/gccli/ssl/client-cert.pem --ssl-key=/opt/gbase8a/gccli/ssl/client-key.pem --ssl-ca=/opt/gbase8a/gccli/ssl/ca-cert.pem
$ gccli -h192.168.1.162 -ugbasessl -Dtestdb01 -p --ssl --ssl-cert=/opt/gbase8a/gccli/ssl/client-cert.pem --ssl-key=/opt/gbase8a/gccli/ssl/client-key.pem --ssl-ca=/opt/gbase8a/gccli/ssl/ca-cert.pem
jdbc 使用 ssl 加密连接传输数据
如果数据库的客户端应用(client)使用 jdbc 方式使用 ssl 加密连接方式,则应用客户端的配置参考如下:
如果使用 jdbc 进行 ssl 数据传输,前提也是必须 server 支持 ssl,必须先开启 server 端的 ssl 功能(开启配置详情可参考上面的 《1. 生成 SSL 连接证书》和《2. server 配置》章节)。
配置操作的命令集如下:
因为前面我配置过了,所以下面的1)和2)步骤我直接跳过,直接从步骤3)开始
1)生成 ssl 文件(直接在 linux 下执行即可)
生成 server 证书:
$ mkdir -p /opt/gbase8a/ssl
$ cd /opt/gbase8a/ssl
$ openssl genrsa 2048 > ca-key.pem # CA 私钥
$ openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem # CA 证书。
注意:CA私钥和CA证书生成的两步也可以合并成一步操作:openssl req -sha1 -new -x509 -nodes -days 3650 -keyout ca-key.pem > ca-cert.pem 来代替
$ openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem # 服务器私钥
$ openssl rsa -in server-key.pem -out server-key.pem # 转为 RSA 格式,文件名也可以命名为:server-key.rsa
$ openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem # 服务器证书
$ openssl verify -CAfile ca-cert.pem server-cert.pem # 验证
生成 client 证书:
$ openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem # 客户端私钥
$ openssl rsa -in client-key.pem -out client-key.pem # 转为 RSA 格式,文件名也可以命名为:client-key.rsa
$ openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem # 客户端证书
$ openssl verify -CAfile ca-cert.pem client-cert.pem # 验证
ssl 证书相关查看命令:
openssl rsa -in server-key.pem -text #查看证书私钥文件中的私钥和公钥信息
openssl x509 -in server-cert.pem -noout -text #查看证书详细信息
2)server 配置开启 ssl 功能:
vi $GCLUSTER_BASE/config/gbase_8a_gcluster.cnf
在 [gbased] 下配置 ssl 相关文件的路径
server cfg for ssl
ssl-ca=/opt/gbase8a/ssl/ca-cert.pem
ssl-cert=/opt/gbase8a/ssl/server-cert.pem
ssl-key=/opt/gbase8a/ssl/server-key.pem
3)server 集群服务重启:
gcluster_services all restart
4)查看服务器SSL配置:
$ gccli -ugbase -p
gbase> show variables like '%SSL%';
经过前面三步集群已经开启ssl功能,针对jdbc按照如下使用步骤:
1) 生成jdbc连接用密钥(根据 ca-cert.pem 生成 truststore)
su - frank
$ mkdir -p /home/frank/demo/ssl-certs/
$ cd /home/frank/demo/ssl-certs/
$ cp /home/frank/gccli/ssl/ca-cert.pem ./
$ cp /home/frank/gccli/ssl/client-cert.pem ./
$ keytool -import -alias GBaseCACert -file ca-cert.pem -keystore truststore
说明: ca-cert.pem 为服务器端生成 ssl 文件时生成的文件,执行该步骤后会提示输入认证密码,比如输入123456(jdbc连接会用到), Trust this certificate? [no]: yes
2)把 gbase Client 证书转换成DER格式:
$ openssl x509 -outform DER -in client-cert.pem -out client.cert
3)根据 client.cert 文件生成客户端 keystore 文件:
$ keytool -import -alias GBaseClientCertificate -file client.cert -keystore keystore
说明: client-cert.pem 为生成 ssl 文件时生成的文件,执行该步骤后会提示输入认证密码,比如输入123456(jdbc连接会用到),Trust this certificate? [no]: yes
4)上述步骤会生成两个文件 truststore, keystore,将这两个文件拷贝到 jdbc 可以访问的路径下(例如:/home/frank/demo/ssl-certs/),我直接在该demo可访问的目录下生成的,无需再拷贝了
5) 参考下面方式编写连接测试代码(参考官方的《GBase 8a 程序员手册JDBC篇.pdf》中的ssl jdbc连接的介绍编码测试):
Main.java:
java
public class Main {
public static void main(String args[]) {
String str = "=== dbconnector in ===";
System.out.println(CommonUtil.getMethodName() + str);
System.out.println(CommonUtil.getMethodName() + "====================No SSL");
GBase8aClient.connectTest();
System.out.println(CommonUtil.getMethodName() + "====================SSL01");
GBase8aClient.connectTestSSL01();
System.out.println(CommonUtil.getMethodName() + "====================SSL02");
GBase8aClient.connectTestSSL02();
System.out.println(CommonUtil.getMethodName() + "====================SSL03");
GBase8aClient.connectTestSSL03();
System.out.println(CommonUtil.getMethodName() + "====================SSL04");
GBase8aClient.connectTestSSL04();
System.out.println(CommonUtil.getMethodName() + "====================SSL05");
GBase8aClient.connectTestSSL05();
System.out.println(CommonUtil.getMethodName() + "====================SSL06");
GBase8aClient.connectTestSSL06();
}
}GBase8aClient.java:
java
public class GBase8aClient {
static String user = "gbase";
// static String user = "gbasessl";
static String pwd = "1q2w3e";
static String trustStorePath = System.getProperty("user.dir") + "/ssl-certs/truststore";
static String keyStorePath = System.getProperty("user.dir") + "/ssl-certs/keystore";
public static void printSysProperties() {
System.out.println(CommonUtil.getMethodNameParent() + "keyStore:" + System.getProperty("javax.net.ssl.keyStore"));
System.out.println(CommonUtil.getMethodNameParent() + "keyStorePassword:" + System.getProperty("javax.net.ssl.keyStorePassword"));
System.out.println(CommonUtil.getMethodNameParent() + "trustStore:" + System.getProperty("javax.net.ssl.trustStore"));
System.out.println(CommonUtil.getMethodNameParent() + "trustStorePassword:" + System.getProperty("javax.net.ssl.trustStorePassword"));
}
public static void setSysProperties(String target) {
if ("keyStore".equalsIgnoreCase(target) || "all".equalsIgnoreCase(target)) {
System.setProperty("javax.net.ssl.keyStore", keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
}
if ("trustSotre".equalsIgnoreCase(target) || "all".equalsIgnoreCase(target)) {
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", "123456");
}
}
public static void removeSysProperties() {
System.getProperties().remove("javax.net.ssl.keyStore");
System.getProperties().remove("javax.net.ssl.keyStorePassword");
System.getProperties().remove("javax.net.ssl.trustStore");
System.getProperties().remove("javax.net.ssl.trustStorePassword");
}
public static void connectTest() {
// 不设置 useSSL & requireSSL,使用非SSL连接
String url = "jdbc:gbase://192.168.1.162:5258/testdb01";
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL01() {
// 设置 useSSL & requireSSL,也设置 keystore & truststore
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true";
setSysProperties("all");
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
removeSysProperties();
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL02() {
// 设置 useSSL & requireSSL,设置 keystore,不设置 truststore
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true";
setSysProperties("keyStore");
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
removeSysProperties();
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL03() {
// 设置 useSSL & requireSSL,不设置 keystore & truststore
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true";
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL04() {
// 设置 useSSL & requireSSL,不设置 keystore & truststore
// 暂未找到服务端模式的设置,尝试客户端设置校验模式:
// 1)尝试设置 sslmode: disable | allow | prefer | require | verify-ca | verify-full,gbase8a 驱动不支持设置
// 2)尝试设置 verifyServerCertificate = true
// GBase官方手册没有找到 sslmode 和 verifyServerCertificate 的介绍,这个测试纯属尝试测试
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true&verifyServerCertificate=true";
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL05() {
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true&verifyServerCertificate=true";
setSysProperties("all");
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
removeSysProperties();
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
public static void connectTestSSL06() {
// 测试失败:执行报错 KeyManagerFactoryImpl is not initialized
String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true&verifyServerCertificate=false&clientCertificateKeyStoreUrl=file:/home/frank/demo/ssl-certs/keystore&clientCertificateKeyStorePassword=123456";
// String url = "jdbc:gbase://192.168.1.162:5258/testdb01?useSSL=true&requireSSL=true&verifyServerCertificate=true&clientCertificateKeyStoreUrl=file:/home/frank/demo/ssl-certs/keystore&clientCertificateKeyStorePassword=123456&trustCertificateKeyStoreUrl=file:/home/frank/demo/ssl-certs/truststore&trustCertificateKeyStorePassword=123456";
printSysProperties();
Connection conn = null;
try {
Class.forName("com.gbase.jdbc.Driver");
conn = DriverManager.getConnection(url, user, pwd);
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("show status like '%SSL%'");
while (rs.next()) {
// 仅打印 Ssl_cipher, Ssl_cipher_list, Ssl_verify_depth, Ssl_verify_mode, Ssl_version
if (rs.getString(1).startsWith("Ssl_cipher") ||
rs.getString(1).startsWith("Ssl_ver")) {
System.out.println(rs.getString(1) + "-----"
+ rs.getString(2).substring(0,min(50,rs.getString(2).length())));
}
}
} catch (ClassNotFoundException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: ClassNotFound!");
} catch (SQLException e) {
System.out.println(CommonUtil.getMethodName() + "ERROR: conn failed!" + e.getMessage());
e.printStackTrace();
} finally {
if (null != conn) {
try {
conn.close();
} catch (SQLException e) {
}
}
}
}
}5)编译 jar 拷贝到 /home/frank/demo/ 执行程序连接数据库
可以对比看出,几种不同的连接方式 show status like '%SSL%' 显示的信息有区别SSL还是非SSL:
frank@localhost demo\]$ java -Xbootclasspath/a:gbase-connector-java-9.5.0.1-build1-bin.jar -jar dbconnector-1.0-SNAPSHOT-shaded-with-dependencies.jar
\[main:27\] === dbconnector in ===
\[main:29\] ====================No SSL
Ssl_cipher-----
Ssl_cipher_list-----
Ssl_verify_depth-----0
Ssl_verify_mode-----0
Ssl_version-----
\[main:31\] ====================SSL01
\[connectTestSSL01:100\] keyStore:/home/frank/demo/ssl-certs/keystore
\[connectTestSSL01:100\] keyStorePassword:123456
\[connectTestSSL01:100\] trustStore:/home/frank/demo/ssl-certs/truststore
\[connectTestSSL01:100\] trustStorePassword:123456
Ssl_cipher-----AES256-SHA
Ssl_cipher_list-----ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
Ssl_verify_depth-----18446744073709551615
Ssl_verify_mode-----5
Ssl_version-----TLSv1
\[main:33\] ====================SSL02
\[connectTestSSL02:137\] keyStore:/home/frank/demo/ssl-certs/keystore
\[connectTestSSL02:137\] keyStorePassword:123456
\[connectTestSSL02:137\] trustStore:null
\[connectTestSSL02:137\] trustStorePassword:null
Ssl_cipher-----AES256-SHA
Ssl_cipher_list-----ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
Ssl_verify_depth-----18446744073709551615
Ssl_verify_mode-----5
Ssl_version-----TLSv1
\[main:35\] ====================SSL03
\[connectTestSSL03:173\] keyStore:null
\[connectTestSSL03:173\] keyStorePassword:null
\[connectTestSSL03:173\] trustStore:null
\[connectTestSSL03:173\] trustStorePassword:null
Ssl_cipher-----AES256-SHA
Ssl_cipher_list-----ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
Ssl_verify_depth-----18446744073709551615
Ssl_verify_mode-----5
Ssl_version-----TLSv1
\[main:37\] ====================SSL04
\[connectTestSSL04:212\] keyStore:null
\[connectTestSSL04:212\] keyStorePassword:null
\[connectTestSSL04:212\] trustStore:null
\[connectTestSSL04:212\] trustStorePassword:null
Ssl_cipher-----AES256-SHA
Ssl_cipher_list-----ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
Ssl_verify_depth-----18446744073709551615
Ssl_verify_mode-----5
Ssl_version-----TLSv1
\[main:39\] ====================SSL05
\[connectTestSSL05:247\] keyStore:/home/frank/demo/ssl-certs/keystore
\[connectTestSSL05:247\] keyStorePassword:123456
\[connectTestSSL05:247\] trustStore:/home/frank/demo/ssl-certs/truststore
\[connectTestSSL05:247\] trustStorePassword:123456
Ssl_cipher-----AES256-SHA
Ssl_cipher_list-----ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM
Ssl_verify_depth-----18446744073709551615
Ssl_verify_mode-----5
Ssl_version-----TLSv1
\[main:41\] ====================SSL06
\[connectTestSSL06:284\] keyStore:null
\[connectTestSSL06:284\] keyStorePassword:null
\[connectTestSSL06:284\] trustStore:null
\[connectTestSSL06:284\] trustStorePassword:null
\[connectTestSSL06:303\] ERROR: conn failed!Could not create connection to database server.
com.gbase.jdbc.exceptions.jdbc4.GBaseNonTransientConnectionException: Could not create connection to database server.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.gbase.jdbc.Util.handleNewInstance(Util.java:422)
at com.gbase.jdbc.Util.getInstance(Util.java:397)
at com.gbase.jdbc.SQLError.createSQLException(SQLError.java:1024)
at com.gbase.jdbc.SQLError.createSQLException(SQLError.java:998)
at com.gbase.jdbc.SQLError.createSQLException(SQLError.java:993)
at com.gbase.jdbc.SQLError.createSQLException(SQLError.java:935)
at com.gbase.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2498)
at com.gbase.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2247)
at com.gbase.jdbc.ConnectionImpl.\