MySQL with SSL

Healthcare IRAD
December 17, 2009
HARRIS CORPORATION
|
Government Communications Systems Division
assuredcommunications™
Revision: 1.0
Date: 12/17/2009
Change History
Revised By: Derrick Cannon
Change(s): Initial Version
Contents
1 Steps for Compiling MySQL with SSL Enabled ........................................ 5
2 Helpful Links ..................................................................... 7
3 Verification Commands ............................................................ 7
4 Instructions for Building and Running Windows SSL Enabled MySQL Server .......... 9
5 Configuring OpenSSL .............................................................. 9
5.1 Download and install OpenSSL Windows binaries .................................. 9
5.2 Add OpenSSL\bin to the system path ............................................. 9
5.2.1 Add C:\OpenSSL\bin to the end of the path ................................... 10
6 Verify OpenSSL installation ..................................................... 10
6.1.1 Create clean environment .................................................... 11
6.1.2 Create CA certificate ....................................................... 11
6.1.3 Create server certificate ................................................... 11
6.1.4 Create client certificate ................................................... 11
6.1.5 Server ...................................................................... 12
6.1.6 Client ...................................................................... 12
7 Starting the server using the Certificates ...................................... 12
7.1.1 That's it! Your MySQL Server is now up and running with SSL Enabled ......... 13
8 Creating an SSL required User ................................................... 14
9 Installing SSL enabled MySQL on a client machine ................................ 14
10 Copying the client certifications .............................................. 14
11 Starting MySQL client with certifications ...................................... 15
12 Verify Encryption .............................................................. 15
1 Steps for Compiling MySQL with SSL Enabled
Download whatever version of the MySQL source you want to build (these steps used 5.1.41):
http://dev.mysql.com/downloads/mysql/5.1.html#win32
Download cmake - http://www.cmake.org
Install cmake via its install wizard, accepting the default settings. Ensure that "add to path" is selected.
Download and install Visual Studio C++ Express 2008: http://www.microsoft.com/Express/VC/
Unzip the 5.1.41 download. If the zip contains duplicate top-level directories, get rid of the top level by
renaming it and moving the sub-directory up. Then delete the renamed top-level directory.
Next open the command line and go to the unzipped directory.
Now run the configure.js script, accepting the default options.
Run the command-line bat for VS9 (see image below).
If requested, install the VC redistributable from the OpenSSL for Windows site and the OpenSSL binaries
from the OpenSSL site (these steps are listed in detail in the server configuration section).
Change the Visual Studio compile line args to add the "--with-vio --with-openssl" options.
Install Cygwin.
Add Cygwin to your Windows PATH environment variable.
Change make_win_bin_dist as follows.
Commented out the copy of the manual:
#cp Docs/manual.chm $DESTDIR/Docs/ || /bin/true
And then commented out the scripts block:
# ---------------------------------------------------------------------
# Copy what could be usable in the "scripts" directory
# ---------------------------------------------------------------------
#mysql_scripts="\
#mysql_config.pl \
#mysql_convert_table_format.pl \
#mysql_install_db.pl \
#mysql_secure_installation.pl \
#mysqld_multi.pl \
#mysqldumpslow.pl \
#mysqlhotcopy.pl \
#"
2 Helpful Links
http://dev.mysql.com/doc/refman/5.0/en/windows-source-build.html
http://dev.mysql.com/doc/refman/5.0/en/windows-source-build-cmake.html
http://dev.mysql.com/doc/refman/5.1/en/make-win-bin-dist.html
http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html
http://dev.mysql.com/doc/refman/5.0/en/windows-start-command-line.html
http://www.techotopia.com/index.php/The_mysql_Command-Line_Tool - help file and command usage for the mysql command-line tool.
http://csrc.nist.gov/groups/STM/cmvp/validation.html - FIPS Vendor List: reference information on FIPS-compliant vendors (MySQL and Sun are not listed).
http://groups.google.com/group/mailing.database.mysql/msg/1bb1c6698f118764 - No Windows binaries.
http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html - Complete description of SSL options.
http://www.connectopensource.org/pages/viewpageattachments.action?pageId=26673622 - Wiki page with zip.
http://www.waterlovinghead.com/MysqlSSL - Steps to verify and enable SSL once built.
http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html - Steps for creating certs.
3 Verification Commands
Run these from the mysql prompt. have_openssl reports whether the server was built with SSL support, and Ssl_cipher shows a cipher only on an encrypted connection (see section 12).
mysql> SHOW STATUS LIKE 'Ssl_cipher';
mysql> SHOW VARIABLES LIKE 'have_openssl';
4 Instructions for Building and Running Windows SSL Enabled MySQL Server
Download PackageMySQL.zip from the Connect Wiki (attachment on this page if being viewed from the Wiki).
This is a zip file which contains the contents of the SSL Enabled MySQL Server version 5.1.41.
Unzip the zip file. You can do this anywhere (e.g. C:\PackageMySQL).
The unzipped file structure may contain duplicate directories that look like
PackageMySQL\PackageMySQL\<files> ....
You can create your own directory and copy the contents of the lowest PackageMySQL folder into it.
For example, open a DOS prompt:
> C:
> mkdir MySql
> cd MySql
> xcopy C:\PackageMySQL /e
where 'C:\PackageMySQL' is wherever you unzipped to.
Or simply copy the PackageMySQL directory itself to where you want it and use this as your default.
5 Configuring OpenSSL
5.1 Download and install OpenSSL Windows binaries.
http://www.openssl.org/related/binaries.html or this sublink
http://www.slproweb.com/products/Win32OpenSSL.html
If asked by the OpenSSL installer, download and install the "Visual C++ 2008 Redistributables"
from the same site above.
Follow the default install options.
5.2 Add OpenSSL\bin to the system path
Start -> Control Panel -> System -> Advanced (tab) -> Environment Variables (button)
In the bottom window scroll down to Path and click Edit.
5.2.1 Add C:\OpenSSL\bin to the end of the path.
(NOTE: replace C:\OpenSSL\bin with your path to it if you altered the OpenSSL install)
Click Ok 3 times to close out the dialogs and save changes.
6 Verify OpenSSL installation
Next open a new DOS command window (Start -> Run -> cmd.exe) and run openssl:
Microsoft Windows [Version ...]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd \
C:\>openssl
OpenSSL> exit
C:\>
If you see the OpenSSL> prompt, the OpenSSL installation was successful.
Now execute the following commands (the text after each shell> prompt) in the DOS window.
6.1.1 Create clean environment
shell> md c:\newcerts
shell> cd c:\newcerts
6.1.2 Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
6.1.3 Create server certificate
shell> openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
6.1.4 Create client certificate
shell> openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
The request command of each certificate creation step prompts you for information about the
certificate, similar to the screenshots below. Enter information at each prompt relevant to your
organization.
Note: Make sure that the Common Name is unique for the client and server certificates.
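The following is an added example, not part of the original guide: it runs the same openssl recipe as 6.1.2 to 6.1.4 non-interactively (-subj replaces the prompts), then checks the two things the guide only states, that each certificate verifies against the CA and that the Common Names are distinct. The directory names, organization and CN values are assumptions; it also departs from the guide by giving each certificate its own serial number.

```shell
# Added example (not the Harris guide's own script). Directory, O= and CN
# values are assumed for the demo; each certificate gets a distinct serial,
# which the guide's recipe (-set_serial 01 for both) does not do.
set -e

# make_certs DIR SERVER_CN CLIENT_CN: writes ca-/server-/client-{key,cert}.pem
# into DIR using the guide's openssl commands.
make_certs() {
  dir="$1"; server_cn="$2"; client_cn="$3"
  mkdir -p "$dir"
  (
    cd "$dir"
    # 6.1.2: CA key and self-signed CA certificate
    openssl genrsa 2048 > ca-key.pem 2>/dev/null
    openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
      -subj "/O=Example/CN=demo-ca" > ca-cert.pem 2>/dev/null
    serial=1
    for role in server client; do
      if [ "$role" = server ]; then cn="$server_cn"; else cn="$client_cn"; fi
      # 6.1.3 / 6.1.4: leaf key + request, then sign the request with the CA
      openssl req -newkey rsa:2048 -days 1000 -nodes -keyout "$role-key.pem" \
        -subj "/O=Example/CN=$cn" > "$role-req.pem" 2>/dev/null
      openssl x509 -req -in "$role-req.pem" -days 1000 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$serial" > "$role-cert.pem" 2>/dev/null
      serial=$((serial + 1))
    done
  )
}

# check_certs DIR: prints "ok" when both leaf certificates verify against the
# CA and the three subjects differ; otherwise prints the reason and fails.
check_certs() {
  dir="$1"
  for role in server client; do
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$role-cert.pem" \
      >/dev/null 2>&1 || { echo "chain failed: $role"; return 1; }
  done
  subjects=$(for f in ca server client; do
    openssl x509 -noout -subject -in "$dir/$f-cert.pem"; done)
  distinct=$(printf '%s\n' "$subjects" | sort -u | wc -l | tr -d ' ')
  [ "$distinct" -eq 3 ] || { echo "duplicate CN"; return 1; }
  echo ok
}

# Usage: a good set passes; a client certificate reusing the server CN is caught
make_certs /tmp/mysql-ssl-demo/good mysql-server mysql-client
check_certs /tmp/mysql-ssl-demo/good
make_certs /tmp/mysql-ssl-demo/dup mysql-server mysql-server
check_certs /tmp/mysql-ssl-demo/dup || true
```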
6.1.5 Server
6.1.6 Client
7 Starting the server using the Certificates
From the new cert directory the command is as below; otherwise prepend the C:\newcerts\ path (or
whatever corresponding path you used for your certs) to each file.
shell> mysqld --ssl-ca=ca-cert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem
Alternatively you can create an ini file such as my.ini in Notepad and add the following text:
[mysqld]
ssl-ca=C:/newcerts/ca-cert.pem
ssl-cert=C:/newcerts/server-cert.pem
ssl-key=C:/newcerts/server-key.pem
And then execute the server via the command below:
C:\PackageMySQL\bin>mysqld --defaults-file=C:/newcerts/my.ini &
This is useful as the file can also store any other variables or conditions you use to start MySQL Server.
See the MySQL documentation for additional properties that can be added.
7.1.1 That's it! Your MySQL Server is now up and running with SSL Enabled.
8 Creating an SSL required User
Open a DOS command prompt and log in to mysql.
On the SSL-enabled server create a user, in this example 'ssluser':
mysql> CREATE USER 'ssluser'@'localhost' IDENTIFIED BY 'goodsecret';
Next, from the mysql prompt (or a UI command prompt) execute the following command. REQUIRE SSL makes the server refuse this user's logins over unencrypted connections:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'goodsecret' REQUIRE SSL;
9 Installing SSL enabled MySQL on a client machine
Download PackageMySQL.zip from the Connect Wiki.
This is a zip file which contains the contents of the SSL Enabled MySQL Server version 5.1.41.
Unzip the zip file. You can do this anywhere (this example saves the zip to C:\PackageMySQL).
The structure may contain duplicate directories that look like PackageMySQL\PackageMySQL\<files>.
You can create your own directory and copy the contents of the lowest PackageMySQL folder into it, or
simply copy the PackageMySQL directory itself and use this as your default.
For example, open a DOS prompt:
> C:
> mkdir MySql
> cd MySql
> xcopy C:\PackageMySQL /e
where 'C:\PackageMySQL' is wherever you unzipped to.
10 Copying the client certifications
Copy the client cert file "client-cert.pem" generated in the SSL-enabled server installation process from
the server to the machine you are establishing as a client (do this with email, ftp, etc.).
This guide places it in a new directory called C:\newcerts\. Note that the client start command in
section 11 references the CA certificate (ca-cert.pem) from this same directory.
11 Starting MySQL client with certifications
From the command line execute the mysql client start command as below:
> C:\PackageMySQL\bin\mysql -u ssluser -p -h dnocc8324 --ssl-ca=C:\newcerts\ca-cert.pem
(Here ssluser is the secured user's username, dnocc8324 is the server machine name, and
"C:\newcerts\" is the path where you saved the cert. Replace these as appropriate.)
It will prompt for a password; enter the password created for your user.
12 Verify Encryption
Next, from the mysql prompt execute \s as below:
mysql> \s
It will display information about the server connection, including the cipher being used.
Verify that the SSL: line has a cipher listed; if it reads "Not in use", the connection is not encrypted.
That's all; you've now verified the SSL-secured client-server configuration.