Configuring secured MySQL connections for standalone SnapCenter Server configurations

You can generate Secure Sockets Layer (SSL) certificates and key files if you want to secure the communication between SnapCenter Server and MySQL Server. You must configure the certificates and key files on both the MySQL Server and the SnapCenter Server.

Before you begin

SnapCenter Server must be installed.

About this task

The following certificates are generated:

Steps

  1. Set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

    MySQL Version 5.7: Creating SSL Certificates and Keys Using openssl

    Note: The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

    Best Practice: You should use the server fully qualified domain name (FQDN) as the common name for the server certificate.
  2. Copy the SSL certificates and key files to the MySQL Data folder.
    The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.
  3. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).
    The default MySQL server configuration file (my.ini) path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\my.ini.
    Note: You must specify the CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

    You must specify the CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

    Example
    The following example shows the certificate and key file paths specified in the [mysqld] section of the my.ini file, with the files located in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.
    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

    The following example shows the paths updated in the [client] section of the my.ini file.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  4. Stop the SnapCenter Server web application in the Internet Information Server (IIS).
  5. Restart the MySQL service.
  6. Update the value of the MySQLProtocol key in the web.config file.
    Example
    The following example shows the value of the MySQLProtocol key updated in the web.config file.
    <add key="MySQLProtocol" value="SSL" />
  7. Update the web.config file with the paths that were provided in the [client] section of the my.ini file.
    Example
    The following example shows the paths from the [client] section of the my.ini file updated in the web.config file.
    <add key="ssl-client-cert" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem" />
    <add key="ssl-client-key" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem" />
    <add key="ssl-ca" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem" />
  8. Start the SnapCenter Server web application in the IIS.
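
A consistency check for steps 3, 6, and 7, added here as an example and not part of NetApp's documentation or tooling: it parses my.ini and web.config text and reports missing SSL options, a MySQLProtocol value other than SSL, and web.config paths that differ from the [client] section. The function names and the sample file contents are assumptions constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

# web.config appSettings key -> my.ini [client] option it must match (steps 3 and 7)
WEB_TO_CLIENT = {"ssl-ca": "ssl-ca", "ssl-client-cert": "ssl-cert", "ssl-client-key": "ssl-key"}

def _norm(path):  # compare Windows paths ignoring quotes, slash direction and case
    return path.strip().strip('"').replace("\\", "/").lower()

def check_ssl_config(my_ini_text, web_config_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    ini = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    ini.read_string(my_ini_text)
    for section in ("mysqld", "client"):
        for opt in ("ssl-ca", "ssl-cert", "ssl-key"):
            if not ini.get(section, opt, fallback=None):
                findings.append(f"my.ini [{section}]: {opt} is not set")
    settings = {e.get("key"): e.get("value", "")
                for e in ET.fromstring(web_config_text).iter("add")}
    if settings.get("MySQLProtocol") != "SSL":
        findings.append("web.config: MySQLProtocol is not SSL")
    for web_key, ini_opt in WEB_TO_CLIENT.items():
        ini_val = ini.get("client", ini_opt, fallback=None)
        if web_key not in settings:
            findings.append(f"web.config: {web_key} is missing")
        elif ini_val and _norm(settings[web_key]) != _norm(ini_val):
            findings.append(f"web.config: {web_key} does not match my.ini [client] {ini_opt}")
    return findings

# Constructed sample input: web.config mistakenly points at the server key.
D = "C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data"
SAMPLE_MY_INI = f"""[mysqld]
ssl-ca="{D}/ca.pem"
ssl-cert="{D}/server-cert.pem"
ssl-key="{D}/server-key.pem"
[client]
ssl-ca="{D}/ca.pem"
ssl-cert="{D}/client-cert.pem"
ssl-key="{D}/client-key.pem"
"""
SAMPLE_WEB_CONFIG = f"""<configuration><appSettings>
<add key="MySQLProtocol" value="SSL" />
<add key="ssl-client-cert" value="{D}/client-cert.pem" />
<add key="ssl-client-key" value="{D}/server-key.pem" />
<add key="ssl-ca" value="{D}/CA.pem" />
</appSettings></configuration>"""
if __name__ == "__main__":
    print("\n".join(check_ssl_config(SAMPLE_MY_INI, SAMPLE_WEB_CONFIG)))
```

Run it against the real files by reading my.ini and web.config into strings and passing them to check_ssl_config before restarting the web application in step 8.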