Configure secured MySQL connections for standalone SnapCenter Server configurations

Contributors netapp-soumikd netapp-asubhas Download PDF of this page

You can generate Secure Sockets Layer (SSL) certificates and key files, if you want to secure the communication between SnapCenter Server and MySQL Server. You must configure the certificates and key files in the MySQL Server and SnapCenter Server.

The following certificates are generated:

  • CA certificate

  • Server public certificate and private key file

  • Client public certificate and private key file

Steps

  1. Set up the SSL certificates and key files for MySQL servers and clients on Windows by using the openssl command.

    The common name value that is used for the server certificate, client certificate, and key files must each differ from the common name value that is used for the CA certificate. If the common name values are the same, the certificate and key files fail for servers that are compiled by using OpenSSL.

    Best Practice: You should use the server fully qualified domain name (FQDN) as the common name for the server certificate.

  2. Copy the SSL certificates and key files to the MySQL Data folder.

    The default MySQL Data folder path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\Data\.

  3. Update the CA certificate, server public certificate, client public certificate, server private key, and client private key paths in the MySQL server configuration file (my.ini).

    The default MySQL server configuration file (my.ini) path is C:\ProgramData\NetApp\SnapCenter\MySQL Data\my.ini.

    You must specify the CA certificate, server public certificate, and server private key paths in the [mysqld] section of the MySQL server configuration file (my.ini).

    You must specify the CA certificate, client public certificate, and client private key paths in the [client] section of the MySQL server configuration file (my.ini).

    The following example shows the certificates and key files copied to the [mysqld] section of the my.ini file in the default folder C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/server-key.pem"

    The following example shows the paths updated in the [client] section of the my.ini file.

    ssl-ca="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem"
    ssl-cert="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem"
    ssl-key="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem"
  4. Stop the SnapCenter Server web application in the Internet Information Server (IIS).

  5. Restart the MySQL service.

  6. Update the value of the MySQLProtocol key in the web.config file.

    The following example shows the value of the MySQLProtocol key updated in the web.config file.

    <add key="MySQLProtocol" value="SSL" />
  7. Update the web.config file with the paths that were provided in the [client] section of the my.ini file.

    The following example shows the paths updated in the [client] section of the my.ini file.

    <add key="ssl-client-cert" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-cert.pem" />
    <add key="ssl-client-key" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/client-key.pem" />
    <add key="ssl-ca" value="C:/ProgramData/NetApp/SnapCenter/MySQL Data/Data/ca.pem" />
  8. Start the SnapCenter Server web application in the IIS.