Updated on 2025-10-23 GMT+08:00

Connecting to a Database in SSL Mode

When connecting to the GaussDB server through JDBC, you can enable SSL to encrypt communication between the client and the server, which protects sensitive data transmitted over the Internet.

This section describes how applications configure the client in SSL mode through the JDBC driver. For details about how to configure the server, contact the administrator.

Before connecting, the default user must obtain the certificate and private key files required by the server and the client. For details about how to generate and obtain a certificate, contact the administrator or see the OpenSSL documentation and commands.

Configuring the Client

Obtain the client.key, client.crt, and cacert.pem certificate files for subsequent configurations.

Configure server authentication, which requires the server certificate file cacert.pem.

  1. Use the Java keytool to import the server certificate:

    >keytool -importcert -alias MyCACert -file cacert.pem -keystore truststore -storepass mypassword
    

  2. Configure the truststore in Java or in the application using any of the following methods:

    Method 1: Use Java command line parameters.
    -Djavax.net.ssl.trustStore=path_to_truststore_file  
    -Djavax.net.ssl.trustStorePassword=mypassword
    
    Method 2: Set system properties in the client code.
    System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");
    System.setProperty("javax.net.ssl.trustStorePassword","mypassword");
    
    Method 3: Configure the truststore in the connection attributes.
    trustCertificateKeyStoreUrl=file:path_to_truststore_file 
    trustCertificateKeyStorePassword=mypassword
    

Configure client authentication, which requires the client certificate file client.pem and the private key file clientkey.pem generated in step 1.

  1. Convert the client certificate file client.crt and the private key file client.key into the PEM format:

    >openssl x509 -in client.crt -out client.pem -outform PEM
    >openssl rsa -in client.key -out clientkey.pem -outform PEM
    

  2. Convert the client key and certificate file into the PKCS 12 format:

    >openssl pkcs12 -export -in client.pem -inkey clientkey.pem -name "myclient" -passout pass:mypassword -out clientkeystore.p12
    

  3. Import the client key and certificate into the Java keystore:

    >keytool -importkeystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword
    

  4. Configure the keystore in Java or in the application using any of the following methods:

    Method 1: Use Java command line parameters.
    -Djavax.net.ssl.keyStore=path_to_keystore_file 
    -Djavax.net.ssl.keyStorePassword=mypassword
    
    Method 2: Set system properties in the client code.
    System.setProperty("javax.net.ssl.keyStore","path_to_keystore_file");
    System.setProperty("javax.net.ssl.keyStorePassword","mypassword");
    
    Method 3: Configure the keystore in the connection attributes.
    clientCertificateKeyStoreUrl=file:path_to_keystore_file
    clientCertificateKeyStorePassword=mypassword
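
A pre-flight check for the two stores built in the steps above, as an added example that is not part of the original documentation: it confirms that the truststore holds the CA certificate under the alias MyCACert, that the keystore holds the client key under the alias myclient, and reports certificate expiry. The class name SslStoreCheck and the STORE_PASSWORD_ENV variable are assumptions, as is the premise that the CA in cacert.pem also issued the client certificate.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added example (not from the GaussDB documentation): checks both stores before connecting.
// Requires Java 9+ for KeyStore.getInstance(File, char[]), which detects JKS or PKCS12.
public class SslStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumption: both stores share one password, read from the hypothetical
        // STORE_PASSWORD_ENV variable instead of being written into the code.
        String env = System.getenv("STORE_PASSWORD_ENV");
        if (args.length != 2 || env == null) {
            fail("usage: STORE_PASSWORD_ENV=... java SslStoreCheck <truststore> <keystore>");
        }
        char[] pass = env.toCharArray();
        // A wrong store password or a damaged file makes loading throw an exception.
        KeyStore trust = KeyStore.getInstance(new File(args[0]), pass);
        KeyStore keys = KeyStore.getInstance(new File(args[1]), pass);

        // The truststore needs the CA as a trusted certificate entry (alias from keytool -importcert).
        if (!trust.isCertificateEntry("MyCACert")) {
            fail("truststore has no trusted certificate entry named MyCACert");
        }
        X509Certificate ca = (X509Certificate) trust.getCertificate("MyCACert");
        ca.checkValidity(); // throws if the CA certificate is expired or not yet valid

        // The keystore needs a private key entry (alias from openssl pkcs12 -name).
        if (!keys.isKeyEntry("myclient")) {
            fail("keystore has no private key entry named myclient");
        }
        keys.getKey("myclient", pass); // throws UnrecoverableKeyException if the key password differs
        X509Certificate client = (X509Certificate) keys.getCertificate("myclient");
        client.checkValidity();

        // Assumption: the CA in cacert.pem issued the client certificate; otherwise "no" is expected.
        String issuedByCa = "yes";
        try {
            client.verify(ca.getPublicKey());
        } catch (GeneralSecurityException e) {
            issuedByCa = "no";
        }
        System.out.println("CA:     " + ca.getSubjectX500Principal() + ", valid until " + ca.getNotAfter());
        System.out.println("Client: " + client.getSubjectX500Principal() + ", valid until " + client.getNotAfter());
        System.out.println("Client certificate signed by MyCACert: " + issuedByCa);
    }
    static void fail(String message) {
        System.err.println("FAIL: " + message);
        System.exit(1);
    }
}
```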
    

Examples

// There will be security risks if the username and password used for authentication are directly written into code. It is recommended that the username and password be stored in the configuration file or environment variables (the password must be stored in ciphertext and decrypted when being used) to ensure security.
// In this example, the username and password are stored in environment variables. Before running this example, set environment variables EXAMPLE_USERNAME_ENV and EXAMPLE_PASSWORD_ENV in the local environment (set the environment variable names based on the actual situation).
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class SSL{
    public static void main(String[] args) {
        String userName = System.getenv("EXAMPLE_USERNAME_ENV");
        String password = System.getenv("EXAMPLE_PASSWORD_ENV");
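        // useSSL=true enables SSL and verifyServerCertificate=true makes the driver validate the
        // server certificate against the truststore; the keystore supplies the client certificate.
        String urls = "jdbc:gaussdb://$ip:$port/database?useSSL=true&verifyServerCertificate=true"+
            "&trustCertificateKeyStoreUrl=file:path_to_truststore_file" +
            "&trustCertificateKeyStorePassword=mypassword"+
            "&clientCertificateKeyStoreUrl=file:path_to_keystore_file" +
            "&clientCertificateKeyStorePassword=mypassword";

        // Create a database connection.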
        try {
            Class.forName("com.mysql.jdbc.Driver").newInstance();
        } catch (Exception e) {
            e.printStackTrace();
        }
        try {
            Connection conn;
            conn = DriverManager.getConnection(urls,userName, password);
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}