Monday, November 9, 2015

How to configure a Coldfusion MySql SSL connection to Google Cloud SQL



Here's instructions on how to get your MySQL Coldfusion server  (v10) to connect via SSL to Google Cloud SQL.

The tricky part of getting the SSL connection to work between Coldfusion and Cloud SQL is getting Coldfusion to use the Google CA Cert, your client cert and your client key.  I tried to put all this information into the datasource "Connection String" but was not able to get it to work that way, so I ended up splitting the information between configuring my client cert and key in the Coldfusion JVM arguments and then adding the other configuration items to the connection string in the datasource.


First Verify you can connect your datasources without SSL



If you can't connect without SSL, then you aren't going to be able to connect with SSL.  Verify first that you are able to connect your Coldfusion datasource to Cloud SQL using a non-encrypted connection.  If this works it means that you have your Coldfuison IP address added to the allowed connections for your Google Cloud SQL and it means that your mysql login id and password is working correctly.  (Make sure that your Cloud SQL is configured to allow unencrypted connections).


Now we work on the SSL Connection 


In order to get SSL connections to Google Cloud SQL you will need to have 3 files from your Google SQL Console.

server-ca.pem ->
This is your Cloud SQL Server CA and is how your client knows it is talking to your real SQL Server

client-cert.pem ->  This is your client certificate and is how the server knows it is really talking to you.

client-key.pem ->  This is your client private key.  Keep it safe.






Working with your truststore/keystore files

For working with keystores I used the opensource GUI program called Keystore Explorer  













Add your Server CA  to your Coldfusion truststore
We need to add your Cloud SQL Server CA to the Coldfusion truststore. THe truststore tells our coldfusion server which certificates that it trusts.  The default truststore coldfusion uses is located at [Coldfusion root]\jre\lib\cacerts


  1. Open Keystore explorer program
  2. Open the truststore located at [Coldfusion root]\jre\lib\cacerts
  3. The default password is changeit (the truststore must have a password)
  4. Select Tools->Import Trusted Certificate and import your server-ca.pem file
  5. Save your cacerts file.


OR an alternative way to manage your Coldfusion Truststore
Another way to manage the cacert file used by Coldfusion is to install the coldfusion extension Certman and then you can view and manage your trusted certificates directly via the Coldfusion Administrator pages.




Make the keystore file for your client certificate and key
We need to make a keystore file for holding your client certificate and key.  It is very important that you use a password on both the keypair and also a password on the keystore file and the password needs to be the same for both!
  1. Open Keystore explore
  2. Make a new keystore file of type JKS
  3. Select Tools->Import Key pair and select OpenSSL
  4. When prompted for the keypair password, make sure you use a password, for example "changeit".
  5. Save your new keystore file from the   File->Save menu.  MAKE SURE YOU save it with a keystore password, and it should be the same as the keypair password,  for example "changeit".
  6. For this example,  I am saving the file with the  name cloudsql6.keystore in the c:\keys folder and using the password "changeit" for both the imported keypair and the the keystore file. 



Configure Coldfusion to use your keystore file
Add this line below to your Coldfusion JVM configuration and restart coldfusion.  This is telling coldfusion to use youre keystore file c:\keys\cloudsql6.keystore .  The file must have a password or it will not work.

-Djavax.net.ssl.keyStore=c:\keys\cloudsql6.keystore -Djavax.net.ssl.keyStorePassword=changeit
















Connect a datasource using SSL

Add this to line below  to your datasource connectionstring to tell it to connect using SSL.  You must use the verifyServerCertificate or else it will not work.

useSSL=true&requireSSL=true&verifyServerCertificate=true















If you did everything correctly,  you will now have an SSL connection to your Google Cloud MySQL from your Coldfusion server.  Congratulations!!



Turn off allowed non-SSL connections to your Google Cloud SQL
Now you can turn off unsecured connections to your Cloud SQL to be even safer.  Tis is done from the Google Cloud Console.





No comments: