TLS connection to backend database

Started by zsing82, May 17, 2021, 02:13:51 AM


zsing82

I have NetXMS 3.8 installed on Debian 10.  On a separate machine, I have MariaDB 10.5 installed on Debian 10. (I used DEBs from the MariaDB repo.)  I'd like to force TLS between NetXMS Server & MariaDB Server.  I have MariaDB set up with SSL enabled:
MariaDB [(none)]> show global variables like '%ssl%';
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | YES                            |
| have_ssl            | YES                            |
| ssl_ca              | /etc/mysql/ssl/ca.pem          |
| ssl_capath          |                                |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /etc/mysql/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.1.1d  10 Sep 2019    |
+---------------------+--------------------------------+

and created the database and user:
MariaDB [(none)]> show grants for [email protected];
+---------------------------------------------------------------------+
| Grants for [email protected]                                   |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `netxms`@`netxms.mgmt.lan` REQUIRE X509       |
| GRANT ALL PRIVILEGES ON `db_netxms`.* TO `netxms`@`netxms.mgmt.lan` |
+---------------------------------------------------------------------+

Here is my NetXMS configuration:
## Logging
# Log file name
LogFile=/var/log/netxmsd

# Increase logging verbosity, 0 (only errors) to 9 (verbose debug)
DebugLevel=0

## Database configuration.
DBDriver=mariadb.ddr
DBServer=mariadb.mgmt.lan
DBName=db_netxms
DBLogin=netxms
DBPassword=

But I can't seem to get a connection working.  NXDBMGR INIT tells me Access denied, probably because it's not presenting the X509 cert & key to MariaDB. Where do I drop my user cert & key in NetXMS, and how do I configure the MariaDB driver to use X509?

Victor Kirhenshtein

Hello!

You can turn on TLS in the driver by adding

DBDrvParams = enforceTLS=true

to netxmsd.conf. User authentication with X.509 certificates is not supported.

Best regards,
Victor
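
Following from the answer above, an added example (not part of the original thread and not NetXMS code): a small check that reads a netxmsd.conf and the output of SHOW GRANTS and reports the mismatches discussed here. The sample input is constructed from the values quoted in the thread; the `;` separator for multiple DBDrvParams values and the case-insensitive key matching are assumptions.

```python
import re

# Constructed sample input, modelled on the configuration and grants quoted in this thread.
SAMPLE_CONF = """\
## Database configuration.
DBDriver=mariadb.ddr
DBServer=mariadb.mgmt.lan
DBName=db_netxms
DBLogin=netxms
DBPassword=
"""
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `netxms`@`netxms.mgmt.lan` REQUIRE X509",
    "GRANT ALL PRIVILEGES ON `db_netxms`.* TO `netxms`@`netxms.mgmt.lan`",
]

def parse_conf(text):
    """Parse key=value lines of netxmsd.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: DBDrvParams values contain '='
        conf[key.strip().lower()] = value.strip()
    return conf

def audit(conf_text, grants):
    """Return a list of findings about TLS between netxmsd and MariaDB."""
    findings = []
    conf = parse_conf(conf_text)
    # Assumption: several driver parameters would be separated by ';'.
    params = {p.strip().lower() for p in conf.get("dbdrvparams", "").split(";")}
    if "enforcetls=true" not in params:
        findings.append("conf: DBDrvParams lacks enforceTLS=true, TLS is not turned on in the driver")
    if not conf.get("dbpassword"):
        findings.append("conf: DBPassword is empty, and the driver cannot log in with a certificate")
    # Collect the REQUIRE clause of each grant line, if it has one.
    requires = [m.group(1).upper() for g in grants
                if (m := re.search(r"\bREQUIRE\s+(X509|SSL|NONE|ISSUER|SUBJECT|CIPHER)\b", g, re.I))]
    if any(r in ("X509", "ISSUER", "SUBJECT") for r in requires):
        findings.append("grant: account requires a client certificate the driver cannot present; use REQUIRE SSL")
    elif "SSL" not in requires and "CIPHER" not in requires:
        findings.append("grant: no REQUIRE clause, so the server also accepts unencrypted logins")
    return findings
```

Run against the thread's setup, `audit(SAMPLE_CONF, SAMPLE_GRANTS)` reports all three problems; an account changed to REQUIRE SSL with a password and `DBDrvParams = enforceTLS=true` in netxmsd.conf returns an empty list.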