Monitor SSL-enabled MySQL on Amazon RDS

To monitor a MySQL instance that uses SSL connections, first enable SSL mode in MySQL, consulting the online documentation appropriate to your deployment.

Download the following files, which are required to complete this procedure:

  • ca.pem
  • server-cert.pem
  • server-key.pem
  • client-cert.pem
  • client-key.pem

Run the following commands at the command line. Substitute URLs and other information from your deployment for the placeholders in the examples.

  1. Test your local SSL connection:
    mysql -h ec2-11-111-111-11.us-west-2.compute.amazonaws.com -u Testssl --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/server-cert.pem --ssl-key=/etc/certs/server-key.pem -p
  2. Verify the remote connection:
    mysql -h ec2-11-111-111-11.us-west-2.compute.amazonaws.com -u Testssl --ssl-ca=/home/appdynamics/cert/ca.pem --ssl-cert=/home/appdynamics/cert/client-cert.pem --ssl-key=/home/appdynamics/cert/client-key.pem -p
  3. Import the ca.pem file to the default truststore:
    sudo keytool -importcert -alias MySQLCACert -file ca.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
    Remember: Do not forget the password, as you need it in step 7.
  4. Convert the client key and certificate files to a PKCS #12 archive:
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:changeit -out client-keystore.p12
  5. Import the client key and certificate into a Java keystore:
    sudo keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore $JAVA_HOME/jre/lib/security/cacerts -deststoretype JKS -deststorepass changeit
  6. Verify that the certificate was added:
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
  7. Start the db-agent after ensuring that the following properties are added:
    /<full path to application JRE>/bin/java -jar -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit db-agent.jar
  8. In the Controller, create a new collector for MySQL:
    • In the Create New Collector panel, add the connection property named useSSL with the value true.
    • Alternatively, you can also use the following custom connection string:
      jdbc:mysql://<RDS-Hostname>:<RDS-Port>/database?useSSL=true
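
A preflight check for steps 3 to 5, added here as an example (it is not part of the original procedure or of the vendor's tooling): it confirms that client-cert.pem verifies against ca.pem and that client-key.pem is its private key before either is packaged and imported. The function names, the preflight.sh file name and the sample material built by make_sample_pki are assumptions introduced for illustration.

```shell
#!/bin/sh
# Preflight for steps 3-5: check the client material before it goes into the
# PKCS #12 archive and the Java keystore.

# Succeeds when CERT verifies against CA (the ca.pem imported in step 3).
cert_chains_to_ca() {   # usage: cert_chains_to_ca CA CERT
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when KEY is the private key for CERT (public keys are identical).
# Assumes an unencrypted key, as in step 4, which passes no -passin.
cert_matches_key() {    # usage: cert_matches_key CERT KEY
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

preflight() {           # usage: preflight CA CERT KEY
  cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1" >&2; return 1; }
  cert_matches_key "$2" "$3" || { echo "FAIL: $3 is not the key for $2" >&2; return 1; }
  echo "OK: $2 and $3 are consistent with $1"
}

# Constructed sample material for trying the checks offline: a throwaway CA, a
# client certificate it signs, and an unrelated key and CA. Not RDS files.
make_sample_pki() {     # usage: make_sample_pki DIR
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
      -keyout "$1/ca-key.pem" -out "$1/ca.pem" &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-client" \
      -keyout "$1/client-key.pem" -out "$1/client.csr" &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
      -CAcreateserial -days 1 -out "$1/client-cert.pem" &&
    openssl genrsa -out "$1/other-key.pem" 2048 &&
    openssl req -x509 -new -key "$1/other-key.pem" -days 1 -subj "/CN=Other CA" \
      -out "$1/other-ca.pem"
  } >/dev/null 2>&1
}

# Run as: sh preflight.sh ca.pem client-cert.pem client-key.pem
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A key that does not match the certificate still produces a PKCS #12 error only at export time, and a certificate signed by a different CA fails only when the agent connects, so running this first separates the two causes.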