Tutorial: Set up an SSL Connection to MySQL or AWS RDS
Create an SSL connection between Access Server and a MySQL database to store your VPN server configuration.
Overview
With Access Server 2.9.0 and newer, you can make an encrypted connection to MySQL or AWS RDS servers.
You can configure one of three available modes for your database connection:
Disabled: No SSL.
Preferred: Create an SSL connection, but fall back to an unencrypted connection if SSL isn't supported or can't be established.
Note
This is the default behavior.
Required: The database connection is dropped if the certificate check fails.
Prerequisites
An installed Access Server using a database server for the configuration files.
Root access to the Access Server console.
Root access to the database server.
Configure an SSL connection to MySQL
Generate client and server certificates on the MySQL server side to use SSL mode.
Note
Depending on the Linux distribution of your database server, generation of the server and client certificates may already be included in the installation script. For details on creating these certificates, refer to the documentation from your OS vendor or the MySQL server package maintainer.
Once you have the CA bundle, client certificate, and client private key files, rename them to reflect their use.
In this example, we refer to them as mysql-as-CAbundle.crt, mysql-as-client.crt, and mysql-as-client.key.
Upload your client certificate and CA bundle files to Access Server in this directory: /etc/ssl/certs/.
Upload your client private key to Access Server in this directory: /etc/ssl/private/.
Grant Access Server read rights to the files:
chown openvpn_as:openvpn_as /etc/ssl/certs/mysql-as-CAbundle.crt
chown openvpn_as:openvpn_as /etc/ssl/certs/mysql-as-client.crt
chown openvpn_as:openvpn_as /etc/ssl/private/mysql-as-client.key
chmod 644 /etc/ssl/certs/mysql-as-CAbundle.crt
chmod 644 /etc/ssl/certs/mysql-as-client.crt
chmod 640 /etc/ssl/private/mysql-as-client.key
Configure these files for establishing a connection to the database server and define SSL mode by running these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory:
./sacli --key "mysql.ssl_ca_cert" --value '/etc/ssl/certs/mysql-as-CAbundle.crt' ConfigPut
./sacli --key "mysql.ssl_auth_cert" --value '/etc/ssl/certs/mysql-as-client.crt' ConfigPut
./sacli --key "mysql.ssl_auth_key" --value '/etc/ssl/private/mysql-as-client.key' ConfigPut
./sacli --key "mysql.ssl_mode" --value "PREFERRED" ConfigPut
Restart the Access Server service:
service openvpnas restart
Note
Restarting the openvpnas service also forces all VPN connections to reconnect.
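Before handing the three files to sacli it is worth confirming that they actually belong together and are safe on disk: a mismatched key or a certificate that does not chain to the bundle only shows up later as a silently downgraded connection (in PREFERRED mode) or a refused one (in REQUIRED mode), and a world-readable private key is exactly what the chmod 640 step above is meant to prevent. The script below is an added example, not part of the Access Server tutorial or of the product itself; it assumes openssl and GNU stat are available on the Access Server host, and the file names are the ones used in this tutorial.

```shell
#!/bin/sh
# Pre-flight check for the MySQL SSL client material before configuring Access Server.
# Added example (not OpenVPN's code). Assumes: openssl, GNU coreutils stat.
# Usage: sh mysql-ssl-preflight.sh CA_BUNDLE CLIENT_CERT CLIENT_KEY
#   e.g. sh mysql-ssl-preflight.sh /etc/ssl/certs/mysql-as-CAbundle.crt \
#            /etc/ssl/certs/mysql-as-client.crt /etc/ssl/private/mysql-as-client.key

# check_cert_chain CA_BUNDLE CLIENT_CERT -> 0 if the client cert verifies against the bundle
check_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_matches CLIENT_CERT CLIENT_KEY -> 0 if the key's public half equals the cert's
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_key_mode KEY_FILE -> 0 if "other" has no read bit (640 or 600 pass, 644 fails)
check_key_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    others=$(( mode % 10 ))
    [ $(( others & 4 )) -eq 0 ]
}

# check_not_expiring CERT SECONDS -> 0 if the cert is still valid SECONDS from now
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# preflight CA_BUNDLE CLIENT_CERT CLIENT_KEY -> 0 only if every check passes; prints each result
preflight() {
    ca=$1; cert=$2; key=$3; rc=0
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    check_cert_chain "$ca" "$cert" && echo "OK   client cert chains to CA bundle" \
        || { echo "FAIL client cert does not verify against $ca"; rc=1; }
    check_key_matches "$cert" "$key" && echo "OK   private key matches client cert" \
        || { echo "FAIL private key does not match $cert"; rc=1; }
    check_key_mode "$key" && echo "OK   private key is not world-readable" \
        || { echo "FAIL $key is world-readable; chmod 640 it"; rc=1; }
    check_not_expiring "$cert" $(( 30 * 24 * 3600 )) && echo "OK   client cert valid for 30+ days" \
        || { echo "FAIL client cert expires within 30 days or is already expired"; rc=1; }
    return "$rc"
}

# Run only when invoked with the three paths; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Run it as root after the chown/chmod step and before the sacli commands. Once all four checks pass, the PREFERRED value set above can be replaced with REQUIRED using the same ConfigPut command, so that a later certificate or server problem refuses the connection instead of quietly falling back to plaintext.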
Configure an SSL connection to AWS RDS
Download the Amazon RDS certificate bundle file for your AWS region:
Using SSL/TLS to encrypt a connection to a DB instance or cluster
AWS doesn’t provide client certificate or private key files, but uploading only the certificate bundle file is enough to establish a secure connection to an RDS MySQL database instance.
Important
AWS rotates certificate bundle files. Refer to Amazon’s documentation for details: Rotating your SSL/TLS certificate.
Upload the AWS RDS CA bundle file to Access Server in this directory: /etc/ssl/certs/.
Grant Access Server read rights to the file — using the correct .pem file name for the AWS bundle you uploaded:
chown openvpn_as:openvpn_as /etc/ssl/certs/us-east-1-bundle.pem
chmod 644 /etc/ssl/certs/us-east-1-bundle.pem
Configure these files for establishing a connection to the database server and define SSL mode by running these commands with root privileges in the /usr/local/openvpn_as/scripts/ directory:
./sacli --key "mysql.ssl_ca_cert" --value '/etc/ssl/certs/us-east-1-bundle.pem' ConfigPut
./sacli --key "mysql.ssl_mode" --value "PREFERRED" ConfigPut
Important
Ensure you replace us-east-1-bundle.pem with the name of the AWS RDS CA bundle for your region.
Restart the Access Server service:
service openvpnas restart
Note
Restarting the openvpnas service also forces all VPN connections to reconnect.
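Because AWS rotates the RDS certificate bundle, the copy in /etc/ssl/certs/ will eventually contain CAs that are about to expire, and with ssl_mode set to PREFERRED the only symptom is a connection that silently stops being encrypted. The script below is an added example, not part of the Access Server tutorial or of AWS's tooling; it assumes openssl and awk are available on the Access Server host, and the regional bundle name is the tutorial's us-east-1 example. It splits a PEM bundle into its individual certificates and reports any that expire within a given number of seconds.

```shell
#!/bin/sh
# Expiry check for a CA bundle such as the regional AWS RDS bundle, to be run from cron
# before the rotation deadline. Added example (not OpenVPN's or AWS's code); assumes openssl, awk.
# Usage: sh bundle-expiry-check.sh /etc/ssl/certs/us-east-1-bundle.pem 2592000   # 30 days

# bundle_cert_count FILE -> prints the number of PEM certificates in the bundle
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# split_bundle FILE OUTDIR -> writes each certificate to OUTDIR/cert-N.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# bundle_expiring_within FILE SECONDS -> prints "subject|notAfter" for every certificate
# that is no longer valid SECONDS from now; returns 0 when none are flagged
bundle_expiring_within() {
    bundle=$1; window=$2
    work=$(mktemp -d) || return 2
    split_bundle "$bundle" "$work"
    flagged=0
    for c in "$work"/cert-*.pem; do
        [ -e "$c" ] || continue
        if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
            subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null | sed 's/^subject= *//')
            end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
            echo "$subj|$end"
            flagged=$(( flagged + 1 ))
        fi
    done
    rm -rf "$work"
    [ "$flagged" -eq 0 ]
}

# Run only when invoked with a bundle path and a window; sourcing just defines the functions.
if [ "$#" -eq 2 ]; then
    echo "$(bundle_cert_count "$1") certificate(s) in $1"
    if bundle_expiring_within "$1" "$2"; then
        echo "OK: no certificate in $1 expires within $2 seconds"
    else
        echo "ACTION: download the current RDS bundle, re-upload it, and restart openvpnas" >&2
        exit 1
    fi
fi
```

A non-zero exit from cron is the signal to fetch the current bundle from AWS, repeat the chown/chmod and ConfigPut steps above with the new file name if it changed, and restart the openvpnas service (which, as noted above, reconnects all VPN clients).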