Please pardon my non-understanding here. I have a local mysql server and I need to be able to access that data over an encrypted channel from a java web application running on a web host. Can anyone recommend the best way to do this?

Thank you! Joshua

A: 

AFAIK MySQL does not support encrypted streams (correct me if I am wrong).

One solution I can see would be to have an encrypted tunnel running between the MySQL server and the web host, and route connections to the database through it.

Varkhan
+2  A: 

You'll need to set up an SSH tunnel.

Ben Alpert
+1  A: 

MySQL does support SSL connections.

Check this document for assistance: http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html

Darryl E. Clarke
+1  A: 

SSH Port Forwarding

In this instance, one could port forward db_server:3306 to web_server:3306. Then it would appear as if there were a MySQL database running locally on the web server listening on port 3306. However, localhost:3306 on the web server is really being securely forwarded to localhost:3306 on the database server.

To set this up, you'll want a password-less key pair to allow the SSH tunnel to be started automagically. Do the following:

db_serv$ ssh-keygen -t rsa
db_serv$ scp .ssh/id_rsa.pub webserver:
web_serv$ cd ~; mkdir .ssh
web_serv$ cat id_rsa.pub >> .ssh/authorized_keys2
web_serv$ chmod -R go-rwx .ssh; rm id_rsa.pub
db_serv$ ssh webserver

The last command should let you SSH from the database server without providing a password. The keypair does the authentication.

The command to open an SSH tunnel is:

db_server$ ssh -f -q -N -R3306:db_server:3306 webserver

You can then test out local database access on the webserver. You'll need to have the permissions set correctly in the MySQL database for the user and password you're using.

web_serv$ mysql -h 127.0.0.1 -P 3306 -u user -p db_name

You'll probably want to add the 'ssh' line above to /etc/rc.d/rc.local (on Red Hat) so that the tunnel gets opened on reboots. Remember if the tunnel goes down, your web app can't access the database.

Warrior
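
A hardened variant of the tunnel setup in the answer above, as an added example that is not part of the original answer: it limits the password-less key on the web server to port forwarding only, lists keys that still allow a full login, and restarts the tunnel when it drops. The host names follow the answer; the function names, the explicit 127.0.0.1 bind address and the timeout values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# authorized_keys entry for the web server. "restrict" disables shell, pty,
# agent and X11 forwarding; "port-forwarding" re-enables forwarding only, and
# permitlisten (OpenSSH 7.8 or later) limits -R to the given port.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "${2:-3306}" "$1"
}

# Print the key lines of an authorized_keys file that lack the "restrict"
# option, i.e. keys that still grant a normal login. A simple text check:
# comment and blank lines are skipped.
unrestricted_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Ev '(^|,)restrict(,|[[:space:]])' || true
}

# Print the ssh arguments for the reverse tunnel, one per line.
#   BatchMode            never fall back to a password prompt
#   ExitOnForwardFailure exit if the remote port cannot be bound
#   ServerAlive*         exit after about 90 s without a reply from the server
tunnel_args() {
    printf '%s\n' -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${1:-3306}:db_server:${1:-3306}" webserver
}

# Run on the database server: reopen the tunnel whenever ssh exits.
run_tunnel() {
    while :; do
        # Word splitting is intended; none of the arguments contain spaces.
        ssh $(tunnel_args "$@")
        sleep 10
    done
}

if [ "${1:-}" = run ]; then
    shift
    run_tunnel "$@"
fi
```

On the web server, the line printed by restricted_key_line replaces the plain public key in authorized_keys.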
A: 

Yes, MySQL supports encrypted connections over SSL.

You need a version of MySQL Server that has been built with either OpenSSL, or the bundled yaSSL. If your MySQL Server wasn't built with SSL support, the --ssl and related options will give errors.

You need to start the MySQL Server (mysqld) with the --ssl option and related options to specify the SSL key and certificate. See http://dev.mysql.com/doc/refman/5.1/en/secure-connections.html for more information on enabling MySQL Server to support SSL.

Your Java client also must support SSL. You need to supply a client certificate when you connect. See http://dev.mysql.com/doc/refman/5.1/en/connector-j-reference-using-ssl.html for more information on making secure connections to MySQL from Java.

Bill Karwin
A: 

This is basically the same as every other answer here, but here goes anyway. Use a VPN tunnel such as OpenVPN to encrypt the communication. The best part about it is the transparency. When you're on the VPN, you don't need to think about it any more, just send secure communications. Of course, setting it up is NOT the easy part...