
Special Post-Installation Step: Configuring the MySQL SSL Option in Code Insight

Additional configuration is required when Code Insight is configured to use a MySQL database and any of the following:

  • MySQL 8.0 connector (any version)

  • MySQL 5.7 connector version greater than 5.1.37

  • Amazon Corretto OpenJDK JRE 17.0.16.8.1

If any of these conditions are met, the useSSL property in Code Insight’s core.db.properties file must be explicitly configured to indicate whether or not the MySQL instance is enabled for SSL communications. If this property is not properly set, issues with Code Insight startup or connectivity can occur. (For example, the Tomcat startup can hang while loading the ngbridge.properties file.)

Use the instructions in the following sections to set this property correctly in Code Insight. Perform this configuration immediately after Code Insight is installed to avoid possible issues. Apply the configuration to the Code Insight Core Server and to each Scan Server installation.

Note

This section describes how to configure Code Insight if the MySQL instance is enabled for SSL. It does not describe how to enable SSL in the MySQL instance. For details on enabling SSL in MySQL, see the MySQL documentation.

Verify SSL Enablement in MySQL

First, determine whether SSL connectivity is properly enabled in the MySQL instance (that is, certificates have been created and a truststore set up according to the MySQL documentation).

To determine whether SSL is enabled and properly configured in MySQL, do the following:

  1. Connect to the MySQL instance, and run the status command.

    In the results, locate the SSL property.

    • If this property is set to Not in use, SSL has not been enabled for the MySQL instance (that is, the require_secure_transport = ON value is not specified in the my.cnf file for the MySQL instance). Continue with Next Steps When SSL Is Not Enabled in MySQL to configure the useSSL property in Code Insight.

    • SSL is enabled for the MySQL instance if the SSL property is set to a value similar to this:

      cipher in use DHE-RSA-AES128-GCM-SHA256

      Continue with the next step.

  2. To determine whether the enabled SSL is properly configured in MySQL, run the following command:

    show global variables like '%ssl%';

    The enabled SSL is properly configured in MySQL if the results show the following:

    • The values of the have_openssl and have_ssl properties show YES.

    • The ssl_ca, ssl_cert, and ssl_key properties each have a value showing the path of the corresponding certificate.

      If SSL is properly configured, continue with Next Steps When SSL Is Enabled in MySQL.
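
The two checks in step 2 can be scripted. The following shell function is an added example, not part of the Code Insight documentation: it reads the tab-separated output of `mysql -B -N -e "show global variables like '%ssl%';"` on stdin, and the function name, sample rows and certificate file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Code Insight documentation.
# Input on stdin: tab-separated rows as printed by
#   mysql -B -N -e "show global variables like '%ssl%';"

check_mysql_ssl_vars() {
  # Prints one FAIL line per unmet check; returns 0 only if all pass.
  awk -F'\t' '
    { vars[tolower($1)] = $2 }
    END {
      bad = 0
      # Check 1: both capability flags must report YES.
      n = split("have_openssl have_ssl", flags, " ")
      for (i = 1; i <= n; i++)
        if (toupper(vars[flags[i]]) != "YES") {
          printf "FAIL %s=%s (expected YES)\n", flags[i], vars[flags[i]]
          bad = 1
        }
      # Check 2: each certificate variable must carry a path.
      n = split("ssl_ca ssl_cert ssl_key", paths, " ")
      for (i = 1; i <= n; i++)
        if (vars[paths[i]] == "") {
          printf "FAIL %s has no certificate path\n", paths[i]
          bad = 1
        }
      if (!bad) print "OK have_* flags are YES and all three paths are set"
      exit bad
    }'
}

# Constructed sample rows (not captured from a real server).
sample_ok=$(printf 'have_openssl\tYES\nhave_ssl\tYES\nssl_ca\tca.pem\nssl_cert\tserver-cert.pem\nssl_key\tserver-key.pem')
sample_bad=$(printf 'have_openssl\tDISABLED\nhave_ssl\tDISABLED\nssl_ca\t\nssl_cert\t\nssl_key\t')

printf '%s\n' "$sample_ok"  | check_mysql_ssl_vars || true
printf '%s\n' "$sample_bad" | check_mysql_ssl_vars || true
```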

Next Steps When SSL Is Enabled in MySQL

If SSL is enabled in the MySQL instance, use these instructions to configure Code Insight.

To configure Code Insight when the MySQL instance is enabled for SSL, do the following:

  1. Shut down Tomcat if it is running (see Starting and Stopping Tomcat).

  2. Set up Code Insight for SSL communications with the MySQL instance (if this setup has not already been performed). See Setting Up Code Insight for SSL Communications with MySQL for instructions.

  3. In the Code Insight installation directory, navigate to the tomcat/bin/config/core.db.properties file.

  4. Locate the following line (and uncomment it if necessary):

    db.url=jdbc:mysql://<DB_HOST>:<DB_PORT>/<DB_NAME>?autoReconnect=true

  5. Append &useSSL=true&verifyServerCertificate=true to the line:

    db.url=jdbc:mysql://<DB_HOST>:<DB_PORT>/<DB_NAME>?autoReconnect=true&useSSL=true&verifyServerCertificate=true

  6. Start up Tomcat to establish a connection between Code Insight and the MySQL instance.

Setting Up Code Insight for SSL Communications with MySQL

If MySQL is enabled for SSL and Code Insight is currently not configured for SSL communications with MySQL, use these instructions to configure Code Insight.

To set up Code Insight for SSL communications with the MySQL instance, do the following:

  1. Shut down Tomcat if it is running (see Starting and Stopping Tomcat).

  2. Obtain the ca.pem certificate from the MySQL instance, and move it to the bin directory of the JRE installation used by Code Insight (for example, <codeInsightInstallation>/jre/bin).

  3. From the same bin directory in the JRE installation, import the certificate to the Java truststore using the Java keytool utility. (This utility is located in the bin directory of JRE.) The following is a sample command used to import the certificate:

    keytool -importcert -alias <alias_name> -file <path_to_certificate_file_ca.pem> -keystore <jreInstallation>/lib/security/cacerts -storepass <password>

    In the command, replace the following:

    • <alias_name> with the alias given to the certificate when it was created

    • <password> with the password used to access the truststore

    • <path_to_certificate_file_ca.pem> with the path where the ca.pem certificate file is stored

  4. Start up Tomcat to establish a connection between Code Insight and the MySQL instance.

Next Steps When SSL Is Not Enabled in MySQL

If SSL is not enabled in the MySQL instance, use these instructions to configure Code Insight.

To configure Code Insight when the MySQL instance is not enabled for SSL, do the following:

  1. Shut down Tomcat if it is running (see Starting and Stopping Tomcat).

  2. In the Code Insight installation directory, navigate to the tomcat/bin/config/core.db.properties file.

  3. Locate the following line (and uncomment it if necessary):

    db.url=jdbc:mysql://<DB_HOST>:<DB_PORT>/<DB_NAME>?autoReconnect=true

  4. Append &useSSL=false to the line:

    db.url=jdbc:mysql://<DB_HOST>:<DB_PORT>/<DB_NAME>?autoReconnect=true&useSSL=false

  5. Start up Tomcat to establish a connection between Code Insight and the MySQL instance.
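
The db.url edits described in Next Steps When SSL Is Enabled in MySQL and Next Steps When SSL Is Not Enabled in MySQL can be checked before Tomcat is restarted. The following shell function is an added example, not part of the Code Insight documentation; the function names, the verdict words, and the sample host and database name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Code Insight documentation.

classify_db_url() {
  # $1 = path to a core.db.properties file. Prints one verdict word.
  local url query
  # Only an uncommented db.url line counts; the last one wins on duplicates.
  url=$(grep -E '^[[:space:]]*db\.url[[:space:]]*=' "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//')
  [ -n "$url" ] || { echo "MISSING"; return 0; }
  case "$url" in
    *'?'*) query=${url#*\?} ;;
    *)     query="" ;;
  esac
  # A properties file is not XML: "&amp;" would name the key "amp;useSSL".
  case "$query" in *'&amp;'*) echo "HTML_ENTITY"; return 0 ;; esac
  # Wrap in "&" so each key=value pair is matched as a whole token.
  query="&${query}&"
  case "$query" in
    *'&useSSL=true&'*)
      # The SSL procedure above sets both parameters; flag a lone useSSL=true.
      case "$query" in
        *'&verifyServerCertificate=true&'*) echo "SSL_VERIFIED" ;;
        *) echo "SSL_UNVERIFIED" ;;
      esac ;;
    *'&useSSL=false&'*) echo "PLAINTEXT" ;;
    *) echo "UNSET" ;;   # useSSL not explicit, which the page says must be set
  esac
}

verdict_for_line() {
  # Demo helper: write one constructed line to a temp file and classify it.
  local f v
  f=$(mktemp); printf '%s\n' "$1" > "$f"
  v=$(classify_db_url "$f"); rm -f "$f"
  echo "$v"
}

# Constructed host and database names.
base='db.url=jdbc:mysql://db.example.internal:3306/codeinsight?autoReconnect=true'
for suffix in '' '&useSSL=true&verifyServerCertificate=true' '&useSSL=true' \
              '&useSSL=false' '&amp;useSSL=false'; do
  printf '%-16s %s\n' "$(verdict_for_line "$base$suffix")" "${suffix:-(none)}"
done
```

Run classify_db_url against tomcat/bin/config/core.db.properties on the Core Server and on each Scan Server installation.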