Monitor SSL-enabled MySQL on Amazon RDS

To monitor a MySQL instance that uses SSL connections, enable MySQL in SSL mode, consulting the online documentation appropriate to your deployment.

Download the following files, which are required to complete this procedure:

  • ca.pem
  • server-cert.pem
  • server-key.pem
  • client-cert.pem
  • client-key.pem

Run the following commands at the command line. Substitute URLs and other information from your deployment for the placeholders in the examples.

  1. Test your local SSL connection:
    mysql -h ec2-11-111-111-11.us-west-2.compute.amazonaws.com -u Testssl --ssl-ca=/etc/certs/ca.pem --ssl-cert=/etc/certs/server-cert.pem --ssl-key=/etc/certs/server-key.pem -p
  2. Verify the remote connection:
    mysql -h ec2-11-111-111-11.us-west-2.compute.amazonaws.com -u Testssl --ssl-ca=/home/appdynamics/cert/ca.pem --ssl-cert=/home/appdynamics/cert/client-cert.pem --ssl-key=/home/appdynamics/cert/client-key.pem -p
  3. Import the ca.pem file to the default truststore:
    sudo keytool -importcert -alias MySQLCACert -file ca.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
    Remember the keystore password, as you need it in step 7.
  4. Convert the client key and certificate files to a PKCS #12 archive:
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:changeit -out client-keystore.p12
  5. Import the client key and certificate into a Java keystore:
    sudo keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore $JAVA_HOME/jre/lib/security/cacerts -deststoretype JKS -deststorepass changeit
  6. Verify that the certificate was added:
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
  7. Start the db-agent after ensuring that the following properties are added:
    /<full path to application JRE>/bin/java -jar -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit db-agent.jar
  8. In the Controller, create a new collector for MySQL:
    • In the Create New Collector panel, add a connection property named useSSL with the value true.
    • Alternatively, you can also use the following custom connection string:
      jdbc:mysql://<RDS-Hostname>:<RDS-Port>/database?useSSL=true
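
A pre-flight check that can be run before steps 4 and 5, as an added example that is not part of the original procedure or of the Database Agent: it confirms that client-cert.pem chains to ca.pem and that client-key.pem is the matching private key, so a mismatched pair is caught before it is imported into the keystore. The function names are hypothetical and the sample certificates are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: pre-flight check for the PEM files used in steps 2, 4 and 5.
# Function names are hypothetical; the sample certificates are constructed.

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate chains to the CA and is currently valid.
cert_chains_to_ca() {  # usage: cert_chains_to_ca <ca.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

preflight() {  # usage: preflight <dir holding ca.pem, client-cert.pem, client-key.pem>
    dir=$1
    for f in ca.pem client-cert.pem client-key.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    cert_chains_to_ca "$dir/ca.pem" "$dir/client-cert.pem" ||
        { echo "client-cert.pem does not verify against ca.pem" >&2; return 1; }
    key_matches_cert "$dir/client-cert.pem" "$dir/client-key.pem" ||
        { echo "client-key.pem does not match client-cert.pem" >&2; return 1; }
    echo "ok: $dir"
}

# Builds a throwaway CA and client certificate so the example runs offline.
make_sample() {  # usage: make_sample <dir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-client" \
        -keyout "$d/client-key.pem" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1 -out "$d/client-cert.pem" 2>/dev/null
}

# Demo on constructed material; for real files: preflight /home/appdynamics/cert
tmp=$(mktemp -d) && make_sample "$tmp" && preflight "$tmp"
rm -rf "$tmp"
```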