This topic describes how developers can use TLS to secure the communication from their apps and local workstations to the VMware Tanzu for MySQL on Cloud Foundry service.
If your operator has configured TLS in the tile, new service instances have TLS activated by default. You can establish a TLS connection from your local workstation to a Tanzu for MySQL service instance.
For more information about how to establish a TLS connection, see Establish a TLS Connection to a Service Instance.
Mutual TLS (mTLS) is not supported in Tanzu for MySQL. Because of this, the MySQL server does not validate certificates presented by apps. If an app presents a client certificate to the MySQL server, the connection closes and a network error appears in the app logs. To resolve this issue, you must deactivate mTLS in your apps.
Establish a TLS connection to a service instance
You can use mysql to establish a TLS connection to a Tanzu for MySQL service instance that has TLS activated.

To establish a TLS connection to a service instance:

1. Create a new service key for the service instance with TLS activated. For example:

       $ cf create-service-key my-service-instance my-tls-service-key
       Creating service key my-tls-service-key for service instance my-service-instance as admin...
       OK

       $ cf service-key my-service-instance my-tls-service-key
       {
         "credentials": {
           "hostname": "27ce4cec-7d89-4e63-9a76-b8d9e4d57b61.mysql.service.internal",
           "jdbcUrl": "jdbc:mysql://27ce4cec-7d89-4e63-9a76-b8d9e4d57b61.mysql.service.internal:3306/service_instance_db?permitMysqlScheme&user=f3867aa9bab54fa89661fb53d3d79c66&password=lfeykm0nbrphh7h7&sslMode=VERIFY_IDENTITY&useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1.2&serverSslCert=/etc/ssl/certs/ca-certificates.crt",
           "name": "service_instance_db",
           "password": "lfeykm0nbrphh7h7",
           "port": 3306,
           "tls": {
             "cert": {
               "ca": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n"
             }
           },
           "uri": "mysql://f3867aa9bab54fa89661fb53d3d79c66:lfeykm0nbrphh7h7@27ce4cec-7d89-4e63-9a76-b8d9e4d57b61.mysql.service.internal:3306/service_instance_db?reconnect=true",
           "username": "f3867aa9bab54fa89661fb53d3d79c66"
         }
       }

   This procedure assumes that you are using cf CLI v8 or greater. Earlier cf CLI versions do not include the top-level credentials JSON key in their cf service-key response.

   If the service key does not have a CA certificate under tls.cert.ca, the service key might be stale. Create a new service key.

2. Copy the contents of the CA certificate under tls.cert.ca and paste it into a file. For example:

       $ pbpaste > root.pem

3. Record the values for username, password, and hostname.

4. Use mysql to establish a TLS connection to the MySQL instance. Run the following command:

       mysql --host=HOSTNAME \
         --user=USERNAME \
         --password=PASSWORD \
         --ssl-ca=root.pem \
         --ssl-verify-server-cert

   Where:

   - HOSTNAME is the value for hostname previously retrieved.
   - USERNAME is the value for username previously retrieved.
   - PASSWORD is the value for password previously retrieved.

   For example:

       $ mysql --host=27ce4cec-7d89-4e63-9a76-b8d9e4d57b61.mysql.service.internal \
         --user=f3867aa9bab54fa89661fb53d3d79c66 \
         --password=lfeykm0nbrphh7h7 \
         --ssl-ca=root.pem \
         --ssl-verify-server-cert
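The following Python is an added example, not part of the Tanzu for MySQL documentation or product: it performs steps 1 through 4 against a constructed service-key response, checking for a stale key (no tls.cert.ca), writing the CA to a file and building the server-verified mysql invocation, and confirms that the key's jdbcUrl pins sslMode=VERIFY_IDENTITY. The hostname, credentials, CA body and all function names are placeholders and assumptions of this example.

```python
"""Added example (not part of the Tanzu for MySQL docs): turn a `cf service-key`
response into a server-verified mysql invocation. All values are constructed."""
import json
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the cf CLI v8 `cf service-key` output above.
SERVICE_KEY_JSON = """{
  "credentials": {
    "hostname": "example-instance.mysql.service.internal",
    "port": 3306,
    "name": "service_instance_db",
    "username": "example_user",
    "password": "example_password",
    "jdbcUrl": "jdbc:mysql://example-instance.mysql.service.internal:3306/service_instance_db?permitMysqlScheme&user=example_user&password=example_password&sslMode=VERIFY_IDENTITY&useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1.2",
    "tls": {"cert": {"ca": "-----BEGIN CERTIFICATE-----\\nMIIBplaceholder\\n-----END CERTIFICATE-----\\n"}}
  }
}"""

def credentials_of(service_key):
    """Handle the cf CLI v8 shape (top-level 'credentials') and the older flat shape."""
    return service_key.get("credentials", service_key)

def ca_pem(service_key_json):
    """Return the CA under tls.cert.ca, or None when the key is stale (no CA present)."""
    creds = credentials_of(json.loads(service_key_json))
    ca = creds.get("tls", {}).get("cert", {}).get("ca")
    return ca if ca and "-----BEGIN CERTIFICATE-----" in ca else None

def jdbc_verifies_identity(jdbc_url):
    """True when the JDBC URL pins sslMode=VERIFY_IDENTITY (CA chain and hostname checked)."""
    query = urlsplit(jdbc_url.split("jdbc:", 1)[-1]).query
    return parse_qs(query).get("sslMode") == ["VERIFY_IDENTITY"]

def mysql_tls_argv(service_key_json):
    """Write the CA to a temp file (the root.pem step) and return (argv, ca_path)."""
    ca = ca_pem(service_key_json)
    if ca is None:
        raise ValueError("no CA under tls.cert.ca: the service key is stale, create a new one")
    creds = credentials_of(json.loads(service_key_json))
    fd, ca_path = tempfile.mkstemp(suffix=".pem")
    with open(fd, "w") as f:
        f.write(ca)
    return [
        "mysql", f"--host={creds['hostname']}", f"--port={creds['port']}",
        f"--user={creds['username']}", f"--password={creds['password']}",
        f"--ssl-ca={ca_path}", "--ssl-verify-server-cert",  # reject unverifiable server certs
        creds["name"],
    ], ca_path
```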