
MySQL 8 Secure Login

Notes on Installation:

  1. The DISA MySQL STIG has syntax errors in the cipher strings it requires; copied verbatim, they stopped the server from starting with SSL support.

  2. The STIG lists tls_ciphersuites comma separated, whereas MySQL (like OpenSSL) expects a colon-separated list in the configuration.

  3. The database user has to be created without a password, with only a REQUIRE clause for TLS. Because the account has no password, the clause must demand a client certificate (REQUIRE X509, or REQUIRE SUBJECT/ISSUER to pin it); REQUIRE SSL alone only forces encryption and would let anyone with a TLS connection log in. Password validation has to be disabled temporarily, since validate_password rejects creating a user without a password.

MySQL Server



  1. Add the openssl-perl package to support the CRL download script:

    yum --setopt=install_weak_deps=False install openssl-perl



  2. Run the steps on the dod_crl.sh script page.

  3. File System Commands

    mkdir -p /var/lib/mysql/tls
    chown -R mysql:mysql /var/lib/mysql/tls/
    chmod -R 750 /var/lib/mysql/tls/
    chcon -u system_u -R /var/lib/mysql/tls/



  4. Add the server cert, key and CA bundle to /var/lib/mysql/tls/

    1. https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html

    2. https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-rsa-files-using-mysql.html

    3. Note that when installing for GSMO, the certificates auto-created by the MySQL install had to be manually overwritten with the new certs before the server would use them.

  5. Certs should be owned by mysql:mysql with 640 perms

  6. Key should be owned by mysql:mysql with 600 perms

  7. Add the following to the [mysqld] section of /etc/my.cnf. Note the separators: tls_version is comma-separated, while ssl_cipher and tls_ciphersuites are colon-separated (the STIG text uses commas for tls_ciphersuites, which is wrong).

    ssl_fips_mode = ON
    ssl_ca = /var/lib/mysql/tls/jitc-ca-bundle.pem
    ssl_cert = /var/lib/mysql/tls/path-to-server.pem
    ssl_key = /var/lib/mysql/tls/path-to-server.key
    ssl_crlpath = /etc/pki/tls/crl/
    require_secure_transport = ON
    tls_version = TLSv1.2,TLSv1.3
    ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
    tls_ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256

    Caveats on this list: the DH-DSS-*, DH-RSA-*, ECDH-RSA-* and ECDH-ECDSA-* entries in ssl_cipher are static-DH and static-ECDH suites that OpenSSL removed in 1.1.0, so on a current build they match nothing (OpenSSL accepts the list as long as at least one name is recognized). The AES256-GCM-SHA384, AES256-SHA256, AES128-GCM-SHA256 and AES128-SHA256 entries have no ECDHE/DHE prefix, use RSA key exchange and therefore offer no forward secrecy. ssl_fips_mode = ON requires a MySQL build linked against a FIPS-capable OpenSSL.



  8. Restart the MySQL server and log in as root.



  9. Note that the following values must be substituted with valid data:

    SERVER_NAME

    From the MySQL command line as root:
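
The server-side procedure above, as an added worked example (this is not code from the original page or from PCR-360): a shell helper that converts the STIG's comma-separated TLS 1.3 list to the colon form MySQL wants (note 2), drops ssl_cipher names the local OpenSSL does not know (note 1), generates the passwordless, certificate-only CREATE USER with validate_password removed around it (note 3), and after the restart prints the TLS settings the server actually loaded. The file paths are the ones used in /etc/my.cnf above; the account name, its certificate subject DN and the database name are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example for the server-side steps on this page; not part of the
# original page. Paths follow the /etc/my.cnf fragment above. The account name,
# certificate subject and database name are placeholders passed in by the caller.
set -eu

# Note 2: the STIG prints the TLS 1.3 suites comma separated, but MySQL's
# tls_ciphersuites (like OpenSSL) takes a colon-separated list. Strips blanks
# around the names and rejects anything that is not a TLS 1.3 suite name
# (TLS 1.2 names such as ECDHE-RSA-AES256-GCM-SHA384 belong in ssl_cipher).
stig_to_tls_ciphersuites() {
  out=""
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    case "$s" in
      TLS_*) out="${out:+$out:}$s" ;;
      *) echo "not a TLS 1.3 suite name: $s" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# Note 1: the ssl_cipher list copied from the STIG names static-DH/ECDH suites
# that OpenSSL removed in 1.1.0. Keep only names the local OpenSSL recognizes
# so the my.cnf list contains nothing the server cannot actually offer.
prune_to_local_openssl() {
  keep=""
  for c in $(printf '%s' "$1" | tr ':' ' '); do
    if openssl ciphers "$c" >/dev/null 2>&1; then
      keep="${keep:+$keep:}$c"
    else
      echo "dropping $c (unknown to local OpenSSL)" >&2
    fi
  done
  printf '%s\n' "$keep"
}

# Note 3: the application account gets no password; its credential is the
# client certificate. REQUIRE SUBJECT makes the server demand a certificate
# chaining to ssl_ca whose subject DN matches exactly (REQUIRE SSL alone would
# only force encryption and let anyone log in). validate_password rejects a
# passwordless CREATE USER, so the component is removed for the statement and
# reinstalled immediately afterwards. Narrow the GRANT to what the app needs.
create_tls_only_user_sql() {
  user="$1"; subject="$2"; db="$3"
  cat <<EOF
UNINSTALL COMPONENT 'file://component_validate_password';
CREATE USER '${user}'@'%' REQUIRE SUBJECT '${subject}';
GRANT ALL ON ${db}.* TO '${user}'@'%';
INSTALL COMPONENT 'file://component_validate_password';
SHOW CREATE USER '${user}'@'%';
EOF
}

# Steps 7-9: check that my.cnf parses, restart, create the account as root over
# the local socket, and print the TLS settings the running server loaded.
apply_on_server() {
  mysqld --validate-config      # parses my.cnf without starting a server
  systemctl restart mysqld
  {
    create_tls_only_user_sql "$@"
    echo "SHOW GLOBAL VARIABLES WHERE Variable_name IN ('ssl_fips_mode','require_secure_transport','tls_version','ssl_cipher','tls_ciphersuites','ssl_crlpath');"
  } | mysql -u root -p
}

# Usage: sh mysql_tls_server.sh apply <user> '<subject DN>' <database>
case "${1:-}" in
  apply) shift; apply_on_server "$@" ;;
esac
```

Run the two list helpers first and paste their output into my.cnf; `apply` then performs the restart and the account creation in one root session so the password prompt appears once. The `SHOW CREATE USER` at the end of the SQL is the check that the account really has no authentication string and carries the REQUIRE clause.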



MySQL Client

  1. Add the openssl-perl package to support the CRL download script (same yum command as in the server steps).



  2. Run the steps on the dod_crl.sh script page.

  3. Example client connection from the mysql client:
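
An added example for the client connection (not code from the original page): it connects with the strictest --ssl-mode and then checks what the session actually negotiated, because a client that merely prefers TLS will not notice a downgraded or unverified connection. The host name and the client certificate directory are placeholders; the CA bundle name and CRL path match the server side above.

```shell
#!/bin/sh
# Added example for the client steps on this page; not part of the original
# page. Host and client file locations are placeholders; the CA bundle and CRL
# directory follow the server-side paths used earlier on the page.
set -eu

MYSQL_HOST="${MYSQL_HOST:-db.example.mil}"                       # placeholder host name
CLIENT_TLS_DIR="${CLIENT_TLS_DIR:-/etc/pki/tls/mysql-client}"    # placeholder cert/key location

# Connects as the certificate-only account. VERIFY_IDENTITY makes the client
# check that the server certificate chains to --ssl-ca AND that its CN/SAN
# matches --host; the default mode (PREFERRED) would accept any certificate.
# No --password: the account created on the server side has none.
mysql_tls() {
  user="$1"; shift
  mysql --host="$MYSQL_HOST" --user="$user" \
    --ssl-mode=VERIFY_IDENTITY \
    --ssl-ca="$CLIENT_TLS_DIR/jitc-ca-bundle.pem" \
    --ssl-cert="$CLIENT_TLS_DIR/client.pem" \
    --ssl-key="$CLIENT_TLS_DIR/client.key" \
    --ssl-crlpath=/etc/pki/tls/crl/ \
    --tls-version=TLSv1.2,TLSv1.3 \
    "$@"
}

# Reads the tab-separated output of
#   mysql -N -B -e "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version','Ssl_cipher')"
# from stdin and fails unless the session negotiated TLS 1.2 or 1.3 with a
# cipher. A plaintext session reports both values empty; that is the case
# this check exists to catch.
check_tls_session() {
  awk -F'\t' '
    $1 == "Ssl_version" { ver = $2 }
    $1 == "Ssl_cipher"  { cip = $2 }
    END {
      if (ver == "" || cip == "") { print "NOT TLS: connection is in the clear" > "/dev/stderr"; exit 1 }
      if (ver != "TLSv1.2" && ver != "TLSv1.3") { print "REJECT: " ver " negotiated" > "/dev/stderr"; exit 1 }
      print "OK: " ver " " cip
    }'
}

# Live check: what did this client actually negotiate with the server?
verify_live() {
  mysql_tls "$1" -N -B \
    -e "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version','Ssl_cipher')" \
    | check_tls_session
}

# Second opinion without the mysql client: OpenSSL speaks the MySQL STARTTLS
# exchange and reports the server chain, protocol and cipher it was offered.
probe_with_openssl() {
  openssl s_client -connect "$MYSQL_HOST:3306" -starttls mysql \
    -CAfile "$CLIENT_TLS_DIR/jitc-ca-bundle.pem" \
    -cert "$CLIENT_TLS_DIR/client.pem" -key "$CLIENT_TLS_DIR/client.key" \
    -verify_return_error </dev/null
}

# Usage: sh mysql_tls_client.sh verify <user>   |   sh mysql_tls_client.sh probe
case "${1:-}" in
  verify) verify_live "${2:?user}" ;;
  probe)  probe_with_openssl ;;
esac
```

`verify` exits non-zero when the server let the session through in the clear or on an old protocol, so it can be used as a post-install gate; the `openssl s_client` probe is independent of the mysql client's own defaults and shows the full certificate chain the server presents.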



PHP/PDO Connection

PCR-360 Config

  1. The driver_options parameters to use are derived from the PHP PDO options they map to (PDO::MYSQL_ATTR_SSL_KEY, PDO::MYSQL_ATTR_SSL_CERT, PDO::MYSQL_ATTR_SSL_CA and PDO::MYSQL_ATTR_SSL_CIPHER). Also set PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT to true so the server certificate is actually verified rather than only used for encryption.



  2. Apply the PCR-360 configuration with an empty password, and set the correct options for the SSL key, cert and CA plus the cipher to use.



  3. With all of that in place, the PCR-360 commands that create the SQL scripts to build the database should work.

    1. For the GSMO install, fapolicyd (the file access policy daemon) was preventing the application from reading the certificates, which surfaced as a MySQL connection error. The fapolicyd rules had to be updated to allow this.



Loading the Database Tables: