---
title: JDBC over SSL
description: The following topic only applies if you have set up a JDBC repository, as described in Select a repository
component: pingidm
version: 8.1
page_id: pingidm:install-guide:jdbc-repos-ssl
canonical_url: https://docs.pingidentity.com/pingidm/8.1/install-guide/jdbc-repos-ssl.html
keywords: ["Installation", "JDBC", "SSL"]
---

# JDBC over SSL

> **Note:** The following topic only applies if you have set up a JDBC repository, as described in [Select a repository](chap-repository.html).

This procedure assumes that you have already set up your JDBC repository, as described in the previous sections. The exact steps to connect to a JDBC repository over SSL depend on your repository. This procedure describes the steps for a MySQL 8 repository. If you are using a different JDBC repository, use the corresponding documentation for that repository, and adjust the steps accordingly.

1. Change the `jdbcUrl` property in your repository connection configuration file (`conf/datasource.jdbc-default.json`).

   The exact value of the `jdbcUrl` property will depend on your JDBC database, and on the version of your JDBC driver:

   > **Configuration for MySQL with JDBC Driver Version 8.0.12 or Earlier**
   >
   > ```none
   > "jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=true&verifyServerCertificate=true&requireSSL=true"
   > ```

   > **Configuration for MySQL with JDBC Driver Version 8.0.13 or Later**
   >
   > ```none
   > "jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&sslMode=VERIFY_CA&requireSSL=true"
   > ```

   > **Note:** For Azure MySQL, JDBC Driver Version 8.0.17+ is **required**.

2. Create and verify the SSL certificate and key files required to support encrypted connections to the JDBC repository.

   For MySQL 8, use one of the procedures in the [MySQL docs](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-rsa-files.html).

3. Configure the JDBC repository to use encrypted connections.

   For MySQL 8, follow the [MySQL docs](https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html).

4. Check that the database server has SSL enabled (`have_ssl` reports `YES`) by running a command similar to the following:

   ```
   mysql -u root -P 3306 -p
   mysql> show variables like "%have_ssl%";
   +---------------+-------+
   | Variable_name | Value |
   +---------------+-------+
   | have_ssl      | YES   |
   +---------------+-------+
   1 row in set (0.00 sec)
   ```

5. Convert your MySQL client key and certificate files to a PKCS #12 archive. For example:

   ```
   openssl pkcs12 -export \
   -in client-cert.pem \
   -inkey client-key.pem \
   -name "mysqlclient" \
   -passout pass:changeit \
   -out client-keystore.p12
   ```

6. Import the `client-keystore.p12` into the IDM keystore:

   ```
   keytool \
   -importkeystore \
   -srckeystore client-keystore.p12 \
   -srcstoretype pkcs12 \
   -srcstorepass changeit \
   -destkeystore /path/to/openidm/security/keystore.jceks \
   -deststoretype jceks \
   -deststorepass changeit
   ```

   > **Note:** For AWS RDS MySQL **and** Azure MySQL, no client certificates are provided. In this case, you must create an empty keystore for client certificates, and add the following to the `jdbcUrl` property in your repository connection configuration file (`conf/datasource.jdbc-default.json`):
   >
   > ```none
   > &clientCertificateKeyStoreUrl=file:/opt/idm/security/empty.jks&clientCertificateKeyStorePassword=changeit
   > ```

7. Import your MySQL CA certificate into the IDM truststore.

   ```
   keytool \
   -importcert \
   -trustcacerts \
   -file ca-cert.pem \
   -alias "DB cert" \
   -keystore /path/to/openidm/security/truststore
   ```

   You are prompted for a keystore password. Use the same password as the one set in your `resolver/boot.properties` file. The default truststore password is:

   ```
   openidm.truststore.password=changeit
   ```

   After entering a keystore password, you are prompted with the following question. Assuming you have included an appropriate `ca-cert.pem` file, enter `yes`.

   ```
   Trust this certificate? [no]:
   ```

8. Open your project's `conf/system.properties` file and add the following line, substituting the path to your own truststore if appropriate:

   ```
   # Set the truststore
   javax.net.ssl.trustStore=&{idm.install.dir}/security/truststore
   ```

   Even if you are setting up this instance of IDM as part of a [cluster](chap-cluster.html), you must configure this initial truststore. After this instance joins a cluster, the SSL keys in this particular truststore are replaced.
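The `jdbcUrl` forms in step 1 are easy to get subtly wrong (for example `sslMode=PREFERRED`, or `useSSL=true` without `verifyServerCertificate=true`, both of which leave the server certificate unverified). The following check, added here as an example and not part of PingIDM, parses the `jdbcUrl` from a constructed sample of `conf/datasource.jdbc-default.json` and reports settings that do not enforce verified TLS for either driver generation:

```python
"""Added check (not part of PingIDM): confirm that the jdbcUrl in
conf/datasource.jdbc-default.json enforces TLS with server-certificate
verification, for both the legacy (<= 8.0.12) and sslMode (>= 8.0.13) forms."""
import json
from urllib.parse import parse_qs

# Constructed sample of the datasource file, reduced to the key this check reads.
SAMPLE_CONFIG = json.dumps({
    "jdbcUrl": "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm"
               "?allowMultiQueries=true&characterEncoding=utf8&sslMode=VERIFY_CA&requireSSL=true"
})

def jdbc_params(jdbc_url):
    """Return the connection properties after '?' as a dict (last value wins)."""
    _, _, query = jdbc_url.partition("?")
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

def tls_findings(jdbc_url):
    """Return a list of weaknesses in the URL's TLS settings; empty means OK."""
    p = jdbc_params(jdbc_url)
    findings = []
    if "sslMode" in p:
        # Connector/J 8.0.13+: sslMode replaces useSSL/requireSSL/verifyServerCertificate.
        # Only VERIFY_CA and VERIFY_IDENTITY check the server certificate against the truststore.
        if p["sslMode"].upper() not in ("VERIFY_CA", "VERIFY_IDENTITY"):
            findings.append(f"sslMode={p['sslMode']}: server certificate is not verified")
    else:
        # Legacy properties (driver 8.0.12 or earlier): all three must be true.
        if p.get("useSSL", "").lower() != "true":
            findings.append("useSSL=true missing: TLS is not enabled")
        if p.get("requireSSL", "").lower() != "true":
            findings.append("requireSSL=true missing: driver may fall back to plaintext")
        if p.get("verifyServerCertificate", "").lower() != "true":
            findings.append("verifyServerCertificate=true missing: server certificate is not verified")
    return findings

def check_datasource(config_text):
    """Parse the datasource JSON text and return the findings for its jdbcUrl."""
    return tls_findings(json.loads(config_text)["jdbcUrl"])

if __name__ == "__main__":
    for line in check_datasource(SAMPLE_CONFIG) or ["jdbcUrl TLS settings look correct"]:
        print(line)
```

Run it against your real datasource file by replacing `SAMPLE_CONFIG` with the file's contents; an empty result means the URL matches one of the verified-TLS forms shown in step 1.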
