Connecting with MySQL or MariaDB Client
This page describes specific database client requirements when connecting to databases using the MySQL database protocol.
Supported Protocol Versions
PrivX supports MySQL database protocol version 10. This protocol version is the latest and is used by MySQL client/server versions 5.7.x and 8.0.x.
MySQL-compatible database clients have to meet two criteria:
- They have to accept SSL connections (depending on the client, the option might be called preferred/required/if available). If set in certificate verification mode, use the DB-proxy CA certificate provided by PrivX on the connection instructions page of the PrivX database connection graphical interface.
- They have to have the mysql_clear_password authentication plugin enabled (it is often disabled by default). Graphical clients that do not offer an option to enable the plugin might enable it automatically on SSL connections. This is necessary when PrivX manages the target database user credentials and needs to authenticate the database connection with the PrivX user's password.
Depending on the client, the shell command looks different; some examples are below (assuming the tunnel is running on local port 3306 and the user is dbuser):
# MySQL 8 client using environment variable
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -u dbuser -h 127.0.0.1 -P 3306 -p
# MySQL 8 client using command argument
mysql --enable-cleartext-plugin -u dbuser -h 127.0.0.1 -P 3306 -p
# MySQL 8 client with explicit certificate validation
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -u dbuser -h 127.0.0.1 -P 3306 --ssl-mode=VERIFY_IDENTITY --ssl-ca=db-proxy.pem -p
# MariaDB 5.5 client (aliased as mysql)
mysql --ssl --default-auth mysql_clear_password -u dbuser -h 127.0.0.1 -P 3306 -p
Supported Configurations
MySQL databases can be configured as host DB service to PrivX in three different ways:
Protocol: MySQL and Account Type: Explicit
With this configuration:
- PrivX authenticates the database client connection with PrivX user password
- PrivX injects the target database user credentials to the protocol stream
- PrivX session records the decrypted MySQL protocol stream after authentication phase has completed
- mysql client is required to use TLS and the mysql_clear_password authentication plugin
Protocol: MySQL and Account Type: User-defined
With this configuration:
- PrivX forwards end user provided target database user credentials to database server
- PrivX session records the decrypted MySQL protocol stream after authentication phase has completed
- mysql client is required to use TLS
Protocol: Passthrough and Account Type: User-defined
With this configuration:
- PrivX forwards unmodified raw protocol stream
- End user provided target database user credentials are sent in the protocol stream
- PrivX session records the raw protocol stream. If the database client and server use TLS, the session recording will contain the encrypted protocol stream. If the database client and server use unencrypted connections, any client-provided database user credentials may end up in the session recordings, unless a proper value for Skip Audit (Bytes) is configured for the host DB service.
Enabling TLS Server Certificate Validation
To connect the mysql client to a target database through PrivX using --ssl-mode=VERIFY_IDENTITY:
- Copy the "PrivX Database Proxy CA" certificate from the PrivX UI under Monitoring -> Certificates and store the CA certificate in a file (for example privx-db-proxy-ca.pem)
- Configure mysql client to verify server TLS certificate and to trust the CA:
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -u dbuser -h 127.0.0.1 -P 3306 \
--ssl-mode=VERIFY_IDENTITY --ssl-ca=privx-db-proxy-ca.pem
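The client commands listed in the examples above and in this certificate-validation procedure differ only in which flags enable the cleartext plugin and server verification. The following wrapper is an added example, not part of the PrivX documentation or product: it picks the flag form for the installed client flavour (MySQL 8 versus MariaDB, as in the examples above) and refuses to start a verified connection when the named CA file is unreadable, so a mistyped path cannot silently fall back to an unverified link. The function names privx_mysql_args and privx_mysql_connect, the version-string matching, and the use of --ssl-mode=REQUIRED and --ssl-verify-server-cert for the non-verified and MariaDB cases are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the PrivX documentation). Wraps the mysql/mariadb
# command lines shown on this page: chooses the cleartext-plugin flag by client
# flavour and fails closed when certificate verification is requested but the
# DB-proxy CA file is missing. All names below are assumptions of this example.

# Print the client arguments for a PrivX tunnel on 127.0.0.1:<port>.
#   $1  output of `mysql --version`
#   $2  database user
#   $3  path to the PrivX DB-proxy CA file ("" = encrypt only, do not verify)
#   $4  local tunnel port (default 3306)
# Returns 1 and prints nothing when a CA file is named but not readable.
privx_mysql_args() {
    version="$1"; user="$2"; ca="$3"; port="${4:-3306}"
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "privx_mysql_args: CA file not readable: $ca" >&2
        return 1
    fi
    case "$version" in
        *MariaDB*)
            # MariaDB client: plugin selected via --default-auth (as in the 5.5 example)
            auth="--default-auth=mysql_clear_password"
            if [ -n "$ca" ]; then
                tls="--ssl --ssl-ca=$ca --ssl-verify-server-cert"
            else
                tls="--ssl"
            fi ;;
        *)
            # MySQL 8 client: dedicated flag; --ssl-mode sets the strictness
            auth="--enable-cleartext-plugin"
            if [ -n "$ca" ]; then
                tls="--ssl-mode=VERIFY_IDENTITY --ssl-ca=$ca"
            else
                tls="--ssl-mode=REQUIRED"
            fi ;;
    esac
    # -p makes the client prompt for the PrivX user's password
    printf '%s %s -u %s -h 127.0.0.1 -P %s -p\n' "$auth" "$tls" "$user" "$port"
}

# Interactive connect: detects the installed client and applies the arguments.
#   usage: privx_mysql_connect dbuser privx-db-proxy-ca.pem [port]
privx_mysql_connect() {
    args=$(privx_mysql_args "$(mysql --version 2>/dev/null)" "$@") || return 1
    # shellcheck disable=SC2086  # word splitting of the argument string is intended
    mysql $args
}
```

Run `privx_mysql_connect dbuser privx-db-proxy-ca.pem` after sourcing the script; passing an empty string instead of the CA path keeps TLS mandatory but skips server verification, which matches the "Account Type: User-defined" requirement of TLS without identity checks.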