SSL usage with multiple keys in keystore
Posted by: EEE Dev
Date: March 01, 2010 10:18AM

My question deals with enabling SSL security with MySQL JDBC connector. Following the documentation in section 5.5.6 and 20.3.4.5 of the MySQL Manual (and other related documentation), I am able to enable basic SSL capability. However, I would like to enable more robust option of requiring server validation and, more importantly, have the server (mysqld) verify the client. By configuring the MySQL server to validate the client, it means that the client (JDBC connector) needs to have configured the client key/cert to use for authentication purposes. The J/Connector documentation indicates you must set the clientCertificateKeyStoreUrl and trustCertificateKeyStoreUrl appropriately, which makes sense. Also, note that JSSE will only "handle" a single key and trust store per JVM. This is generally OK as the Java keystores can handle storage of multiple keys - identified by an "alias". It makes sense that JSSE does this - as in many instances you may want to have the "system" (admin) set up key/trust stores and not allow any old user to configure.

My question is this - given that I may already have a keystore I am using for other purposes (e.g., Secure LDAP access) and I am running under a single JVM of an Application Server, can I add the necessary MySQL client key/cert to that existing keystore? Since I see no way of configuring, in J/Connector, the unique "alias" to use for my related (client) key, I fear that the current implementation assumes only a single key in the configured keystore. The documentation in 20.3.4.5 and elsewhere does use the alias "mysqlClientCertificate" in the examples of using Java keytool, but nowhere does anything say that use of this specific alias is required.

In a similar vein, this would also be useful if running several apps under a single AS and you want to configure connectors for those apps to different DBs each with different credentials for security purposes...

Any info on the use/capability of the connector to deal with multiple keys in a single keystore would be appreciated.
