Prerequisites

Before you start installing API Portal, you must have the following:

  • RHEL 7 or CentOS 7 installation.
  • MySQL 5.6 or later, or MariaDB 5.5.50 or later. For more details, see the MySQL documentation or the MariaDB documentation.
  • A MySQL client or a MariaDB client configured, if the database is on a remote host.
  • Basic understanding of MySQL or MariaDB database configuration.

For details on how to install a database using yum, see the following:

API Portal also requires PHP 5.4 and Apache 2.4. Installing API Portal also installs both of these, if they are missing.

The minimum hardware requirements are:

  • 2 GHz dual-core Intel Core or AMD Opteron, or faster
  • 8 GB RAM
  • 40 GB free disk space

Secure the connection between API Portal and database

You must secure the connection between your API Portal installation and a remote MySQL or MariaDB database. To prepare the database for this, perform the following steps:

After you have configured the database for the secure connection, you are prompted during the API Portal installation to use the secure connection.

Generate certificates and enable SSL in the database

To generate the SSL-RSA certificates and enable SSL in the MySQL or MariaDB server, connect to your database server and perform the following steps:

  1. Generate RSA certificates
  2. Enable secure connection in the database
  3. Configure TLS authentication modes

Generate RSA certificates

You must first create the database server and client certificate and key files. During the process, you must respond to several prompts from the OpenSSL commands:

  • To generate test files, press Enter at all prompts.
  • To generate files for production use, provide actual (non-empty) responses.

Note: Enter different domain names (Common Names) for the CA certificate and for the server and client certificates.

  1. To create the RSA certificates, enter the following commands in the given order, and respond to any prompts you receive:

    > openssl genrsa 2048 > ca-key.pem

    > openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

    > openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

    > openssl rsa -in server-key.pem -out server-key.pem

    > openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

    > openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

    > openssl rsa -in client-key.pem -out client-key.pem

    > openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

  2. To verify that the generated certificates were issued by the CA, enter the following command:

    > openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
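The `openssl verify` step above only confirms that each certificate chains to `ca.pem`. The following script, added here as an example and not part of the original API Portal documentation, generates a throw-away CA, server and client certificate non-interactively (the `-subj` values such as `mysql-ca` and `db.example.internal` are constructed placeholders) and then also checks that each private key matches its certificate and that the Common Names differ from the CA's, which is the condition the Note above is about.

```bash
#!/bin/sh
# Added example (not from the API Portal docs): generate test certificates and
# run three checks before pointing mysqld at them:
#   1. each leaf certificate chains to ca.pem (what "openssl verify" does),
#   2. each private key matches its certificate,
#   3. the CA Common Name differs from the server/client Common Names.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed subjects: "mysql-ca" vs "db.example.internal" keeps the CNs distinct.
openssl genrsa 2048 > ca-key.pem 2>/dev/null
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem \
  -subj "/CN=mysql-ca" 2>/dev/null
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem \
  -out server-req.pem -subj "/CN=db.example.internal" 2>/dev/null
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
  -set_serial 01 -out server-cert.pem 2>/dev/null
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem \
  -out client-req.pem -subj "/CN=apiportal-client" 2>/dev/null
# A different serial than the server certificate: RFC 5280 requires serial
# numbers to be unique among certificates issued by the same CA.
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
  -set_serial 02 -out client-cert.pem 2>/dev/null

# check_chain CERT: succeeds if CERT was issued by ca.pem
check_chain() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }

# check_key_matches CERT KEY: succeeds if KEY's public half equals the one in CERT
check_key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cn FILE: print the Common Name from a certificate's subject
cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# check_distinct_cn CERT: succeeds if CERT's CN differs from the CA's CN
check_distinct_cn() { [ "$(cn ca.pem)" != "$(cn "$1")" ]; }

for leaf in server client; do
  check_chain "$leaf-cert.pem"
  check_key_matches "$leaf-cert.pem" "$leaf-key.pem"
  check_distinct_cn "$leaf-cert.pem"
  echo "$leaf certificate OK"
done
```

Run it against your own files by replacing the generation block with the paths from the procedure above; a failing check exits non-zero before you restart the database server.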

Enable secure connection in the database

To enable a secure connection in the MySQL or MariaDB server-side configuration, do the following:

  1. To start the database server so that it permits clients to connect securely, use options that identify the certificate and key files the server uses when establishing a secure connection:
    • --ssl-ca identifies the Certificate Authority (CA) certificate.
    • --ssl-cert identifies the server public key certificate. The server sends it to the client, which authenticates it against the CA certificate the client holds.
    • --ssl-key identifies the server private key.
  2. Edit the /etc/my.cnf file as follows to configure the certificates:

    [mysqld]
    ssl-ca=/<path>/ca.pem
    ssl-cert=/<path>/server-cert.pem
    ssl-key=/<path>/server-key.pem

    Replace the <path> placeholders with the path to your certificates.

  3. Save the file and restart the database server:

    > service mysqld restart

Verify the database server settings

After configuring the database server with certificates, you need to make sure SSL is enabled on the server side.

  1. Log in to the database server as the root user:

    > mysql -u root -p<password>

  2. Enter the following command:

    > show variables like '%ssl%';

You should get output similar to the one below:

Example output for the MySQL settings

Configure TLS authentication modes

MariaDB and MySQL 5.7 support one-way and two-way authentication modes. The authentication mode is set per user account through the REQUIRE clause of its grant.

  • One-way (server CA) authentication: One-way authentication mode expects the client to provide the CA certificate generated on the database server.
  • Two-way (mutual) authentication: Two-way authentication mode expects the client to provide both the CA certificate and the client certificate and key generated on the database server.

Configure one-way authentication

To enable one-way authentication, create a user with the option REQUIRE SSL.

  1. Log in to the database server as the root user and enter the following:

    > CREATE USER '<user name>'@'%' IDENTIFIED BY '<password>' REQUIRE SSL;

    > GRANT ALL PRIVILEGES ON *.* TO '<user name>'@'%' WITH GRANT OPTION;

    > FLUSH PRIVILEGES;

    Replace the placeholders with the user name and password you want to use.

  2. Copy the ca.pem CA certificate to the machine where you installed API Portal. For example:

    /etc/mysql/certs/ca.pem

  3. To test the connection between the database client and server, enter the following:

    > mysql --ssl-ca=/etc/mysql/certs/ca.pem -h xxx.xxx.xxx.xxx --port="3306" -u <user name> --password="<password>"

Configure two-way (mutual) authentication

To enable two-way authentication, create a user with the option REQUIRE X509.

  1. Log in to the database server as the root user and enter the following:

    > CREATE USER '<user name>'@'%' IDENTIFIED BY '<password>' REQUIRE X509;

    > GRANT ALL PRIVILEGES ON *.* TO '<user name>'@'%' WITH GRANT OPTION;

    > FLUSH PRIVILEGES;

    Replace the placeholders with the user name and password you want to use.

  2. Copy the following client certificate and key files to the machine where you installed API Portal:
    • client-key.pem
    • client-cert.pem
    • ca.pem

    Copy the files to, for example, the following folder:

    /etc/mysql/certs/

  3. To test the connection between the database client and server, enter the following:

    > mysql --ssl-ca=/etc/mysql/certs/ca.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem -h xxx.xxx.xxx.xxx --port="3306" -u <user name> --password="<password>"
