API Gateway: Warning message "Establishing SSL connection without server's identity verification is not recommended." seen in SSG logs.


Article ID: 143994


Products

CA API Gateway

Issue/Introduction

This article discusses the ways in which this issue may manifest. The log entry below appears repeatedly in the SSG log file. It is there to remind administrators to use certificate validation whenever possible if SSL is used in the connection.

WARNING 77 STDERR: Fri Oct 11 08:17:00 CEST 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.


 

Cause

This can occur when a Gateway is configured in some way for MySQL SSL connections but certificate verification is not enabled.

Environment

This article applies to all supported versions of API Gateway.

Resolution

To resolve this issue, apply either (or both) of the items below:

If SSG MySQL connections are SSL-enabled:

  • If SSL is required and the SSG configuration is set to use SSL connections to the local MySQL database server on the Gateway appliance, then ensure the steps in the documentation are followed for allowing server certificate verification. If those steps are not completed, then the warning message may continue to appear.
  • If SSL is not required, then ensure that everything noted in the documentation steps for MySQL & SSL setup is removed from the configuration, so that none of the SSL-enablement steps remain. If any of those steps are still present when SSL is not required, the connection may still assume it is using SSL, and the warning message will continue to appear.

If a JDBC MySQL connection (localhost) is SSL-enabled:

  • If SSL is required, then ensure that the backend MySQL database supports SSL, and that all appropriate items have been configured on the backend DB server.
  • If SSL is not required, then append the following string to your JDBC URL, particularly if it's pointing to localhost: ?verifyServerCertificate=false&useSSL=false
    • Example URL: jdbc:mysql://localhost:3306/ssg?verifyServerCertificate=false&useSSL=false

At the end of either step, be sure to restart the SSG service with the following command on each node in the cluster: service ssg restart
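
The following Python check is an added example, not part of the original article or of any Gateway tooling. It classifies a JDBC URL using only the two properties named in the warning (useSSL and verifyServerCertificate) and separately flags useSSL=false on a non-loopback host, where the connection would be unencrypted on the network. The function names, state labels and all sample URLs except the article's own example are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ACCEPTABLE = {"ssl-verified", "ssl-disabled-loopback"}

def classify_jdbc_url(jdbc_url):
    """Classify a jdbc:mysql:// URL by useSSL / verifyServerCertificate only.
    State names are this example's own labels, not driver or Gateway terms."""
    prefix = "jdbc:"
    if not jdbc_url.startswith(prefix + "mysql://"):
        raise ValueError("not a jdbc:mysql:// URL")
    parts = urlsplit(jdbc_url[len(prefix):])  # parsed as mysql://host:port/db?props
    # Names are matched exactly as written in the article; if a property
    # repeats, this code takes its last value.
    props = {k: v[-1].strip().lower()
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    host = (parts.hostname or "").lower()
    use_ssl = props.get("useSSL")
    verify = props.get("verifyServerCertificate")

    if use_ssl is None:
        # The case the warning text describes: no explicit useSSL option.
        return "warning-implicit-ssl"
    if use_ssl == "false":
        # The article's workaround; off-host it means cleartext on the network.
        return "ssl-disabled-loopback" if host in LOOPBACK else "ssl-disabled-remote"
    if use_ssl == "true":
        if verify == "true":
            return "ssl-verified"          # still needs a truststore configured
        if verify == "false":
            return "ssl-unverified"        # encrypted, server identity unchecked
        return "ssl-verify-not-explicit"   # relies on the driver's default
    return "invalid-useSSL-value"

def needs_review(urls):
    """Return (url, state) pairs for every URL not in an acceptable state."""
    results = [(u, classify_jdbc_url(u)) for u in urls]
    return [(u, s) for u, s in results if s not in ACCEPTABLE]

# Constructed sample input; only the first URL comes from the article.
SAMPLE_URLS = [
    "jdbc:mysql://localhost:3306/ssg?verifyServerCertificate=false&useSSL=false",
    "jdbc:mysql://localhost:3306/ssg",
    "jdbc:mysql://db.example.com:3306/ssg?useSSL=false",
    "jdbc:mysql://db.example.com:3306/ssg?useSSL=true&verifyServerCertificate=false",
    "jdbc:mysql://db.example.com:3306/ssg?useSSL=true&verifyServerCertificate=true",
]

if __name__ == "__main__":
    for url, state in needs_review(SAMPLE_URLS):
        print(state, url)
```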