MySQL

Prerequisites for Onboarding MySQL

  • Ensure that the target IP address is reachable from the AppViewX Cloud Connector, and confirm that the required port is open.
  • Configure the MySQL server language to English.
  • Verify that the MySQL instance is correctly configured with servers and is running.
  • Ensure that the user has read and write permissions for the .cnf file and for the associated certificate files defined in the configuration. Certificates without the required permissions cannot be detected from their configured paths.
  • No profile will be created if the .cnf file does not contain the [mysqld] section.
  • Confirm that all commands required for MySQL management are enabled on the server.
  • Provide the directory path containing the .cnf file as the Config Path during device onboarding.
  • The OpenSSL toolkit is required for generating the private key and CSR on the target device. Therefore, ensure that the OpenSSL package is installed on the Linux machine.
  • Ensure that the SFTP package is installed and active; it is used during device addition to upload the certificate to the target location.
  • Do not restrict SFTP sessions. If the system allows only one connection at a time, push operations may fail. To avoid this, update /etc/security/limits.conf to allow up to five connections:
    sftptest hard nproc 5
  • Ensure the Linux server language is set to English and that the sudo prompt follows the standard format:
    [sudo] password for <your_username>:
  • If you are using an external credential for authentication, ensure that the hostname or IP address used for device communication is configured in the corresponding external Credential Vault.
  • AppViewX retrieves passwords from the Password Vault for discovering and parsing password-protected certificates. It attempts to parse certificates using each password until successful. Add all relevant passwords to the vault for discovery and parsing.
  • If onboarding for other Linux-based vendors fails, check if bracketed paste mode is enabled using:
    bind -V | grep enable-bracketed-paste
    If enabled, disable it for all users by adding the following to /etc/inputrc and /etc/bashrc:
    set enable-bracketed-paste off
  • If onboarding fails due to a host key algorithm mismatch during SSH communication, enable the appropriate algorithms on either the client or server system. Many modern systems disable deprecated algorithms by default, so manually re-enable them in the SSH configuration file:
    /etc/ssh/ssh_config
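
The checks in the list above can be run on the target host before onboarding. The script below is an added example written for this page, not an AppViewX script; it assumes a MySQL-style .cnf file whose TLS material is declared under [mysqld] as ssl-ca / ssl-cert / ssl-key (the ssl_ca spelling is also accepted), a limits.conf line of the form "<user> hard nproc <n>" as shown above, and the same extension list as the discovery command later on this page. All file paths and the user name sftptest are assumptions.

```shell
#!/bin/sh
# Pre-onboarding checks for a MySQL endpoint (added example, not AppViewX code).

# Return 0 when FILE contains a [mysqld] section; without it no profile is created.
cnf_has_mysqld_section() {
  grep -Eq '^[[:blank:]]*\[mysqld\][[:blank:]]*$' "$1"
}

# Print, one per line, the ssl-ca / ssl-cert / ssl-key paths declared under
# [mysqld] in FILE, with surrounding quotes and whitespace removed.
cnf_ssl_paths() {
  awk '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    insec && $0 ~ /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); gsub(/^"|"$/, ""); print
    }' "$1"
}

# Return 0 when every declared path is absolute (relative-path profiles are
# not supported) and readable and writable by the current user; each
# offending path is reported on stdout.
cert_paths_ok() {
  rc=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    case "$p" in
      /*) ;;
      *) echo "relative path not supported: $p"; rc=1; continue ;;
    esac
    if [ -r "$p" ] && [ -w "$p" ]; then :; else
      echo "not readable and writable: $p"; rc=1
    fi
  done <<EOF
$(cnf_ssl_paths "$1")
EOF
  return "$rc"
}

# Return 0 when LIMITS_FILE gives USER (or the "*" wildcard) a hard nproc
# limit of at least 5, so parallel SFTP sessions are not refused.
sftp_nproc_ok() {   # $1 = limits.conf path, $2 = user name
  awk -v u="$2" '
    $1 !~ /^#/ && ($1 == u || $1 == "*") && $2 == "hard" && $3 == "nproc" { v = $4 }
    END { ok = (v != "" && (v == "unlimited" || v + 0 >= 5)); exit ok ? 0 : 1 }' "$1"
}

# Return 0 when INPUTRC disables bracketed paste for all users.
bracketed_paste_off() {
  grep -Eq '^[[:blank:]]*set[[:blank:]]+enable-bracketed-paste[[:blank:]]+off' "$1"
}

# List certificate-like files under DIR with the extension set the discovery
# command uses; the -o chain is grouped so one implicit -print covers all of it.
discover_certs() {
  find "$1" -type f \( -name '*.crt' -o -name '*.cer' -o -name '*.p7c' \
    -o -name '*.p7b' -o -name '*.key' -o -name '*.jks' -o -name '*.pem' \
    -o -name '*.pfx' -o -name '*.der' -o -name '*.p12' \)
}

# Usage: sh mysql_preflight.sh /etc/my.cnf sftptest [/etc/security/limits.conf] [/etc/inputrc]
if [ "$#" -ge 2 ]; then
  cnf=$1; user=$2; limits=${3:-/etc/security/limits.conf}; inputrc=${4:-/etc/inputrc}
  status=0
  cnf_has_mysqld_section "$cnf" || { echo "no [mysqld] section in $cnf"; status=1; }
  cert_paths_ok "$cnf" || status=1
  sftp_nproc_ok "$limits" "$user" || { echo "hard nproc for $user is below 5 in $limits"; status=1; }
  bracketed_paste_off "$inputrc" || echo "warning: bracketed paste is not disabled in $inputrc"
  command -v openssl >/dev/null 2>&1 || { echo "openssl is not installed"; status=1; }
  exit "$status"
fi
```

Run it as the account that AppViewX will use for SSH, since the read/write checks are evaluated for the current user; as root every file appears readable, which is not what the onboarding session will see.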

Onboarding MySQL

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select the MySQL logo from the Vendors list.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Field - Description
    *Server name - Enter a unique name for the MySQL server that is to be onboarded.
    *IP address/FQDN - Enter the valid IP address or fully qualified domain name (FQDN) used for device communication and integration with the MySQL server.
    Data center - Choose the desired data center.
    Onboarding Group - Select the onboarding group to assign the device to.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication mode - Select the SSH or SSM protocol to be used for communication between the AppViewX node and the MySQL server.
    *SSH Port - Retain the value 22; it is the default port used for the SSH communication mode. (The field is not displayed for the SSM communication mode.)
    Cert sync - Choose one of the following:
    • Managed - AppViewX performs the config fetch operations, and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback, etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations, and the certificates are downloaded to the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the device. No certificate discovery is performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the MySQL server device.
    If Communication mode = SSH the fields are as follows:
    Table 2. Credentials - Field Description Table
    Field - Description
    *Credential Type - Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - AppViewX
    • Credential List - Thycotic
    • Credential List - BeyondTrust
    • SSH
    Note:
    • If Credential List - AppViewX is selected, the *Credentials list dropdown field is displayed. Select one of the preconfigured credential values.
    • If SSH is selected, enter the *Username, upload the key file in *Upload key file, and enter the Passphrase for authentication.
    *Username - Enter the designated username for authentication. (Field displayed for Manual entry and SSH.)
    *Password - Enter the secure password. (Field displayed for Manual entry only.)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 3. Credentials - Field Description Table
    Field - Description
    *Credential Type - Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential List - cloudAccount is selected, the *Account name dropdown field is displayed. Select one of the preconfigured credential values.
    *Access key - Enter the access key used to log in to the EC2 instance of the AWS cloud machine.
    *Secret key - Enter the secret key used to log in to the EC2 instance of the AWS cloud machine.
    *: Mandatory fields
  7. In the Vendor Specific Details section, select/enter the details as indicated below.
    If Communication mode = SSH the fields are as follows:
    Table 4. Vendor Specific Details - Field Description Table
    Field - Description
    Config path - Provide the absolute path of the MySQL .cnf file. If no value is provided, the application looks for the .cnf file in the /etc folder.
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 5. Vendor Specific Details - Field Description Table
    Field - Description
    Config path - Provide the absolute path of the MySQL .cnf file. If no value is provided, the application looks for the .cnf file in the /etc folder.
    *Region - Enter the geographic region of the AWS instance. Example: us-east-2
    *Instance id - Enter the unique identifier of the EC2 instance in AWS. It is required to perform actions or execute commands on a specific EC2 instance. Example: i-02573cafcftext
    *SSM document name - Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance. Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.
    *SSM document version - Specify the version of the SSM document to be executed. Example: 1
    *S3 bucket name - Enter the S3 bucket name used to store the output or logs of commands executed on the EC2 instance. Example: avxdiscoverydocument-c2
    Proxy required - Select the checkbox to enable the secure proxy service.
  8. In the Certificate details section, enter the details as indicated below.
    Table 6. Certificate Details - Field Description Table
    Field - Description
    Certificate location - Enter the actual directory path where certificates are stored on the Linux server. Example: /cert/files
    Note: The certificates defined in the MySQL .cnf file, along with any additional certificates located in the /var/lib/mysql/ folder, will be discovered. Additionally, if the user has provided a custom certificate location during onboarding, the discovery process will include certificates from that directory as well.
    A certificate profile is created automatically based on the MySQL configuration.
    *: Mandatory fields
  9. Click Add.
    The certificate location will be listed in the table.
  10. (Optional) Click the (Delete) icon if you want to delete the certificate details from the list.
  11. Click Save.
    The MySQL device is added successfully.

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status column).
    The Status column shows Managed/Monitored/Ignored according to the CertSync setting if the connection is successful, or Failed/Unresolved in case of failure.
  4. In the Status column, click the Managed/Monitored value.
    Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

Supported Features

  1. On-demand or scheduled certificate discovery.
  2. CSR generation at the end device.
    • The OpenSSL toolkit is required on the target device for private key and CSR generation. Ensure it is installed and accessible on the Linux machine.
  3. Secure storage of the private key in encrypted form on the endpoint during CSR generation; it is decrypted into plain text only when the push operation explicitly requires it.
  4. Discovery of additional non-profile certificates.
  5. Nightly config sync job.
  6. Authentication support using manual entry, SSH, SSM, and external vaults.
  7. Support for both on-premise MySQL and SSM instances.
  8. Pre- and post-scripts enabled for the push action.
  9. Trust certificate push.
  10. Encryption of the private key until it is pushed.

Supported Certificate Types for Push

  • PEM
  • CRT
  • CER
The custom certificate discovery directory supports the following certificate formats:
  • PEM
  • CRT
  • CER
  • p7c
  • p7b
  • jks
  • pfx
  • p12
  • der

Limitations

  1. The system does not support discovery using relative path profiles.
  2. The system does not support sudo or dzdo.
  3. Non-interactive service accounts for performing CLM operations (users must switch to the service account from SSH).
  4. Service restart support remains disabled.

Commands for CLM Operations

Each operation is listed with the commands it runs on the endpoint and what each command does.

Config fetch
  • mysql --version - Fetches the MySQL version details.
Discovery
  • cat /etc/my.cnf - Reads the MySQL configuration.
  • find {directory} -name '*.crt' -o -name '*.cer' -o -name '*.p7c' -o -name '*.p7b' -o -name '*.key' -o -name '*.jks' -o -name '*.pem' -o -name '*.pfx' -o -name '*.der' -o -name '*.p12' - Discovers certificates from the MySQL profile certificate directory as well as from the directory specified by the user on the device onboarding page.
  • SFTP download - Using SFTP, downloads the identified certificates.
CSR Generation at endpoint
  • bash - Sets the session shell to bash.
  • bind 'set enable-bracketed-paste off' - Disables bracketed paste for the current session.
  • whoami - Captures the current username.
  • export LANG=en_US.UTF-8 - Sets the default session language to English.
  • mkdir -p {csr_location} ; touch {csr_location} - Checks that the target directory is editable.
  • SFTP upload - Using SFTP, uploads the csr.cnf file to the target location.
  • openssl req -nodes -newkey rsa:2048 -sha256 -days 365 -keyout '/etc/mysqltest.key' -out '/etc/mysqltest.csr' -subj '/C=/ST=/L=/O=/OU=/CN=mysqltest/emailAddress=/' -config '/etc//csr_1761734621433.cnf' && openssl enc -aes-256-cbc -e -in '/etc/mysqltest.key' -out '/etc/mysqltest.txt' -pass ##### -f '/etc/mysqltest.key' - Generates the CSR with RSA as the key type; the private key is then encrypted.
  • openssl req -nodes -new -sha256 -days 365 -key '/etc/mysqltest.key' -out '/etc/mysqltest.csr' -subj '/C=/ST=/L=/O=/OU=/CN=mysqltest/emailAddress=/' -config '/etc//csr_1761734965298.cnf' && openssl enc -aes-256-cbc -e -in '/etc/mysqltest.key' -out '/etc/mysqltest.txt' -pass ##### -f '/etc/mysqltest.key' - Generates the CSR with EC or ECDSA as the key type; the private key is then encrypted.
  • cat '/etc/mysqltest.csr' - Reads the CSR content.
  • rm -rf '/etc/mysqltest.csr' - Removes the CSR file.
Push - Cert Backup
  • cat /etc/my.cnf - Reads the MySQL configuration.
  • cat {cert} - Reads the existing profile certificates.
Push - Endpoint enrolled certificate
  • find {private_key_location.key} - Checks whether the private key is already in decrypted form.
  • set +o history - Disables shell history.
  • openssl enc -aes-256-cbc -d -in '{keyFileName}.txt' -out '{keyFileName}.key' -pass pass:{keyEncPassCode} - Decrypts the endpoint enrolled private key.
  • set -o history - Enables shell history.
  • openssl pkey -pubout -in {keyLocation} | openssl md5 - Calculates the MD5 of the public key to check that the key and certificate are compatible.
Push - Certificate Push
  • mkdir -p {push_path} ; touch {push_path} - Checks that the target directory is editable.
  • SFTP upload - Using SFTP, uploads the certificates to the target location.
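
The CSR generation and the push-time key handling from the table above, carried through end to end as an added example; this is written for this page in the shape of those commands and is not AppViewX's own script. It assumes openssl is on PATH, builds a minimal csr.cnf itself (AppViewX uploads its own), and the file names, the rsa/ec selector and the AVX_KEY_PASS variable are choices made here.

```shell
#!/bin/sh
# Endpoint-side CSR generation with an encrypted private key, then the decrypt
# and public-key fingerprint check a push performs (added example, not AppViewX code).

# Write a minimal csr.cnf (constructed) so "openssl req" needs neither the
# system openssl.cnf nor interactive prompts.
write_csr_cnf() {   # $1 = output file, $2 = common name
  printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\nCN = %s\n' "$2" > "$1"
}

# Create DIR/NAME.csr and DIR/NAME.txt (the AES-256-CBC-encrypted private key)
# for key type rsa or ec, then remove the plaintext DIR/NAME.key. The passphrase
# reaches openssl through the environment rather than the command line, so it
# does not appear in process listings or shell history.
generate_csr_and_encrypt_key() {   # $1 = dir, $2 = name, $3 = rsa|ec, $4 = passphrase
  dir=$1 name=$2 keytype=$3 pass=$4
  write_csr_cnf "$dir/csr.cnf" "$name"
  case "$keytype" in
    rsa) openssl req -nodes -newkey rsa:2048 -sha256 -keyout "$dir/$name.key" \
           -out "$dir/$name.csr" -config "$dir/csr.cnf" 2>/dev/null || return 1 ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
           -out "$dir/$name.key" 2>/dev/null || return 1
         openssl req -new -sha256 -key "$dir/$name.key" -out "$dir/$name.csr" \
           -config "$dir/csr.cnf" 2>/dev/null || return 1 ;;
    *)   echo "unsupported key type: $keytype" >&2; return 1 ;;
  esac
  AVX_KEY_PASS=$pass openssl enc -aes-256-cbc -e -in "$dir/$name.key" \
    -out "$dir/$name.txt" -pass env:AVX_KEY_PASS 2>/dev/null || return 1
  rm -f "$dir/$name.key"
}

# Recover DIR/NAME.key from DIR/NAME.txt; a wrong passphrase fails and leaves
# no partial key file behind.
decrypt_key() {   # $1 = dir, $2 = name, $3 = passphrase
  AVX_KEY_PASS=$3 openssl enc -aes-256-cbc -d -in "$1/$2.txt" -out "$1/$2.key" \
    -pass env:AVX_KEY_PASS 2>/dev/null || { rm -f "$1/$2.key"; return 1; }
}

# MD5 of the PEM public key, computed the way the compatibility check does it.
key_pubkey_md5() {
  pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl md5 | awk '{ print $NF }'
}
csr_pubkey_md5() {
  pub=$(openssl req -in "$1" -pubkey -noout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl md5 | awk '{ print $NF }'
}

# Return 0 only when the decrypted key and the CSR carry the same public key.
key_matches_csr() {   # $1 = key file, $2 = csr file
  k=$(key_pubkey_md5 "$1") || return 1
  c=$(csr_pubkey_md5 "$2") || return 1
  [ "$k" = "$c" ]
}

# Usage: AVX_KEY_PASS=... sh endpoint_csr.sh DIR NAME rsa|ec   (prints the CSR)
if [ "$#" -ge 3 ]; then
  generate_csr_and_encrypt_key "$1" "$2" "$3" "${AVX_KEY_PASS:?set AVX_KEY_PASS}" || exit 1
  cat "$1/$2.csr"
fi
```

The enc commands mirror the table's form, so files produced here decrypt with the same options; on OpenSSL 1.1.0 or later, adding -pbkdf2 to both the -e and -d invocations gives a stronger passphrase derivation. MD5 is used here only to compare two public keys with each other, not as a security property, and a sha256 digest works just as well for that comparison.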

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: