To satisfy HIPAA requirements, protected health information (PHI) should be encrypted in transmission. The Healthcare Blocks MySQL Database Service is configured to support TLS (SSL)-enabled connections from external clients. Every virtual server includes a certificate bundle that can be used to sign requests to the database service.

Connecting with the mysql shell

mysql -h DATABASE_URL -u USERNAME -D DATABASE --ssl-ca=/etc/ssl/hcb_ca.pem -p

Connecting from a PHP app

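// Use the Healthcare Blocks CA bundle to verify the database server's certificate.
$db = mysqli_init();
$db->ssl_set(NULL, NULL, '/etc/ssl/hcb_ca.pem', NULL, NULL);
// MYSQLI_CLIENT_SSL requests an encrypted connection.
$link = mysqli_real_connect($db, 'DATABASE_URL', 'USERNAME', 'PASSWORD', 'DATABASE_NAME', 3306, NULL, MYSQLI_CLIENT_SSL);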

In Dokku environments, you can create a volume mount from the virtual machine to the container so that the certificate bundle does not need to be copied into your source code:

dokku storage:mount my-app-name /etc/ssl:/ssl

Notice that /etc/ssl is mounted as /ssl inside the container. This avoids overwriting the container's own default /etc/ssl, which includes third-party certificates. Thus, Dokku PHP apps should set the path as follows:

$db->ssl_set(NULL, NULL, '/ssl/hcb_ca.pem', NULL, NULL);

Note: if you run into any permissions issues related to the PEM file, you will need to set its owner to the user/group IDs associated with the processes running inside your container:

chown -R 32767:32767 /etc/ssl/hcb_ca.pem
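
To confirm that a session opened with the flags above actually negotiated TLS, the following added example (not part of the original Healthcare Blocks documentation) locates the CA bundle at either path named on this page and checks MySQL's Ssl_cipher session status, failing closed when it is empty. The function names are hypothetical; the host, user and database are passed in by the caller.

```bash
#!/usr/bin/env bash
# Added example: confirm a session to the database service really uses TLS.

# Print the first readable CA bundle among the given candidate paths.
# Defaults are the two locations named on this page (Dokku mount, then VM).
pick_ca_bundle() {
  local candidate
  [ "$#" -gt 0 ] || set -- /ssl/hcb_ca.pem /etc/ssl/hcb_ca.pem
  for candidate in "$@"; do
    if [ -r "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "no readable CA bundle (check the mount and file ownership)" >&2
  return 1
}

# Read the output of SHOW SESSION STATUS LIKE 'Ssl_cipher' on stdin, in
# mysql -N -B format ("Ssl_cipher<TAB>VALUE"). Print the cipher; fail if it
# is empty, which means the session is not encrypted.
tls_cipher_from_status() {
  awk -F '\t' '$1 == "Ssl_cipher" { cipher = $2 }
       END { if (cipher == "") exit 1; print cipher }'
}

# Connect with the page's flags and fail closed unless TLS is in use.
# Arguments: host, user, database. -p prompts for the password.
check_db_tls() {
  local ca status cipher
  ca=$(pick_ca_bundle) || return 1
  status=$(mysql -h "$1" -u "$2" -D "$3" --ssl-ca="$ca" -p -N -B \
             -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || return 1
  if cipher=$(printf '%s\n' "$status" | tls_cipher_from_status); then
    echo "encrypted session, cipher: $cipher"
  else
    echo "session is NOT encrypted; do not send PHI over it" >&2
    return 1
  fi
}
```

Run it as `check_db_tls DATABASE_URL USERNAME DATABASE` after sourcing the file; a non-zero exit status means either the CA bundle was unreadable or the session was not encrypted.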