Connect to AWS RDS using SSL Certificate

Document created by ruchika_yadav (Employee) on Mar 2, 2016. Last modified by Adam Arrowsmith on Mar 2, 2016.

How to connect to Amazon RDS PostgreSQL using an SSL certificate?

Please note that the certificate setup part is common to connecting to any AWS RDS database over SSL.

If using Cloud Atom-

We have already imported the AWS certificate into our keystore. To make an SSL connection to the AWS PostgreSQL instance, append the parameter ssl=true to the connection string. An example connection string is shown below:

jdbc:postgresql://<instance_endpoint>:<port_no>/<db_name>?ssl=true

If using Local Atom-

1. Place the JDBC driver in the ATOM_HOME/userlib/database directory (create it if not present). You can download the driver from https://jdbc.postgresql.org/download.html

2. The Amazon RDS root certificate needs to be installed into the Java keystore. The file provided by Amazon at http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem contains multiple certificates; you will need to extract the Amazon RDS Root CA certificate from it and place that one into the keystore.

The first step is to convert the certificate to DER format, which Java understands:

Command: openssl x509 -outform der -in certificate.pem -out certificate.der

Next, import the certificate into the Java keystore:

Command: keytool -import -alias your-alias -keystore cacerts -file certificate.der

3. In the Database Connector, set the connection URL to jdbc:postgresql://<instance_end_point>:<instance_port_no>/<db_name>?ssl=true

4. The connection now uses SSL for communication with the PostgreSQL DB instance.
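The extraction in step 2, as an added example that is not from the original article: a standard-library Python script that splits the combined bundle into one DER file per certificate (the same conversion as the openssl command above) and prints each certificate's SHA-256 fingerprint, so that only the Amazon RDS Root CA is imported and its fingerprint is checked against the value AWS publishes before it is trusted. The output directory rds-der and the rds-ca-N.der file names are my own choice.

```python
"""Added helper (not from the original article): split a multi-certificate
PEM bundle such as rds-combined-ca-bundle.pem into one DER file per
certificate, the form keytool imports, and print each SHA-256 fingerprint.
Standard library only; output directory and file names are assumptions."""
import hashlib
import re
import ssl
import sys
from pathlib import Path

# One PEM certificate block; DOTALL lets '.' span the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(bundle_text):
    """Return every PEM certificate block in the bundle, in file order.
    keytool -import on the whole bundle would only take the first one."""
    return PEM_BLOCK.findall(bundle_text)


def pem_to_der(pem_block):
    """Same conversion as `openssl x509 -outform der`: PEM is base64 DER."""
    return ssl.PEM_cert_to_DER_cert(pem_block)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as openssl and keytool print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_to_der_files(bundle_text, out_dir, stem="rds-ca"):
    """Write certificate N to <out_dir>/<stem>-N.der and return a list of
    (path, fingerprint) pairs so each file can be checked before import."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for n, block in enumerate(split_pem_bundle(bundle_text), start=1):
        der = pem_to_der(block)
        path = out_dir / f"{stem}-{n}.der"
        path.write_bytes(der)
        results.append((path, sha256_fingerprint(der)))
    return results


if __name__ == "__main__":
    # Usage: python split_rds_bundle.py rds-combined-ca-bundle.pem
    for path, fp in bundle_to_der_files(Path(sys.argv[1]).read_text(), "rds-der"):
        print(f"{path}  SHA256 {fp}")
    # Then, for the Root CA file only (N is its number in the listing):
    #   keytool -import -alias your-alias -keystore cacerts -file rds-der/rds-ca-N.der
```

Import only the file whose fingerprint matches the published Root CA value; the remaining files are the regional intermediates and are not needed in the Atom's keystore for this setup.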

Ways to verify that the connection uses SSL:

1. Set -Djavax.net.debug=all in ATOM_HOME/bin/atom.vmoptions and restart the Atom.

When the process runs you can now monitor the SSL communication, including the SSL handshake being performed.

When the keystore provided does not contain the right certificate, you will see the following error:

[com.sun.net.ssl.internal.ssl.SSLSocketImpl handleException] ASyncMPollExecutor-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2. Another way to verify is described at http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL

Create a process whose operation gets the value of the ssl_is_used field. If the returned value is t (true), the connection uses SSL.

Also, when you do not put any SSL parameters in the connection URL, the connection will still succeed; it just will not use SSL. This can be verified by observing f (false) in the way specified above.
