Amazing world about data

Developer, ThoughtWorker, Data Architect and Data Specialist

2 minutes read

On a recent project we had to connect to AWS Aurora postgres 10.6 version of the database in SSL mode using JDBC and Java 11 JRE. When the Aurora cluster is setup, we can force all connections to use SSL by using the options group settings (forceSSL=true), establishing secure connection from the application to the database is not as easy as it looks.

Here are the steps we took to make this work.

  • AWS provides certificates that you can download Certs. These cannot be used directly.
  • Convert the .pem file downloaded about to a .der file using openssl
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
  • Copy the converted .der file to $JAVA_HOME/lib/security folder
  • Now import the .der file using the keytool command.
keytool -importcert -file $JAVA_HOME/lib/security/rds-combined-ca-bundle.crt -cacerts -storepass mypassword alias awsaurora -noprompt

After this step the certificate is in the JVM SSL Factory, the JVM has access to the certificate,

  • Since there is a bug in the postgres JDBC driver (it does not access the default Java SSL Factory), we have to provide that in the JDBC connection string as shown below.

The setting ssl=true turns on SSL connection and sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory tells the JDBC driver where to look for the certificate. Its always a good practice to set the currentSchema to some value as the default will be public which is not a good idea, in the above setting we have currentSchema=application-schema

Recent posts


See more