SSL Connection to AWS Aurora

Creating a secure connection to AWS Aurora involves multiple steps

Posted by Pramod Sadalage on Monday, July 15, 2019

On a recent project we had to connect to an AWS Aurora PostgreSQL 10.6 database in SSL mode using JDBC on a Java 11 JRE. When the Aurora cluster is set up, we can force all connections to use SSL through the options group settings (forceSSL=true), but establishing a secure connection from the application to the database is not as easy as it looks.

Here are the steps we took to make this work.

  • AWS provides CA certificates that you can download (Certs). These cannot be used directly by the JVM.
  • Convert the downloaded .pem file to DER format using openssl (the output file is given a .crt extension here):
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
  • Copy the converted DER file to the $JAVA_HOME/lib/security folder.
  • Now import the DER file into the JVM's cacerts truststore using the keytool command (note the -alias flag, which keytool requires with a leading dash):
keytool -importcert -file $JAVA_HOME/lib/security/rds-combined-ca-bundle.crt -cacerts -storepass mypassword -alias awsaurora -noprompt

After this step the certificate is in the JVM's default truststore (cacerts), so the JVM's SSL factory has access to it.

  • Since there is a bug in the PostgreSQL JDBC driver (it does not use the default Java SSL factory), we have to specify the factory explicitly in the JDBC connection string, as shown below.
jdbc:postgresql://server-url:5432/database-name?currentSchema=application-schema&ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory

The setting ssl=true turns on the SSL connection, and sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory tells the JDBC driver to use the JVM's default SSL factory, which is where the imported certificate now lives. It is always good practice to set currentSchema to an explicit value, since the default is public, which is not a good idea; in the setting above we have currentSchema=application-schema.
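The two things a practitioner wants to confirm after following the steps above are that the keytool import actually landed in the truststore the JVM reads, and that the session the driver opens is really encrypted rather than silently falling back. The following Java program is an added example, not code from the original post or from the pgjdbc project. It reads back the alias used in the keytool command, builds the same connection settings as the connection string above as a Properties object, and then asks the server itself (via the pg_stat_ssl view) whether the current backend session is using SSL. The server URL, the DB_USER and DB_PASSWORD environment variables, and the cacerts.password system property are assumptions for illustration; sslmode=verify-full is set explicitly so that CA validation and hostname checking do not depend on what ssl=true implies in a given driver version.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class AuroraSslCheck {

    // Alias used on the keytool command line in the post.
    static final String CA_ALIAS = "awsaurora";

    /** Confirms the CA imported with keytool is present in the running JVM's cacerts truststore and not expired. */
    static X509Certificate loadTrustedCa(String alias) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            // "changeit" is the JDK default; override with -Dcacerts.password=... (hypothetical property)
            // if you set a different -storepass when importing.
            ks.load(in, System.getProperty("cacerts.password", "changeit").toCharArray());
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("alias " + alias + " not found in " + cacerts
                    + "; run the keytool import against this JVM first");
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity(); // throws CertificateExpiredException / NotYetValidException
        return x509;
    }

    /** JDBC properties equivalent to the connection string in the post, with sslmode made explicit. */
    static Properties sslProperties(String user, String password, String schema) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        // verify-full: server cert must chain to a trusted CA AND its name must match the host we dialled.
        p.setProperty("sslmode", "verify-full");
        // Use the JVM's default SSL factory (cacerts) instead of the driver's own certificate lookup.
        p.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
        // Avoid landing in the public schema by default.
        p.setProperty("currentSchema", schema);
        return p;
    }

    /** Asks the server whether this very session is encrypted (pg_stat_ssl, available since PostgreSQL 9.5). */
    static boolean sessionIsSsl(Connection conn) throws SQLException {
        String sql = "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() && rs.getBoolean("ssl");
        }
    }

    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint from the post; replace with your cluster's writer endpoint.
        String url = "jdbc:postgresql://server-url:5432/database-name";

        X509Certificate ca = loadTrustedCa(CA_ALIAS);
        System.out.println("Trusted CA in cacerts: " + ca.getSubjectX500Principal());

        Properties props = sslProperties(requireEnv("DB_USER"), requireEnv("DB_PASSWORD"), "application-schema");
        try (Connection conn = DriverManager.getConnection(url, props)) {
            if (!sessionIsSsl(conn)) {
                throw new IllegalStateException("connected, but pg_stat_ssl reports the session is not using SSL");
            }
            System.out.println("TLS session confirmed by the server");
        }
    }
}
```

Run it with the pgjdbc jar on the classpath (`java -cp postgresql-42.x.jar:. AuroraSslCheck`). Checking the truststore first gives a clear error when the import went into a different JDK than the one running the application, which is the most common reason the driver still reports an untrusted certificate after following the steps above; checking pg_stat_ssl from inside the session catches the case where a configuration mistake causes a plaintext connection to succeed.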