On a recent project we had to connect to an AWS Aurora PostgreSQL 10.6 database over SSL using JDBC on a Java 11 JRE. When the Aurora cluster is set up you can force every client to use SSL by setting rds.force_ssl=1 in the cluster parameter group, but actually establishing the secure connection from the application to the database is not as easy as it looks.
Here are the steps we took to make this work.
- AWS provides a CA certificate bundle for RDS that you can download (rds-combined-ca-bundle.pem). The JVM does not trust it out of the box, so it has to be added to a truststore before the driver will accept the server's certificate.
- Optionally convert the downloaded .pem file to a .der file using openssl. keytool reads PEM as well, so this step can be skipped; note that openssl x509 only writes the first certificate of a multi-certificate bundle:
openssl x509 -outform der -in rds-combined-ca-bundle.pem -out rds-combined-ca-bundle.der
- Copy the certificate file to the $JAVA_HOME/lib/security folder (any path works, it only has to be readable when you run keytool).
- Import the certificate into the JVM's cacerts truststore using the keytool command. The default cacerts password is changeit; use your own if you have changed it:
keytool -importcert -file $JAVA_HOME/lib/security/rds-combined-ca-bundle.der -cacerts -storepass changeit -alias awsaurora -noprompt
Caveat: keytool -importcert stores only the first certificate it finds in the file. The combined bundle contains several CA certificates (a root plus regional intermediates), so to be sure the chain your cluster presents can be verified, split the bundle and import each certificate under its own alias.
After this step the certificate is in the JVM's default truststore, so anything that uses the JVM's default SSL socket factory trusts it.
- The PostgreSQL JDBC driver, however, does not use that factory by default. Its default sslfactory is org.postgresql.ssl.LibPQFactory, which, like libpq, looks for the root certificate in ~/.postgresql/root.crt (or the file named by sslrootcert) rather than in the JVM truststore. That is documented behaviour rather than a bug, and the fix is to point the driver at the JVM's default factory in the JDBC connection string as shown below.
jdbc:postgresql://server-url:5432/database-name?currentSchema=application-schema&ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory
The setting ssl=true turns on an SSL connection (in driver versions 42.2.5 and later it is equivalent to sslmode=verify-full, so the server certificate is validated against the truststore and the hostname is checked), and sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory tells the driver to use the JVM's default SSLContext, which is where the certificate imported above lives. It is also good practice to set currentSchema explicitly: the default is public, which is not a good idea, so in the URL above we have currentSchema=application-schema.