On a recent project we had to connect to an AWS Aurora PostgreSQL 10.6 database in SSL mode using JDBC and a Java 11 JRE. When the Aurora cluster is set up, all connections can be forced to use SSL through the option group settings (`forceSSL=true`), but establishing a secure connection from the application to the database is not as easy as it looks.
Here are the steps we took to make this work.
- AWS provides the CA certificates for download (Certs). The downloaded certificate cannot be used by the JVM directly.
- Convert the `.pem` file downloaded above to a `.der` file using openssl:
openssl x509 -outform der -in your-cert.pem -out your-cert.crt   # DER-encoded output; note that openssl x509 converts only the first certificate of a multi-certificate bundle
- Copy the converted
- Now import the `.der` file into the JVM's cacerts trust store using `keytool` (the alias option needs its leading dash):
keytool -importcert -file $JAVA_HOME/lib/security/rds-combined-ca-bundle.crt -cacerts -storepass mypassword -alias awsaurora -noprompt   # cacerts ships with the password "changeit" unless you have changed it
After this step the certificate is in the JVM's default trust store, so the JVM (and its default SSL factory) has access to the certificate.
- Since there is a bug in the postgres JDBC driver (it does not use the default Java SSL factory), we have to specify that factory in the JDBC connection string as shown below.
`ssl=true` turns on the SSL connection, and `sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory` tells the JDBC driver where to look for the certificate. It's always a good practice to set `currentSchema` to some value, as the default will be `public`, which is not a good idea; in the above setting we have
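A Java client that builds a connection string carrying these parameters and then verifies, from the server side, that the session really is encrypted. This is an added example, not code from the original post; the cluster endpoint, database name, schema and credential environment variables are constructed placeholders, and `sslmode=verify-full` is added explicitly so that the server hostname is checked against the certificate as well.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class AuroraSslCheck {

    // Builds the JDBC URL described in the post: ssl=true switches SSL on,
    // sslfactory points the driver at the JVM's default trust store (where
    // keytool put the RDS CA), and currentSchema avoids landing in "public".
    // sslmode=verify-full is added so the server hostname is verified too.
    static String buildJdbcUrl(String host, int port, String db, String schema) {
        return "jdbc:postgresql://" + host + ":" + port + "/" + db
                + "?ssl=true"
                + "&sslmode=verify-full"
                + "&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
                + "&currentSchema=" + schema;
    }

    // Asks the server whether this very session is encrypted, rather than
    // trusting the client-side flag. pg_stat_ssl exists since PostgreSQL 9.5.
    static boolean sessionIsSsl(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            return rs.next() && rs.getBoolean("ssl");
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed placeholders: replace with your cluster endpoint and credentials.
        String url = buildJdbcUrl("my-cluster.cluster-abc123.us-east-1.rds.amazonaws.com",
                5432, "appdb", "app");
        Properties props = new Properties();
        props.setProperty("user", System.getenv("DB_USER"));
        props.setProperty("password", System.getenv("DB_PASSWORD"));

        try (Connection conn = DriverManager.getConnection(url, props)) {
            if (!sessionIsSsl(conn)) {
                throw new IllegalStateException("connection is not using SSL");
            }
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("SELECT current_schema()")) {
                rs.next();
                System.out.println("SSL on, current schema = " + rs.getString(1));
            }
        }
    }
}
```

If the CA import from the keytool step did not succeed, `getConnection` fails with a certificate path error rather than silently falling back to plaintext, which is the behaviour you want.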