I want to use a Amazon Aurora Serverless with my spring boot applications. I need to encrypt the jdbc connection between my application and Aurora, unfortunately I didn’t find any documentation according this topic.
Have anybody any experience with this topic?
How can i encrypt jdbc connection?
Your Serverless cluster should already have the cert installed on it. You shouldn't need anything specific to talk TLS with the endpoint.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.tls
You can use additional client side settings and enforce the mode of SSL verification as well. (Details in the doc link above)
Related
I'm currently having issues setting up the AWS Explorer plugin in DataGrip to recognise the Aurora Serverless Clusters (MySQL). I have set up credentials from IAM in the credentials file, and can access other AWS services (if I select the dropdown "Schemas", for example, I can see the list of schemas in my org) but clicking the RDS dropdown shows "empty", and doesn't even show the list of database engines. I have tried connecting with secrets manager and using the correct secret for the DB cluster but no luck. When I try and add the database cluster as a data source, it just hangs on "Introspecting" and then the endpoint for that cluster.
I found this issue on the aws-toolkit for jetbrains github https://github.com/aws/aws-toolkit-jetbrains/issues/2124
which mentions that it could be a driver problem. I have tried changing to the mySQL driver, and that hasn't seemed to fix it. DataGrip also seems to heavily encourage using the recommended Aurora MySQL driver.
Is this a bug with DataGrip, or AWS Explorer, or am I missing something obvious? Do I need to enable SSL CAs to get AWS Explorer the correct permissions?
Thanks!
EDIT: I have gone through the prerequisites listed on the AWS docs:
I have installed the AWS CLI and AWS SAM CLI
I have installed Docker (but I haven't set up any containers - I think this is
only needed if I'm running localhost?)
I'm running Windows 10.
Aurora serverless can't be accessed from the internet. From docs:
You must create your Aurora Serverless DB cluster in an Amazon Virtual Private Cloud (Amazon VPC). Aurora Serverless DB clusters are accessible only from an Amazon VPC and can't use a public IP address.
Thus, you need to setup VPN or some proxy (e.g. ssh tunnel through a bastion host) to be able to connect to Aurora serverless from outside of AWS.
I am trying to establish a SSL-encrypted connection to a my MySQL Docker service running on a AWS VPC (setup up by the Docker for AWS cloud formation template). The elastic load balancer is configured to redirect port 3306. There is no problem to connect to the container (e.g. by using MySQLWorkbench, mysql-client, ..) as long as SSL is not turned on (adding AWS's own certificates (ACM) or my custom certificates to the ELB listener). In case SSL is enabled, the client starts hanging / freezing, without returning a proper error. I added the ca-certs from ACM, generated my own certificates (with and without additonal key / cert for the client) but nothing seems to resolve my problem.
Now I am well aware of the fact, that this setup is not that usual. I guess the standard way of doing this is to configure the MySQL-Server itself. AFAIK, in this case only the connection between client and ELB is encrypted, but I do not understand why this causes a problem?
I am grateful for answers!
In MySQL's client/server protocol, the server talks first. It advertises its capabilities (including whether it supports SSL). Then the client requests that the connection switch to SSL mode. Only then does SSL negotiation take place.
For this reason, it is not possible to offload SSL in front of MySQL.
Your connection hangs because the client is waiting for the initial packet from the server, while the ELB is waiting for the client to start negotiating SSL -- because unlike the MySQL client/server protocol, the client talks first on standard SSL negotiation.
You have to have a certificate on the MySQL Server, and not on the ELB, for this to work.
An AWS Network Load Balancer is a more appropriate solution for exposing MySQL, but you still need the SSL cert on the MySQL Server itself.
Google Cloud SQL (MySQL) supports SSL Client Certificates for securing connections. I have gotten these working with the mysql CLI client and with MySQL-python without any drama, but Java's JDBC driver model seems to be significantly less flexible. I was able to get it working by importing the necessary keys and certificates into my keystore, but it does not appear that I can easily provide a specific certificate to use for a particular connection at runtime.
For my use storing all the certificates in a single keystore per JVM won't work, we have a multi-tenant environment with dozens of isolated client certificates. The PostgreSQL JDBC documentation offhandedly mentions it should be possible by implementing your own SSLSocketFactory (source):
Information on how to actually implement such a class is beyond the scope of this documentation. Places to look for help are the JSSE Reference Guide and the source to the NonValidatingFactory provided by the JDBC driver.
The Java SSL API is not very well known to the JDBC driver developers and we would be interested in any interesting and generally useful extensions that you have implemented using this mechanism. Specifically it would be nice to be able to provide client certificates to be validated by the server.
The only implementation I have seen is GoogleCloudPlatform/cloud-sql-mysql-socket-factory which on-the-fly queries the Google Cloud APIs to retreive emphemeral ssl client certificates. This is what I'm starting with, but I'm disheartened by the fact some basic socket properties (notably connectTimeout and socketTimeout) are not currently implemented.
Are there other SSLSocketFactory implementations I should be aware of? It seems like a generic implementation would be useful for multiple JDBC drivers (MySQL connector/J, PostgreSQL pgJDBC and Oracle offer some client cert support). That way JDBC connection strings could support client certificates as standardize parameters (base64 encoded?) just as usernames and passwords are currently included.
Background:
I have a DB cluster hosted in Softlayer
I utilize No Bluemix 'container' services
I utilize Spark and MessageHub Services in Bluemix
Question
- Please explain how I can securely connect the bluemix spark service to my DB cluster through a Site VPN connection?
- The UI for the Bluemix VPN indicates I have to specify a container or container group to connect - but how does that correspond to Spark/MessageHub Services? To my knowledge those are shared services, not containers or container groups.
VPNaaS on Bluemix currently supports services/applications running on Bluemix docker-containers.
You can try this out:-
If you have accessible JDBC connection to your database(since i am not sure which database you are accessing).
Depending on your database driver, you can enable ssl connection on the jdbc url.
jdbc://${env.hostname}:10000/default;ssl=true;sslTrustStore=./truststore.jks;trustStorePassword=mypassword;
Follow the guide from this post to import certificates if needed.
http://stackoverflow.duapp.com/questions/37109302/how-to-connect-to-remote-hive-running-on-biginsights-on-cloud-from-a-spark-as-a/37121741
Change the url with your database url(ex. postgres below)
df = sqlContext.load(source="jdbc",\
url="jdbc:postgresql://[publichost]:[port]/databasename",\
dbtable="[tablename]")
Thanks,
Charles.
I've just started working with AWS EC2 instances, and I want to migrate the MySQL DB on the EC2 to a RDS instance.
My question is about security, when I connect to my EC2 instance I use a security key (.pem) file to encrypt my connection from laptop to EC2. But when the EC2 connects to the RDS i believe it will be using port 3306 on the RDS and be unencrypted? Is this a security risk for my web application?
If this is a security risk what is the best practice for securely connecting the EC2 to the RDS?
Thanks!
https://aws.amazon.com/rds/faqs/
Can I encrypt connections between my application and my DB Instance using SSL?
Yes, however, this option is currently only supported for the MySQL, SQL Server, and PostgreSQL engines.
Amazon RDS generates an SSL certificate for each DB Instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. If you require your data to be encrypted while “at rest” in the database, your application must manage the encryption and decryption of data. Also note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
You can setup rules in your security group to only allow connections to your rds instance from a pre-dfined list of ec2 ip's if you want (or any ips for that matter). AWS will reject any traffic trying to get to that RDS that is not in the list.