DEV Community

Arun Kumar for AWS Community Builders

Posted on

Configure SSL between RDS and Weblogic / DMS endpoint

Background

Need to enable End to End encryption for connectivity between Apps to RDS DB.

On Oracle RDS side

When creating the Oracle instance, configure the Option group SSL setting like below.

1

On weblogic side

  • After connection pool is created, update the below URL field. For example,
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<weblogic-host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DEMOWLST)))
Enter fullscreen mode Exit fullscreen mode
  • In the connection Properties, add the following
user=wlsdbuser
databaseName=DEMOWLST
javax.net.ssl.trustStore=/prod/applc/wls/domain/base_domain/certs/trust.jks
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=<password, default to Admin password>
Enter fullscreen mode Exit fullscreen mode

2

Creating trusted JKS/Wallet

  • To extract the RDS cert,
openssl s_client -showcerts -connect "{{ datasource.rdsHostName }}:{{ datasource.rdsSSLPort }}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/rds.pem

csplit -z -f tmpRDScert- /tmp/rds.pem '/-----BEGIN CERTIFICATE-----/' '{*}'

cp `ls -1 tmpRDScert-* | tail -1` /tmp/rdsRoot.pem
Enter fullscreen mode Exit fullscreen mode
  • To import the root cert to JKS keystore,
keytool -import -alias rds-rootcert -file /tmp/rdsRoot.pem -keystore /prod/applc/wls/domain/base_domain/certs/trust.jks -storepass {{ domain_password }} -noprompt
Enter fullscreen mode Exit fullscreen mode
  • To import the root cert to Oracle Wallet (DMS endpoint require this),
/prod/applc/wls/oracle_common/bin/orapki wallet create -wallet /tmp/ssl_wallet -auto_login_only
/prod/applc/wls/oracle_common/bin/orapki wallet add -wallet /tmp/ssl_wallet -trusted_cert -cert /tmp/rdsRoot.pem -auto_login_only
Enter fullscreen mode Exit fullscreen mode

For Oracle DMS endpoint, you will need to select rds-oracle-wallet when enabling the SSL with โ€œverify-caโ€ option and point the port to the SSL enabled port.

Top comments (0)