Using Java to establish a secure connection to MySQL Amazon RDS (SSL/TLS)

When you run the command below and are asked for the password, type "changeit". That is the default password for the keystore.

keytool -import -alias mysqlServerCACert -file file_location.pem -keystore truststore

Next, make sure the MySQL user you are using is configured to require SSL, as below:

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' REQUIRE SSL;

Next, make sure the RDS bundle which you downloaded from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem is imported into the default Java cacerts of the app server that is trying to connect to the AWS RDS instance.

Lastly, you need to append the three properties below, each with the value 'true', to your MySQL URL:

?verifyServerCertificate=true&useSSL=true&requireSSL=true

E.g.:

final String url = "jdbc:mysql://mysql_rds_endpoint:port/db_name?verifyServerCertificate=true&useSSL=true&requireSSL=true";

Hope this helps!


Java keytool only imports one certificate at a time, but the RDS combined CA bundle has many CA certificates. You will need to import each certificate in the bundle separately. When you try to import the bundle, it is only importing one certificate, which may not be the root CA that you need to trust the RDS instance.

On Linux you can split the PEM with the csplit tool:

csplit -b %02d.pem -z rds-combined-ca-bundle.pem /-----BEGIN/ {*}

Then you must import each pem into your keystore separately.
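Putting both answers together, here is an added example (not code from either answer) that splits a combined CA bundle into one PEM per certificate, imports each into a dedicated truststore under its own alias, and prints the JVM settings the first answer's JDBC URL needs. The truststore file name "rds-truststore.jks", the alias prefix "rds-ca-" and the password "changeit" are placeholders; the three-certificate bundle written by write_sample_bundle is constructed so the split logic can be exercised offline, it is not an AWS certificate. Note that verifyServerCertificate=true only validates against a truststore the driver can find: a separate keystore file (as in the first answer's keytool command) must be pointed at with -Djavax.net.ssl.trustStore, otherwise the driver falls back to the JVM's default cacerts.

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Splits an RDS CA bundle into single-certificate PEM files (keytool imports only
# one certificate per call), imports each into a truststore, and prints the JVM
# flags needed for verifyServerCertificate=true. Placeholders: rds-truststore.jks,
# alias prefix rds-ca-, password changeit; the sample bundle is constructed.
set -eu

# split_bundle BUNDLE OUTDIR: writes OUTDIR/ca-NN.pem per certificate and prints
# the number written. awk is used instead of csplit so it also runs on macOS/BSD.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_all OUTDIR STORE PASS: one keytool call per PEM, each with its own alias
# (keytool refuses to import into an alias that already exists). Prints how many
# trusted certificate entries the store holds afterwards.
import_all() {
    dir=$1; store=$2; pass=$3
    for pem in "$dir"/ca-*.pem; do
        alias="rds-$(basename "$pem" .pem)"
        keytool -importcert -noprompt -alias "$alias" -file "$pem" \
            -keystore "$store" -storepass "$pass"
    done
    keytool -list -keystore "$store" -storepass "$pass" | grep -c trustedCertEntry
}

# jvm_flags STORE PASS: system properties that make the MySQL driver validate the
# server certificate against STORE rather than the JVM's default cacerts.
jvm_flags() {
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Constructed three-certificate bundle with placeholder bodies for the offline demo.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BODY-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BODY-2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BODY-3
-----END CERTIFICATE-----
EOF
}

# Demo. No argument: split the constructed bundle only (keytool not required).
# With a real bundle path as $1 and keytool on PATH: also build the truststore.
work=$(mktemp -d)
if [ "$#" -ge 1 ]; then
    bundle=$1
else
    bundle=$work/sample-bundle.pem
    write_sample_bundle "$bundle"
fi
count=$(split_bundle "$bundle" "$work/split")
echo "split $bundle into $count certificate file(s) under $work/split"

if [ "$#" -ge 1 ] && command -v keytool >/dev/null 2>&1; then
    store=rds-truststore.jks
    entries=$(import_all "$work/split" "$store" changeit)
    echo "$store now holds $entries trusted certificate(s)"
    echo "start the JVM with: $(jvm_flags "$store" changeit)"
    echo 'jdbc:mysql://<rds-endpoint>:3306/<db>?useSSL=true&requireSSL=true&verifyServerCertificate=true'
fi
```

Run it without arguments to see the split on the constructed bundle, or as `sh rds_truststore.sh rds-combined-ca-bundle.pem` with the real download to build rds-truststore.jks. Instead of the system properties, Connector/J also accepts the truststore through the connection properties trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword. On MySQL 8.0 the REQUIRE SSL clause from the first answer belongs on CREATE USER or ALTER USER rather than GRANT.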