Built-in Oracle DB - using JKS keystore to support certification validation

Thread starter: zhangz

The Oracle DB instance hosted on AWS must have SSL enabled and present a valid certificate. For this purpose a JKS keystore can be used; it holds both private-key certificate entries and trusted certificate entries, including self-signed ones.



Here are the steps:
1. Follow the doc: JDBC - Connectors to upload required JAR libraries.

2. View the CA for your DB instance:

  • You can view the details about the CA for a database on the Connectivity & security tab in the console.
  • The certificate bundles for all AWS Regions and GovCloud (US) Regions contain the following certificates:
    · rds-ca-2019 intermediate and root certificates.
    · rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, and rds-ca-ecc384-g1 root CA certificates. Your application trust store only needs to register the root CA certificate.
3. Download the certificate bundle from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesDownload for the region where the Oracle DB instance is.
4. If the downloaded .pem file contains multiple certificates, they need to be split into separate files.



Script to split the certificates out of the .pem file (Windows/PowerShell). Modify $pemFilePath and $outputBasePath to the appropriate file and folder:

Code:
# Define the path to the input .pem file
$pemFilePath = "C:\home\javakeystore\ap-southeast-2-bundle.pem.pem"

# Define the output folder for the extracted certificates (created if missing)
$outputBasePath = "C:\home\javakeystore\certs"
New-Item -ItemType Directory -Path $outputBasePath -Force | Out-Null

# Read the whole .pem file as a single string
$pemContent = Get-Content -Path $pemFilePath -Raw

# Split the content into individual certificates at each BEGIN CERTIFICATE header
$certificates = $pemContent -split "(?=-----BEGIN CERTIFICATE-----)"

# Counter for naming the output files
$counter = 1

# Iterate through each certificate block and write it to a separate file
foreach ($cert in $certificates) {
    if ($cert -match "-----BEGIN CERTIFICATE-----") {
        # Build the output file name (1.pem, 2.pem, ...) inside the output folder;
        # Join-Path supplies the path separator that plain string concatenation omits
        $outputFilePath = Join-Path $outputBasePath "$counter.pem"

        # Write the certificate content (without surrounding blank lines) to the output file
        $cert.Trim() | Out-File -FilePath $outputFilePath -Encoding ascii

        # Increment the counter for the next certificate
        $counter++
    }
}
In my case, the above script generates 5 pem files: 1.pem to 5.pem




5. Use the following commands to convert each .pem file to .der (openssl is preinstalled on the Kudu site):

Code:
openssl x509 -outform der -in 1.pem -out cert1.der
openssl x509 -outform der -in 2.pem -out cert2.der
openssl x509 -outform der -in 3.pem -out cert3.der
openssl x509 -outform der -in 4.pem -out cert4.der
openssl x509 -outform der -in 5.pem -out cert5.der
6. Import all .der certificates into a keystore file (keytool is preinstalled on the Kudu site). Type 'yes' if it prompts you to trust the root CA:

Code:
keytool -import -alias rds-root -keystore clientkeystore.jks -file cert1.der
keytool -import -alias rds-apsoutheast2 -keystore clientkeystore.jks -file cert2.der
keytool -import -alias rds-apsoutheast2-rsa2048 -keystore clientkeystore.jks -file cert3.der
keytool -import -alias rds-apsoutheast2-ecc384 -keystore clientkeystore.jks -file cert4.der
keytool -import -alias rds-apsoutheast2-rsa4096 -keystore clientkeystore.jks -file cert5.der
7. Verify the keystore file we generated, for example with keytool -list -v -keystore clientkeystore.jks.
The sample output will be:

Code:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 5 entries
 
Alias name: rds-apsoutheast2
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: CN=Amazon RDS ap-southeast-2 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 1246
Valid from: Mon Sep 16 19:53:47 UTC 2019 until: Thu Aug 22 17:08:50 UTC 2024
Certificate fingerprints:
       SHA1: D5:D4:51:83:D9:A3:AC:47:B0:0A:5A:77:D8:A0:79:A9:6A:3F:6D:96
       SHA256: 34:07:21:87:E3:53:8B:A4:7C:DD:4D:5C:BD:6E:06:44:8E:7E:CA:71:82:F9:2F:00:CD:66:27:C6:76:8A:B2:E1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
 
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
 
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C1 A6 69 68 29 9E F8 48   95 33 98 1C 8D E1 D9 49  ..ih)..H.3.....I
0010: 38 0E 9F 8A                                        8...
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-apsoutheast2-ecc384
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 4f998695abd0cc51ec07b855e8c9b2e9
Valid from: Mon May 24 20:50:15 UTC 2021 until: Sat May 24 21:50:15 UTC 2121
Certificate fingerprints:
       SHA1: E9:58:3A:FD:FD:A9:39:78:F5:0E:9D:FF:5E:62:2E:CC:A0:D0:3B:04
       SHA256: 02:A2:85:48:CC:C1:40:00:0E:50:91:1A:FA:46:77:85:0A:C9:36:35:E2:0A:D7:6F:82:2D:91:F5:03:24:E8:53
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 77 92 13 79 D7 C0 C2   B1 A8 E0 50 3D 51 A0 DA  kw..y......P=Q..
0010: 18 52 B7 AE                                        .R..
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-apsoutheast2-rsa2048
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 9111fcf35720d331c34c13e8169d309
Valid from: Mon May 24 20:42:33 UTC 2021 until: Tue May 24 21:42:33 UTC 2061
Certificate fingerprints:
       SHA1: 69:46:D7:9E:4C:5B:01:5E:BC:5F:BD:4C:2B:9E:24:D0:E0:7E:C5:28
       SHA256: 74:2D:B5:3F:2F:89:70:EC:4C:78:01:78:47:63:C5:19:D5:48:5B:19:70:23:EC:4B:B5:55:26:12:54:69:65:4A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 59 3C 50 99 A5 86 8C 45   4F 73 CF D7 63 EF 86 F6  Y<P....EOs..c...
0010: B3 1E 34 F8                                        ..4.
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-apsoutheast2-rsa4096
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA4096 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 22e3b503c2ce9e673bcd9fef326dd3ac
Valid from: Mon May 24 20:46:18 UTC 2021 until: Sat May 24 21:46:18 UTC 2121
Certificate fingerprints:
       SHA1: 19:DC:ED:E6:ED:A2:20:90:44:B2:83:35:B1:2D:D2:44:2E:12:AC:2A
       SHA256: 8B:DE:3D:20:85:54:FB:74:09:DA:40:77:1C:9C:66:84:88:1D:AA:CC:E0:2C:2D:40:BE:75:D2:8D:E4:5C:52:31
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 CA CA 82 C5 A3 DE EF   2F A0 D4 A5 08 01 E9 EA  ......../.......
0010: BB C3 C0 83                                        ....
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-root
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: c73467369250ae75
Valid from: Thu Aug 22 17:08:50 UTC 2019 until: Thu Aug 22 17:08:50 UTC 2024
Certificate fingerprints:
       SHA1: D4:0D:DB:29:E3:75:0D:FF:A6:71:C3:14:0B:BF:5F:47:8D:1C:80:96
       SHA256: F2:54:C7:D5:E9:23:B5:B7:51:0C:D7:9E:F7:77:7C:1C:A7:E6:4A:3C:97:22:E4:0D:64:54:78:FC:70:AA:D0:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
 
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]
 
 
 
*******************************************
*******************************************
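An added example (not code from the original post) that performs steps 4 and 5 in Python instead of PowerShell plus openssl, and also prints the SHA-256 fingerprint of each DER file in the same colon-separated format that keytool -list -v shows, so each imported alias can be matched against the bundle before it is trusted. It assumes Python 3.9 or later; the sample bundle is constructed and contains no real certificates.

```python
# Added example: split a PEM CA bundle into DER files and print keytool-style fingerprints.
import base64
import hashlib
import re
from pathlib import Path

# One PEM certificate block; the base64 body may be wrapped at 64 columns.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def split_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(text)]

def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER encoding in keytool's colon-separated uppercase format."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def write_der_files(bundle_path: str, out_dir: str) -> list[tuple[str, str]]:
    """Write cert1.der, cert2.der, ... (the names the keytool -import step uses)
    and return (file name, SHA-256 fingerprint) pairs to compare with keytool -list -v."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = []
    for i, der in enumerate(split_pem_bundle(Path(bundle_path).read_text()), start=1):
        path = out / f"cert{i}.der"
        path.write_bytes(der)
        results.append((path.name, fingerprint(der)))
    return results

# Constructed sample bundle: two tiny DER values (SEQUENCE { INTEGER 1 } and
# INTEGER 2) wrapped as PEM. They are not real certificates; they only exercise
# the splitter offline. Point write_der_files() at a real RDS bundle instead.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AgEC
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for n, der in enumerate(split_pem_bundle(SAMPLE_BUNDLE), start=1):
        print(f"cert{n}.der  {len(der):3d} bytes  SHA256: {fingerprint(der)}")
```

The fingerprint printed for each certN.der should equal the SHA256 line keytool shows for the alias it was imported under; a mismatch means the alias was assigned to the wrong file.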



8. Upload the .jks file to the Logic App Standard Kudu site, for example to C:\home\javakeystore\certs


9. Add a new app setting, JAVA_OPS:

Key: JAVA_OPS

Value: -D"javax.net.ssl.trustStore=C:\home\site\wwwroot\clientkeystore.jks" -D"javax.net.ssl.trustStoreType=JKS" -D"javax.net.ssl.trustStorePassword=XXXXXX" -D"oracle.net.ssl_server_dn_match=TRUE"

A sample JDBC connection string to the Oracle DB after enabling SSL:
jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS=(PROTOCOL=XXXXX)(PORT=XXXXXX)(HOST=XXXXXXX))(CONNECT_DATA=(SERVICE_NAME=XXXXXX))(SECURITY=(SSL_SERVER_CERT_DN = "C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=XXXXXXXXX")))
