Redshift with SSL?

Based on the documentation on how to configure Redshift via SSL, as seen below, how would I “Connect Using the Server Certificate in Java”? Based on the current suggestion in the doc, we are doing “Connect Without Using the Server Certificate in Java”.

URL parameters to be specified to ensure SSL connectivity:
sslfactory=org.postgresql.ssl.NonValidatingFactory
ssl=true

Reference: Here is the Redshift doc

I’m trying to find out if anyone has configured this for any of our customers, but haven’t heard anything yet.

Hi Alen,

Are you trying to secure the channel where the data is passed? Can you please let me know the use case?

Our security team is enforcing control over connections to Redshift and requiring the use of the AWS public key over SSL.

We have not tested this internally, but plan to in near future.

One of our customers has configured it using the PostgreSQL driver. What driver are you guys using?

Can you try those settings and let us know?

That is exactly how it is configured now, which is considered “Connect Without Using the Server Certificate in Java”, but our security team is requesting this to be “Connect Using the Server Certificate in Java”.

Please read the section “To connect using a server certificate” under Connect Using the Server Certificate in Java in this AWS doc (http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html)

Does it have to have an IAM role enabled, or just SSL with the public key?

I believe this is what’s needed:

  • Download the AWS Redshift certificate (public key .pem file) from AWS - the location is in the AWS document you provided.

  • Use the keytool program to add the certificate to the SnapLogic Java truststore. The command would look something like this. The default password for the truststore is changeit.

keytool -importcert -alias "AWS_Redshift" -keystore "/opt/snaplogic/pkgs/jre1.8.0_45/lib/security/cacerts" -file "/root/redshift-ssl-ca-cert.pem"

  • Restart the SnapLogic JCC.

  • Add the “ssl=true” property to the JDBC connect string in the SnapLogic Redshift Account definition.
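
An added example, not part of the original thread: a shell check that classifies JDBC connect strings by the two URL parameters discussed here, so a connect string that still uses NonValidatingFactory can be flagged. The function names, verdict labels and example.com connect strings are assumptions made for illustration.

```shell
# Added example: classify JDBC connect strings by the two URL parameters
# discussed in this thread. Function names and verdict labels are illustrative.

# Print the value of URL parameter $2 in connect string $1 (last one wins).
jdbc_param() (
    set -f                      # subshell: no globbing while splitting on '&'
    case $1 in
        *\?*) query=${1#*\?} ;;
        *)    query= ;;
    esac
    value=
    IFS='&'
    for pair in $query; do
        case $pair in
            "$2"=*) value=${pair#*=} ;;
        esac
    done
    printf '%s\n' "$value"
)

classify_jdbc_ssl() {
    ssl=$(jdbc_param "$1" ssl)
    factory=$(jdbc_param "$1" sslfactory)
    if [ "$ssl" != "true" ]; then
        echo "no-ssl"                 # ssl=true is absent
    elif [ -z "$factory" ]; then
        echo "ssl-truststore"         # the setup described in the answer above
    elif [ "$factory" = "org.postgresql.ssl.NonValidatingFactory" ]; then
        echo "ssl-no-validation"      # encrypted, server certificate unchecked
    else
        echo "ssl-other-factory"      # unknown factory: review by hand
    fi
}

# Read connect strings on stdin; return non-zero unless all are "ssl-truststore".
audit_jdbc_urls() {
    bad=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        verdict=$(classify_jdbc_ssl "$url")
        printf '%-18s %s\n' "$verdict" "$url"
        [ "$verdict" = "ssl-truststore" ] || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample connect strings (hostnames are placeholders).
audit_jdbc_urls <<'EOF' || echo "non-compliant connect strings found"
jdbc:postgresql://redshift.example.com:5439/dev
jdbc:postgresql://redshift.example.com:5439/dev?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
jdbc:postgresql://redshift.example.com:5439/dev?ssl=true
EOF
```

The check only reads the connect string; whether the certificate was actually imported into the truststore still has to be confirmed on the host.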

Exactly, and the catch is I only use Cloudplex. Can support help setting this up?

I’ve asked Support to look into it.

If Cloudplex, then our DevOps will need to import the cert (the certificate chain or simply the intermediate cert of the Redshift instance region) using the keytool command shown by PSAmmirata.

Thanks @mina, I will add your comment to the ticket I already have.

Sorry, it seems it’s currently not supported by our DevOps. I should have checked with them in advance.