Amazon RDS, Postgres, JDBC, and SSL

Gopal Sharma
Published in Surya Dev Blog
3 min read · Aug 24, 2016

Phew! That title’s a mouthful.

I’ve been working on a new product for a few weeks now, and I decided to use a PostgreSQL database running on Amazon RDS. Since my web service is not running on EC2, I had to ensure that the Postgres instance had a public IP address, and that it only accepted SSL connections. The web service that will be connecting to the database is written in Java, using Ratpack.

It took a bit of fiddling to figure out what the right setup was, so I figured I’d write it up.

Configure RDS

The RDS documentation is pretty clear on how to set up the Postgres instance to only accept SSL connections.

First, create a parameter group:

Give it a name:

Note that “Group Name” can’t have spaces in it.

Now select the group you just created, and click on “Edit Parameters”:

Now search for “rds.force_ssl”, and modify the value of the parameter to 1.

Now navigate to the instances tab, select your instances, click on the “Instance Actions” button, and then select “Modify”.

Next, in the “Database Options” section, select the “DB Parameter Group” you just created. Then continue and modify your instance.

You now need to reboot your instance:

You’re now done configuring your RDS instance to only accept SSL connections.

Certificate

Now to connect to your database from the JVM, you’ll have to first add RDS’ certificate to your keystore.

To do this, first download the certificate from Amazon. Once you’ve got it downloaded, you need to convert it into a format that can be imported by your keystore.

To do that, run:

Once that’s done, you can import it into your keystore.

On macOS, run:

On Ubuntu, run:

You’ll be prompted for a keystore password. Enter “changeit”.

Note that your path to JDK may be different — modify it as necessary.

JDBC

The final step is configuring JDBC to use SSL. Here’s how I’m doing that:

Note the call to dataSource.setSSL(true).
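One way to confirm the whole setup from the JVM, as an added example rather than the post's original code: it connects with certificate and host name verification against the JVM truststore, reads `pg_stat_ssl` to confirm the session is encrypted, then checks that a plaintext attempt is refused by `rds.force_ssl`. It assumes pgjdbc 42.2.5 or later and PostgreSQL 9.5 or later; the class name and the `PGHOST`, `PGDATABASE`, `PGUSER` and `PGPASSWORD` environment variables are choices made for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example. Assumes pgjdbc 42.2.5+ on the classpath and PostgreSQL 9.5+
// (for pg_stat_ssl). Environment variable names are chosen for this example.
public class RdsSslCheck {

    static Properties props(String user, String password, String sslmode) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        // verify-full validates the certificate chain and matches the host name.
        p.setProperty("sslmode", sslmode);
        // Trust the JVM default truststore (cacerts), where the RDS CA was imported.
        p.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
        return p;
    }

    // True when the server refuses an unencrypted session (rds.force_ssl = 1).
    static boolean plaintextRejected(String url, String user, String password) {
        try (Connection c = DriverManager.getConnection(url, props(user, password, "disable"))) {
            return false; // the server accepted a connection without TLS
        } catch (SQLException e) {
            return true;
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:postgresql://" + System.getenv("PGHOST") + ":5432/" + System.getenv("PGDATABASE");
        String user = System.getenv("PGUSER");
        String password = System.getenv("PGPASSWORD");
        // Verified connection first: this also proves the credentials are valid.
        try (Connection c = DriverManager.getConnection(url, props(user, password, "verify-full"));
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            if (!rs.next() || !rs.getBoolean("ssl")) {
                throw new IllegalStateException("session is not using TLS");
            }
            System.out.println("TLS session: " + rs.getString("version") + " / " + rs.getString("cipher"));
        }
        System.out.println("plaintext rejected by server: " + plaintextRejected(url, user, password));
    }
}
```

If the verified connection fails with a certificate path error, the RDS CA is not in the truststore the JVM is actually using; if the plaintext attempt succeeds, the parameter group change has not taken effect on the instance.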

Et voilà, you’re all set!

Originally published at gopalkri.com on August 24, 2016.


I do web and iOS stuff for a living. Mega Michigan Football, Bengaluru FC and Arsenal FC fan. Mediocre photographer.