
I've created a Postgres database on an Amazon RDS instance with SSL enabled. The instance can be accessed from the command line using the cert file provided by Amazon (.pem). Now I want to connect to the database from within a Spring Boot application. I did some research, and it seems I have to install the cert in a keystore with the keytool command (Import PEM into Java Key Store). So I ran the following commands to generate the jks key.

 openssl x509 -outform der -in rds-combined-ca-bundle.pem -out aws-cert.der
 keytool -import -alias rds-key -keystore rds.jks -file aws-cert.der
 keytool -list -keystore rds.jks

I also ran the command keytool -list -keystore rds.jks to list the keystore for validation.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

rds-key, Oct 16, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): E8:11:88:56:E7:A7:CE:3E:5E:DC:9A:31:25:1B:93:AC:DC:43:CE:B0

After copying the rds.jks file to /src/main/resources, I added the following lines to application.properties for SSL:

server.ssl.enabled=true
server.ssl.key-alias=rds-key
server.ssl.key-password=xxx111
server.ssl.key-store=classpath:rds.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS

However, I got the error:

java.lang.IllegalArgumentException: java.io.IOException: Alias name [rds-key] does not identify a key entry

Why is the keystore not working?

ddd

2 Answers


Configuring the SSL keystore/truststore for a Spring Boot application prepares the SSL context used by inbound/outbound HTTPS connections. You will need to configure the SSL socket factory differently for Postgres DB connections. Either use the implementation provided by the Postgres lib or create your own custom SSLSocketFactory class which prepares the SSL context using your RDS-specific keystore.

Please check out -> https://basildoncoder.com/blog/postgresql-jdbc-client-certificates.html

Suken Shah

You are setting the wrong properties. The above properties enable SSL for the server. For the RDS SSL connection you need to set up the following properties:

javax.net.ssl.keyStorePassword = password
javax.net.ssl.trustStore = ./store_path.jks
javax.net.ssl.trustStoreType = JKS
victor m
  • Yes, the properties are wrong, but you want to be setting the keystore properties, not the truststore ones. You never want to put a private key into the truststore. Someone who knows the distinction may distribute the truststore thinking it only contains public information. – micker Sep 03 '19 at 15:56
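Worked example for both answers above (added here; it is not code from the question, from either answer, or from the pgjdbc project). The point both answers make is that server.ssl.* configures the embedded servlet container's HTTPS listener, which is why it demands a key entry (a private key) and rejects the trustedCertEntry that keytool -import created; the database connection is configured on the JDBC driver instead. The keystore built in the question is in fact a truststore: it holds CA certificates the client trusts, and a client private key is only needed if the client has to present its own certificate. The example shows the two driver-side options the answers mention: the PEM bundle handed directly to pgjdbc, and a JKS truststore consumed through the javax.net.ssl.* system properties plus the driver's DefaultJavaSSLFactory. It also builds the truststore with CertificateFactory, which reads every certificate in the bundle, whereas openssl x509 converts only the first certificate of a multi-certificate PEM file. Assumptions: pgjdbc 42.2.5 or later (where LibPQFactory, which understands sslrootcert, is the default sslfactory), the bundle at /opt/rds/rds-combined-ca-bundle.pem, the DB password in the PGPASSWORD environment variable, and a hypothetical endpoint, database name and user.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added example, not code from the question or the answers. Assumes pgjdbc 42.2.5+,
 * the AWS CA bundle at /opt/rds/rds-combined-ca-bundle.pem, the DB password in
 * PGPASSWORD, and a hypothetical RDS endpoint, database and user.
 */
public class RdsTlsExample {

    /**
     * Build a JKS truststore (trustedCertEntry items only, no private key) from a PEM
     * bundle. CertificateFactory.generateCertificates() returns every certificate in the
     * file, so all CAs in the bundle are imported, each under its own alias.
     */
    static int buildTrustStore(Path pemBundle, Path jks, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                               // start from an empty store
        int n = 0;
        try (InputStream in = Files.newInputStream(pemBundle)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                ks.setCertificateEntry("rds-ca-" + n++, cert); // same entry type keytool -import creates
            }
        }
        try (OutputStream out = Files.newOutputStream(jks)) {
            ks.store(out, password);
        }
        return n;
    }

    /** Approach A: hand the PEM bundle straight to the driver; no Java keystore involved. */
    static Properties pemProperties(String user, String password, String pemBundle) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("sslmode", "verify-full"); // verify the chain AND the host name (verify-ca skips the name)
        p.setProperty("sslrootcert", pemBundle);
        return p;
    }

    /**
     * Approach B: the javax.net.ssl.* properties from the second answer. pgjdbc only
     * honours them when told to use the JVM's default SSL context via DefaultJavaSSLFactory.
     */
    static Properties trustStoreProperties(String user, String password, Path jks, String jksPassword) {
        System.setProperty("javax.net.ssl.trustStore", jks.toString());
        System.setProperty("javax.net.ssl.trustStorePassword", jksPassword);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
        return p;
    }

    /** Ask the server whether this session is really encrypted (pg_stat_ssl, PostgreSQL 9.5+). */
    static boolean sessionIsTls(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            return rs.next() && rs.getBoolean(1);
        }
    }

    public static void main(String[] args) throws Exception {
        String url = "jdbc:postgresql://mydb.abc123.us-east-1.rds.amazonaws.com:5432/mydb"; // hypothetical
        String user = "app";                                                               // hypothetical
        String dbPassword = System.getenv("PGPASSWORD");
        String pem = "/opt/rds/rds-combined-ca-bundle.pem";

        try (Connection c = DriverManager.getConnection(url, pemProperties(user, dbPassword, pem))) {
            System.out.println("PEM approach, TLS according to the server: " + sessionIsTls(c));
        }

        Path jks = Paths.get("rds-truststore.jks");
        int imported = buildTrustStore(Paths.get(pem), jks, "changeit".toCharArray());
        System.out.println("imported " + imported + " CA certificate(s) into " + jks);
        try (Connection c = DriverManager.getConnection(
                url, trustStoreProperties(user, dbPassword, jks, "changeit"))) {
            System.out.println("truststore approach, TLS according to the server: " + sessionIsTls(c));
        }
    }
}
```

In a Spring Boot application approach A needs no code at all: the same driver properties can be appended to the JDBC URL, e.g. spring.datasource.url=jdbc:postgresql://<endpoint>:5432/mydb?sslmode=verify-full&sslrootcert=/opt/rds/rds-combined-ca-bundle.pem, and the server.ssl.* lines from the question are simply removed unless the application itself should serve HTTPS. Two checks worth keeping: compare the number of certificates buildTrustStore reports against what keytool -list shows for a keystore made from an openssl x509 conversion, which will list one entry regardless of how many CAs the bundle contains; and for approach B, set the javax.net.ssl.* properties before anything in the JVM initialises the default SSLContext, otherwise the truststore is silently ignored.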