Built-in Oracle DB – using JKS keystore to support certificate validation
by info.odysseyx@gmail.com, September 9, 2024

Oracle DB instances hosted on AWS must have SSL enabled and a valid certificate. For this purpose, you can use a JKS keystore, which holds both private key entries (a private key with its certificate) and trusted certificate entries, including self-signed ones. Here are the steps:

2. View the CA of the DB instance: details about the CA used by the database can be viewed under the Connectivity & security tab of the instance in the console.

Certificate bundles for all AWS regions and the GovCloud (US) region contain the following certificates:
· rds-ca-2019 intermediate and root certificates
· rds-ca-rsa2048-g1, rds-ca-rsa4096-g1 and rds-ca-ecc384-g1 root CA certificates

The application trust store only needs to register the root CA certificate.

4. The downloaded certificate bundle (.pem) contains a large number of certificates, so you need to split it into individual certificate files.
Script to split the certificates out of the .pem file (on Windows/PowerShell); change $pemFilePath and $outputBasePath to your own folder/path:

# Define the path to the input .pem bundle
$pemFilePath = "C:\home\javakeystore\ap-southeast-2-bundle.pem.pem"
# Define the output folder for the extracted certificates
$outputBasePath = "C:\home\javakeystore\certs"
# Make sure the output folder exists
New-Item -ItemType Directory -Path $outputBasePath -Force | Out-Null
# Read the whole bundle as one string
$pemContent = Get-Content -Path $pemFilePath -Raw
# Split into individual certificates; the lookahead keeps the BEGIN line with each block
$certificates = $pemContent -split "(?=\-----BEGIN CERTIFICATE-----)"
# Counter for naming the output files
$counter = 1
# Write each certificate block to its own file (1.pem, 2.pem, ...)
foreach ($cert in $certificates) {
    if ($cert -match "-----BEGIN CERTIFICATE-----") {
        # Join folder and file name so the files land inside the output folder
        $outputFilePath = Join-Path -Path $outputBasePath -ChildPath "${counter}.pem"
        # Write as ASCII; Trim() drops the blank lines that sat between blocks
        $cert.Trim() | Out-File -FilePath $outputFilePath -Encoding ascii
        # Increment the counter for the next certificate
        $counter++
    }
}

In my case, the above script creates 5 pem files named 1.pem to 5.pem.

5. Convert each .pem file to a .der file with the following commands (you can use the openssl pre-installed on the Kudu site):

openssl x509 -outform der -in 1.pem -out cert1.der
openssl x509 -outform der -in 2.pem -out cert2.der
openssl x509 -outform der -in 3.pem -out cert3.der
openssl x509 -outform der -in 4.pem -out cert4.der
openssl x509 -outform der -in 5.pem -out cert5.der

6. Import all .der certificates into the keystore file. When prompted to trust the root CA, type 'yes'.
(You can use the pre-installed keytool on the Kudu site.)

keytool -import -alias rds-root -keystore clientkeystore.jks -file cert1.der
keytool -import -alias rds-apsoutheast2 -keystore clientkeystore.jks -file cert2.der
keytool -import -alias rds-apsoutheast2-rsa2048 -keystore clientkeystore.jks -file cert3.der
keytool -import -alias rds-apsoutheast2-ecc384 -keystore clientkeystore.jks -file cert4.der
keytool -import -alias rds-apsoutheast2-rsa4096 -keystore clientkeystore.jks -file cert5.der

7. Check the generated keystore file. Sample output is as follows:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 5 entries

Alias name: rds-apsoutheast2
Creation date: Jul 25, 2024
Entry type: trustedCertEntry

Owner: CN=Amazon RDS ap-southeast-2 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 1246
Valid from: Mon Sep 16 19:53:47 UTC 2019 until: Thu Aug 22 17:08:50 UTC 2024
Certificate fingerprints:
     SHA1: D5:D4:51:83:D9:A3:AC:47:B0:0A:5A:77:D8:A0:79:A9:6A:3F:6D:96
     SHA256: 34:07:21:87:E3:53:8B:A4:7C:DD:4D:5C:BD:6E:06:44:8E:7E:CA:71:82:F9:2F:00:CD:66:27:C6:76:8A:B2:E1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C1 A6 69 68 29 9E F8 48   95 33 98 1C 8D E1 D9 49  ..ih)..H.3.....I
0010: 38 0E 9F 8A                                        8...
]
]

*******************************************
*******************************************

Alias name: rds-apsoutheast2-ecc384
Creation date: Jul 25, 2024
Entry type: trustedCertEntry

Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 4f998695abd0cc51ec07b855e8c9b2e9
Valid from: Mon May 24 20:50:15 UTC 2021 until: Sat May 24 21:50:15 UTC 2121
Certificate fingerprints:
     SHA1: E9:58:3A:FD:FD:A9:39:78:F5:0E:9D:FF:5E:62:2E:CC:A0:D0:3B:04
     SHA256: 02:A2:85:48:CC:C1:40:00:0E:50:91:1A:FA:46:77:85:0A:C9:36:35:E2:0A:D7:6F:82:2D:91:F5:03:24:E8:53
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 77 92 13 79 D7 C0 C2   B1 A8 E0 50 3D 51 A0 DA  kw..y......P=Q..
0010: 18 52 B7 AE                                        .R..
]
]

*******************************************
*******************************************

Alias name: rds-apsoutheast2-rsa2048
Creation date: Jul 25, 2024
Entry type: trustedCertEntry

Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 9111fcf35720d331c34c13e8169d309
Valid from: Mon May 24 20:42:33 UTC 2021 until: Tue May 24 21:42:33 UTC 2061
Certificate fingerprints:
     SHA1: 69:46:D7:9E:4C:5B:01:5E:BC:5F:BD:4C:2B:9E:24:D0:E0:7E:C5:28
     SHA256: 74:2D:B5:3F:2F:89:70:EC:4C:78:01:78:47:63:C5:19:D5:48:5B:19:70:23:EC:4B:B5:55:26:12:54:69:65:4A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 59 3C 50 99 A5 86 8C 45   4F 73 CF D7 63 EF 86 F6  Y

8. Upload the .jks file to the Logic App Standard Kudu site, for example to the destination C:\home\javakeystore\certs.

9.
Add new app settings (note that the javax.net.ssl property names are case-sensitive):

java_ops -D"javax.net.ssl.trustStore=C:\home\site\wwwroot\clientkeystore.jks" -D"javax.net.ssl.trustStoreType=JKS" -D"javax.net.ssl.trustStorePassword=XXXXXX" -D"oracle.net.ssl_server_dn_match=TRUE"

Sample JDBC connection string to the Oracle DB after enabling SSL (the descriptor keyword is connect_data):

jdbc:oracle:thin:@(description=(address=(protocol=XXXXXXXX)(port=XXXXXX)(host=XXXXXXXXX))(connect_data=(service_name=XXXXXX))(security=(ssl_server_cert_dn="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=XXXXXXXXX")))
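As an added example (not part of the original post), the following Java program audits a truststore built with the steps above: it loads the JKS, lists every trusted entry, checks whether each one is a self-issued root with a valid self-signature and a CA basic constraint, and flags entries that are expired or expire within 90 days, which is how the intermediate in the sample listing (valid only until August 22, 2024) would be caught before a connection fails. The keystore path and password are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

// Run as: java TrustStoreAudit.java <keystore.jks> <password>
// Both arguments are assumptions for this example, not values from the post.
public class TrustStoreAudit {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "clientkeystore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // also verifies the keystore integrity MAC
        }

        Instant now = Instant.now();
        Instant warnBefore = now.plus(Duration.ofDays(90));
        int problems = 0;

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // only trustedCertEntry items
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;

            // A root is self-issued and must carry a valid self-signature;
            // an intermediate (like the regional rds-ca-2019 CA) is issued by another CA.
            boolean selfIssued = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            boolean selfSigOk = false;
            if (selfIssued) {
                try { x.verify(x.getPublicKey()); selfSigOk = true; } catch (Exception e) { /* bad signature */ }
            }
            boolean isCa = x.getBasicConstraints() >= 0; // -1 means no CA basic constraint
            Instant notAfter = x.getNotAfter().toInstant();

            String status;
            if (notAfter.isBefore(now)) { status = "EXPIRED"; problems++; }
            else if (notAfter.isBefore(warnBefore)) { status = "EXPIRING SOON"; problems++; }
            else { status = "ok"; }
            if (!isCa || (selfIssued && !selfSigOk)) { status += " / INVALID CA"; problems++; }

            System.out.printf("%-28s %-12s %-22s until %s%n  %s%n", alias,
                    selfIssued ? "root" : "intermediate", status, notAfter, x.getSubjectX500Principal());
        }
        System.exit(problems == 0 ? 0 : 1); // non-zero exit lets a deployment pipeline stop here
    }
}
```

Running it against the keystore before uploading it to the Kudu site turns a silent trust failure at connection time into a visible pre-deployment check.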