
Built-in Oracle DB – using JKS keystore to support certification validation

by info.odysseyx@gmail.com


Oracle DB instances hosted on AWS must have SSL enabled and a valid certificate. For this purpose, you can utilize a JKS keystore, which holds both private key certificate entries and trusted certificate entries, including self-signed entries.

Here are the steps:

2. View the CA of the DB instance:

  • Details about the DB instance's CA can be viewed in the Connectivity & security tab of the RDS console, as shown in the image below.
[Image: RDS console, Connectivity & security tab showing the instance's CA]

  • Certificate bundles for all AWS regions and the GovCloud (US) region contain the following certificates:

    · rds-ca-2019: intermediate and root certificates.

    · rds-ca-rsa2048-g1, rds-ca-rsa4096-g1 and rds-ca-ecc384-g1: root CA certificate only. The application trust store only needs to register the root CA certificate.

4. The downloaded .pem bundle contains several certificates, so you need to split it into one file per certificate.

Script to split the certificates out of the .pem file (Windows/PowerShell); change the .pem file path and the output folder to match your own layout:

# Define the path to the input .pem file
$pemFilePath = "C:\home\javakeystore\ap-southeast-2-bundle.pem.pem"

# Define the output folder for the extracted certificates (created if it does not exist)
$outputBasePath = "C:\home\javakeystore\certs"
New-Item -ItemType Directory -Path $outputBasePath -Force | Out-Null

# Read the whole .pem file as a single string
$pemContent = Get-Content -Path $pemFilePath -Raw

# Split the content into individual certificates; the lookahead keeps the BEGIN line with each block
$certificates = $pemContent -split "(?=-----BEGIN CERTIFICATE-----)"

# Counter for naming the output files (1.pem, 2.pem, ...)
$counter = 1

# Iterate through each certificate block and write it to a separate file
foreach ($cert in $certificates) {
    if ($cert -match "-----BEGIN CERTIFICATE-----") {
        # Join-Path yields "<folder>\<n>.pem"; plain string concatenation would drop the separator
        $outputFilePath = Join-Path -Path $outputBasePath -ChildPath "$counter.pem"

        # Write the certificate block as plain ASCII (no BOM, which openssl/keytool would reject)
        $cert.Trim() | Out-File -FilePath $outputFilePath -Encoding ascii

        # Increment the counter for the next certificate
        $counter++
    }
}

In my case, the above script creates 5 pem files named 1.pem to 5.pem.

[Image: the five split files 1.pem to 5.pem in the output folder]

5. Convert each .pem file to DER format with the following commands (you can use the openssl binary pre-installed on the Kudu site):

openssl x509 -outform der -in 1.pem -out cert1.der
openssl x509 -outform der -in 2.pem -out cert2.der
openssl x509 -outform der -in 3.pem -out cert3.der
openssl x509 -outform der -in 4.pem -out cert4.der
openssl x509 -outform der -in 5.pem -out cert5.der

6. Import all .der certificates into the keystore file. When prompted whether to trust the certificate, type 'Yes'. (You can use the keytool binary pre-installed on the Kudu site.)

keytool -import -alias rds-root -keystore clientkeystore.jks -file cert1.der
keytool -import -alias rds-apsoutheast2 -keystore clientkeystore.jks -file cert2.der
keytool -import -alias rds-apsoutheast2-rsa2048 -keystore clientkeystore.jks -file cert3.der
keytool -import -alias rds-apsoutheast2-ecc384 -keystore clientkeystore.jks -file cert4.der
keytool -import -alias rds-apsoutheast2-rsa4096 -keystore clientkeystore.jks -file cert5.der

7. Check the generated keystore file (keytool -list -v). Sample output is as follows:

Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 5 entries
 
Alias name: rds-apsoutheast2
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: CN=Amazon RDS ap-southeast-2 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 1246
Valid from: Mon Sep 16 19:53:47 UTC 2019 until: Thu Aug 22 17:08:50 UTC 2024
Certificate fingerprints:
       SHA1: D5:D4:51:83:D9:A3:AC:47:B0:0A:5A:77:D8:A0:79:A9:6A:3F:6D:96
       SHA256: 34:07:21:87:E3:53:8B:A4:7C:DD:4D:5C:BD:6E:06:44:8E:7E:CA:71:82:F9:2F:00:CD:66:27:C6:76:8A:B2:E1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
 
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
 
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C1 A6 69 68 29 9E F8 48   95 33 98 1C 8D E1 D9 49  ..ih)..H.3.....I
0010: 38 0E 9F 8A                                        8...
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-apsoutheast2-ecc384
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA ECC384 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 4f998695abd0cc51ec07b855e8c9b2e9
Valid from: Mon May 24 20:50:15 UTC 2021 until: Sat May 24 21:50:15 UTC 2121
Certificate fingerprints:
       SHA1: E9:58:3A:FD:FD:A9:39:78:F5:0E:9D:FF:5E:62:2E:CC:A0:D0:3B:04
       SHA256: 02:A2:85:48:CC:C1:40:00:0E:50:91:1A:FA:46:77:85:0A:C9:36:35:E2:0A:D7:6F:82:2D:91:F5:03:24:E8:53
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 77 92 13 79 D7 C0 C2   B1 A8 E0 50 3D 51 A0 DA  kw..y......P=Q..
0010: 18 52 B7 AE                                        .R..
]
]
 
 
 
*******************************************
*******************************************
 
 
Alias name: rds-apsoutheast2-rsa2048
Creation date: Jul 25, 2024
Entry type: trustedCertEntry
 
Owner: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Issuer: L=Seattle, CN=Amazon RDS ap-southeast-2 Root CA RSA2048 G1, ST=WA, OU=Amazon RDS, O="Amazon Web Services, Inc.", C=US
Serial number: 9111fcf35720d331c34c13e8169d309
Valid from: Mon May 24 20:42:33 UTC 2021 until: Tue May 24 21:42:33 UTC 2061
Certificate fingerprints:
       SHA1: 69:46:D7:9E:4C:5B:01:5E:BC:5F:BD:4C:2B:9E:24:D0:E0:7E:C5:28
       SHA256: 74:2D:B5:3F:2F:89:70:EC:4C:78:01:78:47:63:C5:19:D5:48:5B:19:70:23:EC:4B:B5:55:26:12:54:69:65:4A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 59 3C 50 99 A5 86 8C 45   4F 73 CF D7 63 EF 86 F6  Y
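Steps 4 to 7 above can be done in one pass from PowerShell without the openssl step, because .NET's X509Certificate2 reads PEM text directly. The script below is an added example, not part of the original post: it splits the bundle, skips any CA that has already expired (the rds-ca-2019 entries in the sample output expired in August 2024), labels each certificate as root or intermediate, and imports it under an alias derived from its CN. The bundle path, keystore path and store password are assumed placeholders, and keytool must be on PATH.

```powershell
# Added example (not from the original post). Assumptions: Windows PowerShell 5.1+,
# keytool on PATH, and the placeholder paths/password below.
$bundlePath   = "C:\home\javakeystore\ap-southeast-2-bundle.pem"   # assumed path
$keystorePath = "C:\home\javakeystore\clientkeystore.jks"           # assumed path
$storePass    = "changeit"                                          # placeholder password

$pem    = Get-Content -Path $bundlePath -Raw
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
$now    = Get-Date

foreach ($block in $blocks) {
    # X509Certificate2 accepts the PEM block as bytes, so no DER conversion with openssl is needed
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($block.Value)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

    # Alias from the CN, e.g. "Amazon RDS ap-southeast-2 Root CA RSA2048 G1" -> "amazon-rds-ap-southeast-2-root-ca-rsa2048-g1"
    $cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $alias = ($cn.ToLower() -replace '[^a-z0-9]+', '-').Trim('-')

    # A self-issued certificate (subject equals issuer) is a root; anything else is an intermediate
    $kind = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }

    # An expired CA can never validate a live server certificate; do not put it in the trust store
    if ($cert.NotAfter -lt $now) {
        Write-Warning "Skipping expired $kind CA '$cn' (expired $($cert.NotAfter.ToString('u')))"
        continue
    }
    Write-Host "Importing $kind CA '$cn' as alias '$alias' (SHA-1 $($cert.Thumbprint))"

    # Write the DER form to a temp file, which is what keytool -importcert reads
    $derPath = Join-Path $env:TEMP "$alias.der"
    [System.IO.File]::WriteAllBytes($derPath,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    # -noprompt answers the "Trust this certificate?" question; keytool exits non-zero if the alias exists
    & keytool -importcert -noprompt -trustcacerts -alias $alias -file $derPath `
              -keystore $keystorePath -storepass $storePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed for alias '$alias'" }
    Remove-Item $derPath
}

# Verify: each imported alias should appear as a trustedCertEntry
& keytool -list -keystore $keystorePath -storepass $storePass
```

The alias is derived from the CN rather than numbered, so re-running the script against a refreshed bundle fails loudly on an already-imported alias instead of silently creating duplicates.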

8. Upload the .jks file to the Logic App Standard Kudu site, for example to: C:\home\javakeystore\certs

[Image: uploading the .jks file through the Kudu site]

9. Add a new app setting named java_ops with the following value (the javax.net.ssl property names are case-sensitive):

-D"javax.net.ssl.trustStore=C:\home\site\wwwroot\clientkeystore.jks" -D"javax.net.ssl.trustStoreType=JKS" -D"javax.net.ssl.trustStorePassword=XXXXXX" -D"oracle.net.ssl_server_dn_match=TRUE"

Sample JDBC connection string to the Oracle DB after enabling SSL (the SSL_SERVER_CERT_DN value must match the server certificate's DN exactly when ssl_server_dn_match is TRUE):

jdbc:oracle:thin:@(description=(address=(protocol=XXXXXXXX)(port=XXXXXX)(host=XXXXXXXXX))(connect_data=(service_name=XXXXXX))(security=(ssl_server_cert_dn="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=XXXXXXXXX")))
