Configure SSL between RDS and Weblogic / DMS endpoint

Background
We need to enable end-to-end encryption for connectivity between the applications and the RDS database.
On Oracle RDS side
When creating the Oracle instance, configure the Option group SSL setting like below.
On weblogic side
  • After the connection pool is created, update the URL field. For example:
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<weblogic-host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DEMOWLST)))
  • In the connection properties, add the following:
    user=wlsdbuser
    databaseName=DEMOWLST
    javax.net.ssl.trustStore=/prod/applc/wls/domain/base_domain/certs/trust.jks
    javax.net.ssl.trustStoreType=JKS
    javax.net.ssl.trustStorePassword=<password, default to Admin password>
Creating trusted JKS/Wallet
  • To extract the RDS cert:
    openssl s_client -showcerts -connect "{{ datasource.rdsHostName }}:{{ datasource.rdsSSLPort }}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/rds.pem

    csplit -z -f tmpRDScert- /tmp/rds.pem '/-----BEGIN CERTIFICATE-----/' '{*}'

    cp `ls -1 tmpRDScert-* | tail -1` /tmp/rdsRoot.pem
  • To import the root cert into the JKS keystore:
    keytool -import -alias rds-rootcert -file /tmp/rdsRoot.pem -keystore /prod/applc/wls/domain/base_domain/certs/trust.jks -storepass {{ domain_password }} -noprompt
  • To import the root cert into an Oracle Wallet (the DMS endpoint requires this):
    /prod/applc/wls/oracle_common/bin/orapki wallet create -wallet /tmp/ssl_wallet -auto_login_only
    /prod/applc/wls/oracle_common/bin/orapki wallet add -wallet /tmp/ssl_wallet -trusted_cert -cert /tmp/rdsRoot.pem -auto_login_only
For the Oracle DMS endpoint, you will need to select rds-oracle-wallet when enabling SSL with the “verify-ca” option, and point the port to the SSL-enabled port.
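
A certificate taken from a live s_client handshake is only as trustworthy as the network path at that moment, so it is worth checking /tmp/rdsRoot.pem before the keytool/orapki import. The following is an added example, not part of the original post: it compares the SHA-256 fingerprint of the extracted certificate against a CA bundle obtained separately from AWS. The function names and the sample PEM data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the extracted RDS root to a CA bundle obtained out of band.
# All function names here are hypothetical helpers, not part of any tool.

# Print the SHA-256 fingerprint (lowercase hex over the DER bytes) of every
# certificate in a PEM file, one per line. Empty PEM blocks are skipped.
pem_fingerprints() {
  tr -d '\r' < "$1" | awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { if (inside && body != "") print body; inside = 0; next }
    inside                        { body = body $0 }' |
  while IFS= read -r b64; do
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
  done
}

# Return 0 only if the candidate holds exactly one certificate and that exact
# certificate is in the bundle; 1 if it is not; 2 if the candidate is unusable.
cert_in_bundle() {
  local candidate="$1" bundle="$2" fp
  fp=$(pem_fingerprints "$candidate")
  [ -n "$fp" ] || return 2
  [ "$(printf '%s\n' "$fp" | wc -l)" -eq 1 ] || return 2
  pem_fingerprints "$bundle" | grep -qxF "$fp"
}

# Constructed sample data: wraps arbitrary bytes in PEM armour as a stand-in
# for a DER certificate, so the demo runs offline without real certificates.
make_sample_pem() {
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
    "$(printf '%s' "$1" | base64)"
}

demo() {
  d=$(mktemp -d)
  { make_sample_pem "constructed-root-A"; make_sample_pem "constructed-root-B"; } > "$d/bundle.pem"
  make_sample_pem "constructed-root-B" > "$d/rdsRoot.pem"     # matches the bundle
  make_sample_pem "constructed-unknown" > "$d/other.pem"      # does not
  for f in rdsRoot.pem other.pem; do
    if cert_in_bundle "$d/$f" "$d/bundle.pem"; then
      echo "$f: fingerprint found in bundle, proceed with keytool/orapki import"
    else
      echo "$f: NOT in bundle, do not import"
    fi
  done
  rm -rf "$d"
}
demo
```

With real files, run cert_in_bundle /tmp/rdsRoot.pem against the downloaded bundle and continue to the import steps only when it returns 0. The fingerprint it computes is the same value openssl x509 -fingerprint -sha256 reports, without the colons and in lowercase.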
