Configure SSL between RDS and Weblogic / DMS endpoint

Background

Need to enable End to End encryption for connectivity between Apps to RDS DB.

On Oracle RDS side

When creating the Oracle instance, configure the Option group SSL setting like below.

On weblogic side

• After connection pool is created, update the below URL field. For example,

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<weblogic-host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DEMOWLST)))

• In the connection Properties, add the following

user=wlsdbuser
databaseName=DEMOWLST
javax.net.ssl.trustStore=/prod/applc/wls/domain/base_domain/certs/trust.jks
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=<password, default to Admin password>

Creating trusted JKS/Wallet

• To extract the RDS cert,

openssl s_client -showcerts -connect "{{ datasource.rdsHostName }}:{{ datasource.rdsSSLPort }}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/rds.pem

csplit -z -f tmpRDScert- /tmp/rds.pem '/-----BEGIN CERTIFICATE-----/' '{*}'

cp `ls -1 tmpRDScert-* | tail -1` /tmp/rdsRoot.pem

• To import the root cert to JKS keystore,

keytool -import -alias rds-rootcert -file /tmp/rdsRoot.pem -keystore /prod/applc/wls/domain/base_domain/certs/trust.jks -storepass {{ domain_password }} -noprompt

• To import the root cert to Oracle Wallet (DMS endpoint require this),

/prod/applc/wls/oracle_common/bin/orapki wallet create -wallet /tmp/ssl_wallet -auto_login_only
/prod/applc/wls/oracle_common/bin/orapki wallet add -wallet /tmp/ssl_wallet -trusted_cert -cert /tmp/rdsRoot.pem -auto_login_only

For Oracle DMS endpoint, you will need to select rds-oracle-wallet when enabling the SSL with “verify-ca” option and point the port to the SSL enabled port.