Configuring a distributed EOP installation to use a TLS encrypted connection to Amazon RDS

Objective

Connect your distributed EOP installation to an Amazon RDS database instance, via an encrypted TLS connection.

Process

  1. Create a TrustStore containing certificates employed by Amazon RDS as detailed here.
  2. Copy this TrustStore file to each of your EOP nodes, to a location the contrast-server process can read (e.g. under <CONTRAST_INSTALL_DIR>).
  3. Configure the JDBC URL on each of your EOP nodes to require SSL (TLS) by modifying the value of the jdbc.url parameter in the database.properties file, using the encrypted properties editor as documented here, as follows:
jdbc:mysql://your_rds_url:3306/teamserver?useUnicode=yes&characterEncoding=UTF-8&requireSSL=true&useSSL=true&trustCertificateKeyStoreUrl=file:///path/to/rds-truststore.jks&trustCertificateKeyStorePassword=changeit
Note: Because the database properties file is ESAPI-encrypted, some special characters are not supported in the TrustStore password. Avoid the # and & characters in the password for this reason.

Please replace:

  • your_rds_url with the URL to your RDS instance
  • file:///path/to/rds-truststore.jks with the full path to the location you placed the truststore file in step 2
  • changeit with the password you specified in step 1

Quit and save the changes. Restart your contrast-server process.

Note: If the database is restricted to accept only TLSv1.2 connections, it may be necessary (depending on the Java version in use) to also force that protocol in the connection string (jdbc.url). For EOP installations below 3.8.10 you can do so by adding enabledTLSProtocols=TLSv1.2. For EOP versions 3.8.10 or greater (which use the MariaDB driver) use enabledSslProtocolSuites=TLSv1.2.
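The following script is an added example and is not part of the article or of Contrast's tooling. It walks through steps 1 and 3 above: it builds the JKS TrustStore from the downloaded RDS CA bundle, rejects TrustStore passwords containing the # or & characters the encrypted properties file cannot carry, and assembles the jdbc.url value, adding the TLSv1.2 pin appropriate to the driver version from the note above. It assumes keytool (shipped with the JDK) is on PATH and that the CA bundle was saved locally as global-bundle.pem; the hostname, paths and password in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Contrast's own tooling). Assumes: keytool on PATH,
# the RDS CA bundle downloaded to ./global-bundle.pem (hypothetical filename).

# The ESAPI-encrypted database.properties cannot carry '#' or '&' in the
# TrustStore password, so reject such passwords before they reach keytool.
# Returns 0 when the password is usable, 1 otherwise.
validate_truststore_password() {
  case "$1" in
    '')         return 1 ;;   # empty password is not useful
    *'#'*|*'&'*) return 1 ;;  # characters the properties file cannot encode
    *)          return 0 ;;
  esac
}

# Import every certificate of a PEM bundle into a JKS TrustStore.
# keytool -importcert only reads the FIRST certificate of a multi-cert PEM,
# so the bundle is split into one file per certificate first.
import_rds_ca_bundle() {
  bundle="$1"; truststore="$2"; storepass="$3"
  validate_truststore_password "$storepass" || {
    echo "TrustStore password must not contain # or &" >&2; return 1; }
  tmpdir=$(mktemp -d) || return 1
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    { if (out) print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
  i=0
  for cert in "$tmpdir"/cert-*.pem; do
    [ -f "$cert" ] || { echo "no certificates found in $bundle" >&2; return 1; }
    i=$((i + 1))
    keytool -importcert -noprompt -trustcacerts \
      -alias "rds-ca-$i" -file "$cert" \
      -keystore "$truststore" -storepass "$storepass" || return 1
  done
  rm -rf "$tmpdir"
  echo "imported $i certificate(s) into $truststore"
}

# Assemble the jdbc.url value from the article.
#   $1 RDS hostname, $2 absolute path of the TrustStore on the EOP node,
#   $3 TrustStore password, $4 driver: "legacy" (EOP < 3.8.10, adds
#   enabledTLSProtocols) or "mariadb" (EOP >= 3.8.10, adds
#   enabledSslProtocolSuites); anything else adds no TLS protocol pin.
build_jdbc_url() {
  host="$1"; truststore_path="$2"; storepass="$3"; driver="${4:-none}"
  validate_truststore_password "$storepass" || return 1
  url="jdbc:mysql://${host}:3306/teamserver?useUnicode=yes&characterEncoding=UTF-8"
  url="${url}&requireSSL=true&useSSL=true"
  url="${url}&trustCertificateKeyStoreUrl=file://${truststore_path}"
  url="${url}&trustCertificateKeyStorePassword=${storepass}"
  case "$driver" in
    legacy)  url="${url}&enabledTLSProtocols=TLSv1.2" ;;
    mariadb) url="${url}&enabledSslProtocolSuites=TLSv1.2" ;;
  esac
  printf '%s\n' "$url"
}

# Usage (placeholder values):
#   import_rds_ca_bundle ./global-bundle.pem /opt/contrast/rds-truststore.jks changeit
#   build_jdbc_url your_rds_url /opt/contrast/rds-truststore.jks changeit mariadb
```

Paste the printed URL into jdbc.url with the encrypted properties editor; because the password is written in clear inside the URL, pick one that passes the validation above rather than discovering the # or & problem only when contrast-server fails to start.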
