Cloud Techies
Published in

Cloud Techies

Configure SSL between RDS and Weblogic / DMS endpoint

Background:

Need to enable End to End encryption for connectivity between Apps to RDS DB.

On Oracle RDS side:

When creating the Oracle instance, configure the Option group SSL setting like below.

On weblogic side:

  • After connection pool is created, update the below URL field. For example,
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<weblogic-host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DEMOWLST)))
  • In the connection Properties, add the following
user=wlsdbuser
databaseName=DEMOWLST
javax.net.ssl.trustStore=/prod/applc/wls/domain/base_domain/certs/trust.jks
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=<password, default to Admin password>

Creating trusted JKS/Wallet

  • To extract the RDS cert,
openssl s_client -showcerts -connect "{{ datasource.rdsHostName }}:{{ datasource.rdsSSLPort }}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/rds.pem

csplit -z -f tmpRDScert- /tmp/rds.pem '/-----BEGIN CERTIFICATE-----/' '{*}'

cp `ls -1 tmpRDScert-* | tail -1` /tmp/rdsRoot.pem
  • To import the root cert to JKS keystore,
keytool -import -alias rds-rootcert -file /tmp/rdsRoot.pem -keystore /prod/applc/wls/domain/base_domain/certs/trust.jks -storepass {{ domain_password }} -noprompt
  • To import the root cert to Oracle Wallet (DMS endpoint require this),
/prod/applc/wls/oracle_common/bin/orapki wallet create -wallet /tmp/ssl_wallet -auto_login_only
/prod/applc/wls/oracle_common/bin/orapki wallet add -wallet /tmp/ssl_wallet -trusted_cert -cert /tmp/rdsRoot.pem -auto_login_only

For Oracle DMS endpoint, you will need to select rds-oracle-wallet when enabling the SSL with “verify-ca” option and point the port to the SSL enabled port.

--

--

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Arun Kumar

Cloud Architect | AWS, GCP, Azure, Python, Kubernetes, Terraform, Ansible