Steps to configure in-transit network encryption for Oracle on AWS RDS

To configure in-transit network encryption for Oracle on AWS RDS, you use SSL/TLS, which RDS provides through the SSL option of the instance's option group. (Oracle Native Network Encryption, enabled through the separate NNE option, is the other choice; this page covers SSL/TLS.) This ensures that data transmitted between your application and the RDS Oracle instance is encrypted and that the client is talking to the genuine instance rather than to something in the path. Below are the steps to set it up.

1. Understand AWS RDS SSL Support for Oracle

AWS RDS for Oracle supports SSL/TLS through the SSL option. Amazon issues and rotates the server certificate, so you never manage a server key or certificate yourself, but the client side is still your job: the client must trust the RDS certificate authority, verify that the certificate names the endpoint it dialled, and have its CA bundle refreshed when AWS rotates its CAs.

2. Obtain the RDS SSL Certificate

AWS publishes the certificate authorities that sign RDS server certificates. Download the bundle and keep it with the client:

  1. Visit the AWS RDS SSL Certificates page.
  2. Download the bundle. global-bundle.pem contains the CAs for every region; a per-region bundle is also published at https://truststore.pki.rds.amazonaws.com/<region>/<region>-bundle.pem:
    • For Linux/Unix systems:
wget https://truststore.pki.rds.amazonaws.com/global-bundle.pem -O rds-global-ca-bundle.pem
  • For Windows: Use a browser to download the .pem file.

Place the certificate file in a secure location on the client machine (e.g., /etc/ssl/certs/rds-global-ca-bundle.pem). The bundle holds several CA certificates; Oracle's wallet tool and Java's keytool import one certificate per call, so you will split it in step 4. Download it again whenever AWS announces a CA rotation: an outdated bundle makes the handshake fail.

3. Enable the SSL Option on the RDS Instance

RDS for Oracle does not accept TLS on the plain listener port (1521 by default). TLS comes from the SSL option, which you add to the option group associated with the instance; the option starts a second, TLS-only listener on a port you choose (2484 by default) next to the plain listener. There is no OS or sqlnet.ora access on RDS, so the server side is configured only through the option's settings:

  1. Log in to the AWS Management Console and navigate to RDS > Option groups.
  2. Create an option group for your engine and major version (or edit the one the instance already uses), add the SSL option, and set its Port (2484 by default), a VPC security group for that port, and SQLNET.SSL_VERSION = 1.2. SQLNET.CIPHER_SUITE and FIPS.SSLFIPS_140 are the remaining settings of the option.
  3. Navigate to RDS > Databases, select your Oracle RDS instance, choose Modify and associate the option group with it; the change is applied immediately or in the next maintenance window, as you choose.
  4. In the security group assigned to the instance, open the SSL port (2484) for your client IP or VPC. Port 1521 stays the unencrypted path; once clients are migrated it should no longer be reachable (see step 6).
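The same change from the command line, as an added example that is not from the original page or from AWS documentation. It assumes the AWS CLI is configured and that the option group already exists for the instance's engine and major version; the option group name, instance identifier and security group id are placeholders. The spec builder refuses anything but TLS 1.2 and a port that could collide with the plain listener, so a typo cannot quietly enable an old protocol:

```shell
#!/bin/sh
# Added example (not code from the original page or from AWS): enable the SSL
# option on an RDS for Oracle option group with the AWS CLI and attach the
# option group to the instance. Assumptions: the option group exists already,
# the AWS CLI is configured, and the names/ids passed in are placeholders.
set -e

# Print the value for "aws rds add-option-to-option-group --options".
# Arguments: <ssl-port> <vpc-security-group-id> <tls-version>
# Guards: only TLS 1.2 is accepted, the port must be in the RDS port range
# (1150-65535) and must not be 1521, because the SSL listener runs beside the
# plain listener on its own port.
ssl_option_spec() {
  port=$1; sg=$2; version=$3
  case "$version" in
    1.2) ;;
    *) echo "refusing SQLNET.SSL_VERSION=$version (only 1.2 is acceptable)" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1150 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 1521 ]; then
    echo "port $port is outside 1150-65535 or collides with the plain listener" >&2
    return 1
  fi
  case "$sg" in
    sg-*) ;;
    *) echo "expected a VPC security group id (sg-...), got '$sg'" >&2; return 1 ;;
  esac
  printf 'OptionName=SSL,Port=%s,VpcSecurityGroupMemberships=%s,OptionSettings=[{Name=SQLNET.SSL_VERSION,Value=%s}]' \
    "$port" "$sg" "$version"
}

# Add the option, move the instance onto the group and wait until it is available.
# Arguments: <option-group-name> <db-instance-identifier> <ssl-port> <vpc-security-group-id>
enable_rds_ssl() {
  spec=$(ssl_option_spec "$3" "$4" 1.2)
  aws rds add-option-to-option-group \
      --option-group-name "$1" --options "$spec" --apply-immediately
  aws rds modify-db-instance \
      --db-instance-identifier "$2" --option-group-name "$1" --apply-immediately
  aws rds wait db-instance-available --db-instance-identifier "$2"
}

# Usage: sh enable_rds_ssl.sh <option-group-name> <db-instance-identifier> <ssl-port> <sg-id>
# With no arguments the script only prints the option spec it would send.
if [ $# -eq 4 ]; then
  enable_rds_ssl "$@"
else
  ssl_option_spec 2484 sg-0123456789abcdef0 1.2; echo
fi
```

After the wait returns, the instance's Connectivity & security tab lists the option group, and the SSL listener answers on the chosen port only from the security group named in the spec; remember that the instance's own security group must also allow that port from your clients.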

4. Configure the Oracle Client

Option 1: Use sqlnet.ora and an Oracle wallet for SSL configuration

  1. Locate or create the sqlnet.ora file in your Oracle client's $ORACLE_HOME/network/admin directory (or in the directory named by TNS_ADMIN).
  2. Create an auto-login Oracle wallet with orapki (wallet create with -auto_login_only) and import the RDS CA certificates into it as trusted certificates (wallet add with -trusted_cert). orapki takes one certificate per call, so split the bundle from step 2 into single-certificate files first.
  3. Add the following SSL parameters. Oracle has no SSL_CACERT or SSL_CACERT_PATH parameters; the trust store is the wallet named by WALLET_LOCATION, SSL_SERVER_DN_MATCH makes the client reject a certificate whose CN does not match the HOST it connected to, and SSL_VERSION pins the protocol:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /path/to/rds_wallet)))
SSL_SERVER_DN_MATCH = ON
SSL_VERSION = 1.2
  4. The parameters below are often listed next to the SSL ones, but they negotiate Oracle Native Network Encryption, a separate feature whose server side on RDS is governed by the NNE option, not the SSL option. They are not TLS settings and are not needed for a TCPS connection; use them only if you chose NNE instead of SSL:
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)

Option 2: Select SSL in the connection string

The connect descriptor chooses the TCPS protocol and the SSL port; it does not replace the wallet, which the client still needs to validate the certificate. Update your Oracle connection string (or the tnsnames.ora entry) to use SSL. For example:

(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcps)(HOST=<RDS_ENDPOINT>)(PORT=2484))
  (CONNECT_DATA=(SID=<DB_SID>))
  (SECURITY=(SSL_SERVER_DN_MATCH=TRUE))
)

Replace:

  • <RDS_ENDPOINT>: Your RDS instance endpoint (found in the AWS Console).
  • 2484: The port you set on the SSL option in step 3, if you changed the default. Port 1521 is the unencrypted listener and will not complete a TLS handshake.
  • <DB_SID>: The SID of your Oracle database.
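The client-side work of this step and the truststore that step 7 needs, as one added example; it is not code from the original page, from AWS or from Oracle. It splits the downloaded bundle into single-certificate files (orapki and keytool import one certificate per call), writes sqlnet.ora and tnsnames.ora with the parameters above, and builds the wallet and the JKS truststore when a real bundle path is supplied and the tools are installed. The endpoint, SID, port 2484 and all paths are placeholders, and the offline demo input is a constructed two-block PEM file, not real certificates:

```shell
#!/bin/sh
# Added example, not code from the original page, AWS or Oracle: build the
# client side of step 4 (and the truststore step 7 needs) from the bundle
# downloaded in step 2. Assumed placeholders: the endpoint, the SID, the SSL
# option port 2484 and all paths. The demo input is a constructed two-block
# PEM file, not the real bundle, so the script runs offline; orapki/keytool
# are only invoked when a real bundle path is given on the command line.
set -e

# Sanity check on the download: number of PEM certificate blocks.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# orapki and keytool import one certificate per call, so split the bundle into
# <outdir>/cert-01.pem, cert-02.pem, ...; prints the number of files written.
split_pem_bundle() {   # <bundle.pem> <outdir>
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# sqlnet.ora + tnsnames.ora for a TLS-only connection.
# Arguments: <confdir> <walletdir> <rds-endpoint> <sid> [ssl-port]
write_oracle_tls_config() {
  confdir=$1; walletdir=$2; endpoint=$3; sid=$4; port=${5:-2484}
  mkdir -p "$confdir"
  cat > "$confdir/sqlnet.ora" <<EOF
# Trust store: an Oracle wallet holding the RDS CA certificates
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $walletdir)))
# Fail the handshake unless the certificate CN matches HOST in the connect descriptor
SSL_SERVER_DN_MATCH = ON
# TLS 1.2 only; must agree with SQLNET.SSL_VERSION on the RDS SSL option
SSL_VERSION = 1.2
EOF
  cat > "$confdir/tnsnames.ora" <<EOF
RDS_TLS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = $endpoint)(PORT = $port))
    (CONNECT_DATA = (SID = $sid))
    (SECURITY = (SSL_SERVER_DN_MATCH = ON))
  )
EOF
}

# Auto-login wallet for sqlplus/OCI clients (orapki ships with a full Oracle client).
build_wallet() {   # <certdir> <walletdir>
  orapki wallet create -wallet "$2" -auto_login_only
  for c in "$1"/cert-*.pem; do
    orapki wallet add -wallet "$2" -trusted_cert -cert "$c" -auto_login_only
  done
}

# JKS truststore for the JDBC thin driver in step 7 (keytool ships with a JDK).
build_jks_truststore() {   # <certdir> <truststore.jks> <storepass>
  for c in "$1"/cert-*.pem; do
    keytool -importcert -noprompt -trustcacerts -keystore "$2" -storepass "$3" \
      -alias "rds-$(basename "$c" .pem)" -file "$c"
  done
}

# Constructed stand-in for the bundle: two PEM blocks with placeholder bodies,
# NOT real certificates (enough to exercise the splitting and config logic).
write_constructed_bundle() {   # <path>
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0VSVCAx' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0VSVCAy' '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh rds_oracle_tls_client.sh [/path/to/rds-global-ca-bundle.pem] [endpoint] [sid]
main() {
  work=$(mktemp -d)
  if [ $# -ge 1 ]; then bundle=$1; real=1
  else bundle=$work/constructed-bundle.pem; write_constructed_bundle "$bundle"; real=0; fi
  endpoint="${2:-<RDS_ENDPOINT>}"; sid="${3:-<DB_SID>}"
  echo "certificate blocks in bundle: $(pem_cert_count "$bundle")"
  split_pem_bundle "$bundle" "$work/certs" >/dev/null
  write_oracle_tls_config "$work/admin" "$work/wallet" "$endpoint" "$sid" 2484
  if [ "$real" = 1 ]; then
    if command -v orapki  >/dev/null 2>&1; then build_wallet "$work/certs" "$work/wallet"; fi
    if command -v keytool >/dev/null 2>&1; then build_jks_truststore "$work/certs" "$work/rds-truststore.jks" changeit; fi
  fi
  echo "client configuration written under $work (point TNS_ADMIN at $work/admin)"
}
main "$@"
```

With a real bundle, export TNS_ADMIN to the generated admin directory and connect with sqlplus username@RDS_TLS; the wallet directory and the JKS path are what WALLET_LOCATION in sqlnet.ora and javax.net.ssl.trustStore in step 7 refer to.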

5. Test the Encrypted Connection

To verify that the connection is encrypted:

  1. Log into the database with sqlplus over TCPS (the client must already have the wallet from step 4). Let sqlplus prompt for the password rather than passing it on the command line, where it is visible in the process list and shell history:
sqlplus username@"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<RDS_ENDPOINT>)(PORT=2484))(CONNECT_DATA=(SID=<DB_SID>))(SECURITY=(SSL_SERVER_DN_MATCH=TRUE)))"

  2. Query the session's network protocol and the Oracle Net services negotiated for it. NETWORK_ENCRYPTION is not a USERENV attribute; NETWORK_PROTOCOL is, and V$SESSION_CONNECT_INFO (which the user needs read access to) lists the services as banner rows:

SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS PROTOCOL FROM DUAL;

SELECT NETWORK_SERVICE_BANNER
FROM   V$SESSION_CONNECT_INFO
WHERE  SID = SYS_CONTEXT('USERENV', 'SID');

  • PROTOCOL: tcps for a TLS session. tcp means the client reached the plain listener, typically because the descriptor still names port 1521 or PROTOCOL=tcp.
  • NETWORK_SERVICE_BANNER: one row per Oracle Net service for the session; this is where an NNE session shows its encryption and crypto-checksum services (AES256, SHA256, and so on). For an SSL session the authoritative check is the tcps protocol above.
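Before involving sqlplus at all, the TLS listener can be checked with nothing but openssl, because Oracle's TCPS listener speaks standard TLS. The script below is an added example, not code from the original page: it captures a handshake against the SSL port and then judges the transcript the way SSL_SERVER_DN_MATCH would, requiring both a chain that verifies against the bundle and a leaf certificate whose CN equals the endpoint that was dialled. The endpoint and port are placeholders, the CA bundle is the one from step 2, and the sample transcripts are constructed, not captured from AWS:

```shell
#!/bin/sh
# Added example, not from the original page: a TLS pre-flight against the RDS
# SSL listener that needs only openssl, plus the logic that judges the
# handshake transcript. Assumes the endpoint/port placeholders below and the
# CA bundle downloaded in step 2; the sample transcripts are constructed.
set -e

# Capture a plain TLS handshake with the SSL option port (2484 by default).
# Arguments: <rds-endpoint> <ssl-port> <ca-bundle.pem>; prints the transcript.
tls_handshake() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null || true
}

# Judge a transcript: the chain must verify against the bundle AND the leaf
# certificate's CN must equal the endpoint we dialled (what SSL_SERVER_DN_MATCH
# enforces in the Oracle client). Arguments: <rds-endpoint> <transcript-file>.
# Returns 0 only when both hold; prints the reason otherwise.
judge_handshake() {
  endpoint=$1; transcript=$2
  if ! grep -q 'Verify return code: 0 (ok)' "$transcript"; then
    echo "FAIL: chain not trusted by the bundle: $(grep 'Verify return code' "$transcript")" >&2
    return 1
  fi
  # Escape dots so they match literally; accept "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0)
  esc=$(printf '%s' "$endpoint" | sed 's/[.]/\\./g')
  if ! grep '^subject=' "$transcript" | grep -Eq "CN *= *${esc}(\$|,|/)"; then
    echo "FAIL: certificate subject does not name $endpoint: $(grep '^subject=' "$transcript")" >&2
    return 1
  fi
  echo "OK: trusted chain and CN matches $endpoint"
}

# Constructed transcripts (abridged s_client output, not captured from AWS).
good_transcript() {
  cat <<'EOF'
CONNECTED(00000003)
subject=C = US, ST = Washington, L = Seattle, O = Amazon.com, OU = RDS, CN = mydb.example.us-east-1.rds.amazonaws.com
issuer=CN = constructed intermediate CA
Verify return code: 0 (ok)
EOF
}
untrusted_transcript() {
  good_transcript | sed 's/Verify return code: 0 (ok)/Verify return code: 19 (self-signed certificate in certificate chain)/'
}

# Usage: sh tls_preflight.sh <rds-endpoint> <ssl-port> <ca-bundle.pem>
# Without arguments it runs the judge over the constructed transcripts.
if [ $# -eq 3 ]; then
  t=$(mktemp); tls_handshake "$1" "$2" "$3" > "$t"; judge_handshake "$1" "$t"
else
  t=$(mktemp)
  good_transcript > "$t";      judge_handshake mydb.example.us-east-1.rds.amazonaws.com "$t"
  untrusted_transcript > "$t"; judge_handshake mydb.example.us-east-1.rds.amazonaws.com "$t" || true
fi
```

A non-zero verify code against the current bundle usually means an outdated bundle on the client or a recently rotated RDS CA; a CN mismatch means the descriptor dials a name (a CNAME, a reader endpoint) that the certificate does not carry, which the Oracle client will reject once SSL_SERVER_DN_MATCH is on.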

6. Enforce SSL Connections

On RDS you cannot ALTER SYSTEM a sqlnet parameter or edit sqlnet.ora on the server, and Oracle has no ALTER USER ... REQUIRE SSL clause (that is MySQL syntax). To ensure only encrypted connections are allowed:

  1. The SSL option only adds a TLS listener; the plain listener on port 1521 keeps accepting unencrypted sessions. Enforcement for SSL is therefore a network control: in the instance's security groups remove every ingress rule for the plain port and allow only the SSL port (2484), so a client that falls back to PROTOCOL=tcp cannot connect at all.
  2. If you use Native Network Encryption instead of SSL, enforcement is server-side: set SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED in the NNE option's settings, and the server rejects any client that does not negotiate encryption and integrity.
  3. Before closing 1521, find the clients still using it (VPC Flow Logs for the instance's subnets show accepted traffic to that port, see step 8) and migrate them; otherwise they stop connecting the moment the rule is removed.

7. Application Configuration

Ensure your application connects over TCPS with certificate verification, not just over TCPS. The JDBC thin driver does not read a .pem file as a truststore: import the RDS CA certificates into a JKS (or PKCS12) truststore with keytool, one certificate per import, and point javax.net.ssl.trustStore at it. Setting oracle.net.ssl_server_dn_match to true makes the driver compare the certificate CN with the HOST it connects to. The URL form jdbc:oracle:thin:@tcps://host:port/name takes a service name, so to connect by SID use the full descriptor. For example:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

Properties props = new Properties();
props.setProperty("user", "your_username");
props.setProperty("password", "your_password"); // in practice, read from a secret store
props.setProperty("oracle.net.ssl_server_dn_match", "true"); // check the certificate CN against HOST
props.setProperty("javax.net.ssl.trustStore", "/path/to/rds-truststore.jks"); // keytool-built, not the .pem
props.setProperty("javax.net.ssl.trustStoreType", "JKS");
props.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Connection conn = DriverManager.getConnection(
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<RDS_ENDPOINT>)(PORT=2484))(CONNECT_DATA=(SID=<DB_SID>)))", props);

8. Monitor and Verify

CloudWatch's RDS metrics do not expose whether a session is encrypted, so verification has to come from the database and from the network. In the database, repeat the NETWORK_PROTOCOL and V$SESSION_CONNECT_INFO checks from step 5 for the accounts that matter. On the network, enable VPC Flow Logs for the instance's subnets and alert on accepted traffic to the plain listener port (1521): after the cutover there should be none, and every hit identifies a client that still connects unencrypted. Also track the instance's certificate authority (shown under Connectivity & security in the console) and AWS's CA rotation notices, so the bundle on every client is refreshed before a rotation breaks the handshake.
