For GCP managed SQL databases: we want to enable SSL/TLS using a common client cert across all our GCP databases. From reviewing the official google docs (https://cloud.google.com/sql/docs/mysql/configure-ssl-instance), it seems the server certificate is not customizable and we require a different client certificate for each database instance.
Is there any solution where we can use a common client cert for multiple database instances?
Related
I have 2 aws accounts having their own RDS instances(not publicly accessible) with db engine as postgresql 12.5. I downloaded RDS certificate from "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem".
I am using JDBC(postgresql driver) with properties ssl=true and sslrootcert="path to above certificate" to establish secure connections.
My questions:
This certificate is same for both aws accounts which have different names, so how does it work , Does ssl hand shake verifies that client(jdbc connection) is talking to rds.amazonaws.com or the actual RDS instance which has separate name ?
RDS certificates are replaced every 5 years, i.e. applications also have to update the certificate every 5 years or sooner than that once new certificate is available from RDS, is this correct ?
Q1.
Yes, its same for all accounts. You can download it from docs here. Its about the instances as explained in the docs:
Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance.
Q2.
You can update before actual expiration few months before. Last year it happened as explained here:
The server's certificates are each different. Each server sends its own cert when you ask to establish a SSL connection to it. The thing you download is the cert for the authority which signs each of the server certs. You (Or your JDBC) use it to verify that the per-server certs are genuine.
How do we create client certificate to get validated by aws document db?In aws docs https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled, it is mentioned only about one way ssl i.e.,clients authenticating server certificate.I didn't find information regarding two way ssl supported by aws document db.Can anyone help on this?
Amazon DocumentDB does not support using client certificates to connect to your cluster. Are you looking for client-side certificates to be used by the server for authentication? Amazon DocumentDB only supports SCRAM based authentication.
I'm running a managed PostgreSQL database, which has SSL encryption turned on by the service provider. This is all working fine.
Now I need to obtain some information on the algorithms used for SSL (and key length, etc.). How I get this as a client (similar to how you can inspect certificates for web pages in Firefox)?
Best
Lars
I'm having some mongodb connection securtity concerns for my env.
Here is my environment:
one ECS hosted on cloud that has a public IP but no domain and no ssl certificate neither.
installed mongodb service on this ECS that needs username/password to authenticate
only specific IPs in the whitelist can access the ECS/mongodb
I'm wondering if the data transfer between this mongodb and my local pc is safe or not?
Will the data be encrpyted during the transmission or just plain text so that everyone on the internet can catch and read it? (As I don't have https so it's not using TLS/SSL)
Can canyone explain the machanism or give some some doc links?
Thanks!
As your not using SSL, your data on fly is not encrypted. You need to use TLS/SSL to encrypt the network transmission. You must have the TLS/SSL certificates as PEM files, which are concatenated certificate containers
In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters
I'm trying to connect to a postgres database on Google Cloud SQL from Safe FME, a GUI-based desktop application that can connect to postgres databases. It supports SSL but Google Cloud SQL apparently requires the use of "TLS Client Authentication" to connect: providing a specific client key and certificate that you download from the Google Cloud Platform dashboard.
Other hosted postgres providers let you connect simply by ticking the "Use SSL" checkbox. Is there a way to do this with Google Cloud SQL? I want a secure connection but it seems like a lot of software doesn't support the "TLS Client Authentication" way of connecting.
SSL protocols have been considered deprecated as of 2015 (source), so for the best security you should stick to TLS. (MySQL doesn't use SSL anymore for the reason - this is not specific to Cloud SQL). You can create a SSL/TLS cerificate for your Cloud SQL instance by following the instructions here.
If you have and outdated application that doesn't support a version of TLS that is compatible with Postgres, you can always use the Cloud SQL proxy to encrypt connections.