Is two way ssl possible with aws document db? - mongodb

Does AWS DocumentDB support authenticating clients with SSL?I've downloaded rds-combined-ca-bundle.pem and got rds-truststore.jks by following the aws link "https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled".Specifying it in truststore,I can successfully connect to document db.
For two way ssl,I've created keystore using self-signed certificate following the link https://docs.mongodb.com/manual/appendix/security/appendixA-openssl-ca/. I'm able to connect to documentdb by specifying any keystore,even by specifying rds-truststore.jks in both truststore and keystore also.

Amazon DocumentDB doesn't support x509 certificate based authentication, only username/password authentication.
As the service is continually improving, stay tuned for new releases .

Related

AWS RDS SSL - Does ssl server certificates different for each and every RDS instance or same?

I have 2 aws accounts having their own RDS instances(not publicly accessible) with db engine as postgresql 12.5. I downloaded RDS certificate from "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem".
I am using JDBC(postgresql driver) with properties ssl=true and sslrootcert="path to above certificate" to establish secure connections.
My questions:
This certificate is same for both aws accounts which have different names, so how does it work , Does ssl hand shake verifies that client(jdbc connection) is talking to rds.amazonaws.com or the actual RDS instance which has separate name ?
RDS certificates are replaced every 5 years, i.e. applications also have to update the certificate every 5 years or sooner than that once new certificate is available from RDS, is this correct ?
Q1.
Yes, its same for all accounts. You can download it from docs here. Its about the instances as explained in the docs:
Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance.
Q2.
You can update before actual expiration few months before. Last year it happened as explained here:
The server's certificates are each different. Each server sends its own cert when you ask to establish a SSL connection to it. The thing you download is the cert for the authority which signs each of the server certs. You (Or your JDBC) use it to verify that the per-server certs are genuine.

Create custom server CA for GCP databases

For GCP managed SQL databases: we want to enable SSL/TLS using a common client cert across all our GCP databases. From reviewing the official google docs (https://cloud.google.com/sql/docs/mysql/configure-ssl-instance), it seems the server certificate is not customizable and we require a different client certificate for each database instance.
Is there any solution where we can use a common client cert for multiple database instances?

Does aws documentdb validate mongodb client certificate for two way ssl?

How do we create client certificate to get validated by aws document db?In aws docs https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled, it is mentioned only about one way ssl i.e.,clients authenticating server certificate.I didn't find information regarding two way ssl supported by aws document db.Can anyone help on this?
Amazon DocumentDB does not support using client certificates to connect to your cluster. Are you looking for client-side certificates to be used by the server for authentication? Amazon DocumentDB only supports SCRAM based authentication.

PostgreSQL SSL setup DigitalOcean

I am trying to connect pgAdmin to digitalOcean. However I am getting this error:
I add the certificate but digital ocean didn't provided me a key file.
Where could I find it?
This Is how I add the certificate file.
Thank you,
Jonathan Prieto
I think that the certificate that DigitalOcean provided is for the “Root certificate” field.
It is to verify the server, not to authenticate the client.
With the default configuration of libpq you don't need the certificate at all, and SSL is used only to encrypt the communication.
You need to create this private key with openssl command.
Unfortunately client certificate setup is not documented in the PostgreSQL official documentation.
The best documentation that I have found is the following:
https://info.crunchydata.com/blog/ssl-certificate-authentication-postgresql-docker-containers.
You should try to adapt "Step 4: Generating the Client Key and Certificate" to your configuration.

MongoDB connection security

I'm having some mongodb connection securtity concerns for my env.
Here is my environment:
one ECS hosted on cloud that has a public IP but no domain and no ssl certificate neither.
installed mongodb service on this ECS that needs username/password to authenticate
only specific IPs in the whitelist can access the ECS/mongodb
I'm wondering if the data transfer between this mongodb and my local pc is safe or not?
Will the data be encrpyted during the transmission or just plain text so that everyone on the internet can catch and read it? (As I don't have https so it's not using TLS/SSL)
Can canyone explain the machanism or give some some doc links?
Thanks!
As your not using SSL, your data on fly is not encrypted. You need to use TLS/SSL to encrypt the network transmission. You must have the TLS/SSL certificates as PEM files, which are concatenated certificate containers
In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters