Connecting to Amazon RDS Instances
To connect to an RDS instance over SSL, the Remote Agent's Java trust store must trust the Amazon RDS certificate authority that signed your instance's certificate.
Step 1. Identify the JDK the Remote Agent runs
On a standard install this is:
C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts
If the agent is configured for remote upgrades, the running JDK can be located under the installation's data directory instead. Confirm the path by checking the command line of the running javaw.exe before importing. Importing into a JDK the agent does not run is a common cause of an import that appears to work but changes nothing.
Step 2. Back up the trust store
copy "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts" "C:\cacerts.backup"
Step 3. Download the certificate bundle for your region
curl -sS "https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem" -o C:\rds-bundle.pem
Replace us-east-1 with your instance's region. The global bundle at https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem also works and covers all regions, but it contains over one hundred certificates.
Step 4. Import every certificate from the bundle
This will have to be done on every remote agent upgrade.
This PowerShell script splits the bundle and imports each certificate using the keytool that ships inside the agent's JDK. It requires no additional software.
powershell
$ks = "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts"
$kt = "C:\Program Files\Seeq Server\jdk\files\bin\keytool.exe"
$bundle = "C:\rds-bundle.pem"
$certs = [regex]::Matches((Get-Content $bundle -Raw), "(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----")
$i = 0
foreach ($c in $certs) {
$f = "C:\rds-ca-$i.pem"
Set-Content -Path $f -Value $c.Value -Encoding ascii
& $kt -import -trustcacerts -noprompt -alias "rds-ca-$i" -file $f -keystore $ks -storepass changeit
Remove-Item $f
$i++
}
Adjust the three paths at the top to match your install. The default trust store password is changeit.
Step 5. Restart the Remote Agent
The JVM reads cacerts once at startup. The new certificates take effect only after a full stop and start of the agent service, not a configuration reload.
Step 6. Verify
Confirm the import added entries:
keytool -list -keystore "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts" -storepass changeit | findstr rds
To confirm that the trust store can validate a specific instance, print the chain the server presents and check that its root appears in your trust store:
"C:\Program Files\Seeq Server\jdk\files\bin\keytool" -printcert -sslserver your-instance.your-region.rds.amazonaws.com:2484
Match by SHA-256 fingerprint, not by certificate name. AWS has issued more than one root sharing the same common name, so name matching is unreliable.
Requiring SSL for Oracle (TCPS)
Oracle does not use a connection flag for SSL the way MySQL and Postgres do. It runs SSL as a separate listener using the TCPS protocol on a dedicated port, by default 2484. Plain unencrypted connections continue on 1521.
Enable the SSL listener
Add the SSL option to the option group attached to the instance. The default option group cannot be edited, so create a custom option group for the correct engine edition and major version, add the SSL option to it, set SQLNET.SSL_VERSION to 1.2, then attach that option group to the instance. The instance listens on 2484 once the option becomes active. No reboot is required, but allow a few minutes for the option to apply.
Open the port
Add an inbound rule to the instance's security group allowing TCP 2484 from the Remote Agent.
Require SSL
Oracle on RDS has no server side force SSL parameter equivalent to rds.force_ssl. To require encryption, remove the inbound rule for 1521 so the only reachable listener is the encrypted one on 2484. This is network level enforcement. The database engine will still accept a plaintext session if something can reach 1521, so the security group is the control.
Configure the connection
The connector's Hostname and Port fields build a plain TCP URL. To use TCPS, set JdbcConnectionStringOverride with a full descriptor and leave Hostname, Port, and DatabaseName empty:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=your-instance.your-region.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=your_service)))
Use SID rather than SERVICE_NAME if your instance is addressed by SID. A mismatch here produces an ORA-12514 listener error, which is separate from any SSL problem.
Known Issues and Limitations
-
Importing the RDS certificate bundle with a single
keytool -importcommand trusts only the first certificate in the file and silently ignores the rest. Import every certificate from the bundle. See Connecting to Amazon RDS Instances above. -
The SQL connector validates database TLS against the JDK
cacertstrust store. Certificates placed in the agent'skeys\trustedfolder are used for the agent to Seeq server connection but are not consulted for JDBC connections. -
Certificates imported into
cacertsare overwritten when the Remote Agent is upgraded. The import must be repeated after an upgrade. Plan for this when upgrading agents that connect to RDS over SSL.
Troubleshooting
PKIX path building failed: unable to find valid certification path to requested target
The agent does not trust the certificate authority that signed the server's certificate. Confirm three things in order: that you imported every certificate from the bundle rather than a single one, that you imported into the JDK the agent actually runs, and that the agent was fully restarted. Verify by matching the SHA-256 fingerprint of the server's root, from keytool -printcert -sslserver host:2484, against an entry in your trust store. Do not match by certificate name.
closing inbound before receiving peer's close_notify during the SSL handshake
The TCPS connection is pointed at the plaintext port. Confirm the descriptor uses PORT=2484, not 1521. Port 1521 does not speak TLS and drops the handshake.
The Network Adapter could not establish the connection with a long timeout against 2484
Nothing is listening on 2484. The SSL option is not active on the instance, or the security group does not allow 2484 from the agent. A timeout rather than a fast refusal usually means no listener exists yet. Confirm the SSL option shows as active on the instance, then confirm the port from the agent host, for example with Test-NetConnection host -Port 2484.