Seeq Knowledge Base

Connecting to Oracle Amazon RDS Instances with SSL

Connecting to Amazon RDS Instances

To connect to an RDS instance over SSL, the Remote Agent's Java trust store must trust the Amazon RDS certificate authority that signed your instance's certificate.

Step 1. Identify the JDK the Remote Agent runs

On a standard install this is:

C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts

If the agent is configured for remote upgrades, the running JDK can be located under the installation's data directory instead. Confirm the path by checking the command line of the running javaw.exe before importing. Importing into a JDK the agent does not run is a common cause of an import that appears to work but changes nothing.

Step 2. Back up the trust store

copy "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts" "C:\cacerts.backup"

Step 3. Download the certificate bundle for your region

curl -sS "https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem" -o C:\rds-bundle.pem

Replace us-east-1 with your instance's region. The global bundle at https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem also works and covers all regions, but it contains over one hundred certificates.

Step 4. Import every certificate from the bundle

This will have to be done on every remote agent upgrade.

This PowerShell script splits the bundle and imports each certificate using the keytool that ships inside the agent's JDK. It requires no additional software.

powershell

$ks = "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts"
$kt = "C:\Program Files\Seeq Server\jdk\files\bin\keytool.exe"
$bundle = "C:\rds-bundle.pem"

$certs = [regex]::Matches((Get-Content $bundle -Raw), "(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----")
$i = 0
foreach ($c in $certs) {
    $f = "C:\rds-ca-$i.pem"
    Set-Content -Path $f -Value $c.Value -Encoding ascii
    & $kt -import -trustcacerts -noprompt -alias "rds-ca-$i" -file $f -keystore $ks -storepass changeit
    Remove-Item $f
    $i++
}

Adjust the three paths at the top to match your install. The default trust store password is changeit.

Step 5. Restart the Remote Agent

The JVM reads cacerts once at startup. The new certificates take effect only after a full stop and start of the agent service, not a configuration reload.

Step 6. Verify

Confirm the import added entries:

keytool -list -keystore "C:\Program Files\Seeq Server\jdk\files\lib\security\cacerts" -storepass changeit | findstr rds

To confirm that the trust store can validate a specific instance, print the chain the server presents and check that its root appears in your trust store:

"C:\Program Files\Seeq Server\jdk\files\bin\keytool" -printcert -sslserver your-instance.your-region.rds.amazonaws.com:2484

Match by SHA-256 fingerprint, not by certificate name. AWS has issued more than one root sharing the same common name, so name matching is unreliable.

Requiring SSL for Oracle (TCPS)

Oracle does not use a connection flag for SSL the way MySQL and Postgres do. It runs SSL as a separate listener using the TCPS protocol on a dedicated port, by default 2484. Plain unencrypted connections continue on 1521.

Enable the SSL listener

Add the SSL option to the option group attached to the instance. The default option group cannot be edited, so create a custom option group for the correct engine edition and major version, add the SSL option to it, set SQLNET.SSL_VERSION to 1.2, then attach that option group to the instance. The instance listens on 2484 once the option becomes active. No reboot is required, but allow a few minutes for the option to apply.

Open the port

Add an inbound rule to the instance's security group allowing TCP 2484 from the Remote Agent.

Require SSL

Oracle on RDS has no server side force SSL parameter equivalent to rds.force_ssl. To require encryption, remove the inbound rule for 1521 so the only reachable listener is the encrypted one on 2484. This is network level enforcement. The database engine will still accept a plaintext session if something can reach 1521, so the security group is the control.

Configure the connection

The connector's Hostname and Port fields build a plain TCP URL. To use TCPS, set JdbcConnectionStringOverride with a full descriptor and leave Hostname, Port, and DatabaseName empty:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=your-instance.your-region.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=your_service)))

Use SID rather than SERVICE_NAME if your instance is addressed by SID. A mismatch here produces an ORA-12514 listener error, which is separate from any SSL problem.

Known Issues and Limitations

  • Importing the RDS certificate bundle with a single keytool -import command trusts only the first certificate in the file and silently ignores the rest. Import every certificate from the bundle. See Connecting to Amazon RDS Instances above.

  • The SQL connector validates database TLS against the JDK cacerts trust store. Certificates placed in the agent's keys\trusted folder are used for the agent to Seeq server connection but are not consulted for JDBC connections.

  • Certificates imported into cacerts are overwritten when the Remote Agent is upgraded. The import must be repeated after an upgrade. Plan for this when upgrading agents that connect to RDS over SSL.

Troubleshooting

PKIX path building failed: unable to find valid certification path to requested target

The agent does not trust the certificate authority that signed the server's certificate. Confirm three things in order: that you imported every certificate from the bundle rather than a single one, that you imported into the JDK the agent actually runs, and that the agent was fully restarted. Verify by matching the SHA-256 fingerprint of the server's root, from keytool -printcert -sslserver host:2484, against an entry in your trust store. Do not match by certificate name.

closing inbound before receiving peer's close_notify during the SSL handshake

The TCPS connection is pointed at the plaintext port. Confirm the descriptor uses PORT=2484, not 1521. Port 1521 does not speak TLS and drops the handshake.

The Network Adapter could not establish the connection with a long timeout against 2484

Nothing is listening on 2484. The SSL option is not active on the instance, or the security group does not allow 2484 from the agent. A timeout rather than a fast refusal usually means no listener exists yet. Confirm the SSL option shows as active on the instance, then confirm the port from the agent host, for example with Test-NetConnection host -Port 2484.