Appendix C. Using Databases Over SSL

Unbound CASP (Unbound’s Crypto Asset Security Platform, which provides the technology and architecture to secure crypto asset transactions) can use PostgreSQL or MySQL (installed via RDS) over SSL (Secure Sockets Layer, a cryptographic protocol that provides communications security over a computer network). The following instructions explain how to set up the environment.

C.1 RDS PostgreSQL Over SSL

C.1.1 Step 1: Create an RDS parameter group

  1. In the RDS console, create a new parameter group.
    1. In the RDS console, click Parameter groups.
    2. Click Create parameter group.
    3. In the screen that opens, enter a group name and description. The Parameter group family should be set to postgres9.6.
    4. Click Create.
  2. Click the name of your parameter group.
  3. Click Edit parameters.
  4. Under Parameters, search for rds.force_ssl.
  5. Change this parameter value to 1.
  6. Click Save changes.

C.1.2 Step 2: Update your RDS instance

  1. Find your RDS instance, then click on the name.
  2. Click Modify.
  3. In the Database options section, change the DB parameter group to the one created above.
  4. Click Continue at the bottom of the screen.
  5. Reboot the instance by clicking Actions, then Reboot.

C.1.3 Step 3: Configure PostgreSQL

Update the PostgreSQL configuration. See the Amazon documentation for more information.

  1. Log into PostgreSQL on your RDS server. For example:

    psql -h server.us-east-1.rds.amazonaws.com -p 5432 -U sa -d casp

  2. Run each of the following commands. The first installs the sslinfo extension; the other two report whether the current session uses SSL and which cipher it negotiated.

    create extension sslinfo;
    select ssl_is_used();
    select ssl_cipher();

  3. Exit the psql session on the RDS server.

C.1.4 Step 4: Configure SSL

  1. Try to log into your RDS server:

    psql -h server.us-east-1.rds.amazonaws.com -p 5432 -U sa -d casp

    With rds.force_ssl set, the server rejects connections that do not use SSL, so you get an error message like this one:

    psql: FATAL: no pg_hba.conf entry for host "18.208.181.219", user "sa", database "casp", SSL off

  2. Download the RDS CA certificate bundle:

    wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

  3. Copy the certificate into the PostgreSQL folder of the user that runs psql, creating the folder if it does not exist:

    sudo mkdir -p /root/.postgresql
    sudo cp rds-combined-ca-bundle.pem /root/.postgresql/root.crt

C.1.5 Step 5: Configure CASP

Update the CASP configuration file.

  1. In casp.conf, locate the PostgreSQL database URL line. For example:

    database.url=jdbc:postgresql://localhost:5432/casp

  2. Add “?ssl=true” to the URL. For example:

    database.url=jdbc:postgresql://localhost:5432/casp?ssl=true

  3. Restart CASP:

    sudo service casp.tomcat restart

C.1.6 Step 6: Check the SSL connection

Log into the RDS server.

psql -h server.us-east-1.rds.amazonaws.com -p 5432 -U sa -d casp

The response looks like:

psql (11.2, server 9.6.3)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
casp=>

You are now successfully logged into PostgreSQL on your RDS server using an SSL connection.

C.2 RDS MySQL Over SSL

Unbound CASP can use MySQL (installed via RDS) over SSL. The following instructions explain how to set up the environment.

C.2.1 Step 1: Configure the certificate

  1. Download the RDS CA certificate bundle:

    wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

  2. Convert the certificate format from PEM to DER:

    openssl x509 -outform der -in rds-combined-ca-bundle.pem -out rds-combined-ca-bundle.der

    Note that openssl x509 converts only the first certificate in a PEM file. If the bundle holds several CA certificates, split it and convert and import each one under its own alias.

  3. Add the certificate to the Java cacerts trust store (under security/ in the Java home) with keytool:

    sudo keytool -import -alias rds-combined-ca-bundle -keystore <JAVA HOME>/lib/security/cacerts -file rds-combined-ca-bundle.der
    Enter keystore password: <Keystore Password>
    Trust this certificate? [no]: yes

C.2.2 Step 2: Configure CASP

Update the CASP configuration file.

  1. In casp.conf, locate the MySQL database URL line. For example:

    database.url=jdbc:mysql://localhost:3306/casp

  2. Add the SSL flags to the URL. For example:

    database.url=jdbc:mysql://<SERVER NAME>:3306/casp?useSSL=true

    With useSSL=true alone the session is encrypted but the server certificate is not checked against the trust store. If you have an in-house CA and/or domain verification is required, also enable certificate verification:

    database.url=jdbc:mysql://<SERVER NAME>:3306/casp?useSSL=true&verifyServerCertificate=true&trustCertificateKeyStorePassword=<Keystore Password>

  3. Restart CASP:

    sudo service casp.tomcat restart
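Both the PostgreSQL procedure (step C.1.5) and the MySQL procedure above edit database.url by hand. The following shell script is an added example and is not part of the CASP documentation: it appends the SSL parameters for either driver, choosing "?" or "&" depending on whether the URL already carries a query string, skipping a parameter that is already present, and rewriting only the database.url line of a casp.conf file. For MySQL it applies the useSSL=true&verifyServerCertificate=true form (the trust-store password is deliberately not appended). The function names, the sample hostnames and the sample casp.conf it writes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the CASP documentation): enable JDBC SSL parameters
# in a database.url line without breaking a URL that already has a query
# string and without adding the same parameter twice.

# jdbc_add_param URL KEY=VALUE -> prints URL with KEY=VALUE appended
jdbc_add_param() {
    url=$1
    param=$2
    key=${param%%=*}
    case "$url" in
        *"?${key}="*|*"&${key}="*)
            # parameter already present: leave the URL unchanged
            printf '%s\n' "$url" ;;
        *\?*)
            # URL already has a query string: continue it with '&'
            printf '%s&%s\n' "$url" "$param" ;;
        *)
            printf '%s?%s\n' "$url" "$param" ;;
    esac
}

# ssl_params_for URL -> the parameters this appendix adds for each driver
ssl_params_for() {
    case "$1" in
        jdbc:postgresql:*) echo "ssl=true" ;;
        jdbc:mysql:*)      echo "useSSL=true verifyServerCertificate=true" ;;
        *)                 echo "" ;;
    esac
}

# jdbc_enable_ssl URL -> URL with the driver's SSL parameters appended
jdbc_enable_ssl() {
    url=$1
    for p in $(ssl_params_for "$url"); do
        url=$(jdbc_add_param "$url" "$p")
    done
    printf '%s\n' "$url"
}

# casp_conf_enable_ssl FILE -> rewrites the first database.url line in FILE
# in place; every other line is copied unchanged
casp_conf_enable_ssl() {
    conf=$1
    current=$(sed -n 's/^database\.url=//p' "$conf" | head -n 1)
    [ -n "$current" ] || { echo "no database.url line in $conf" >&2; return 1; }
    new=$(jdbc_enable_ssl "$current")
    tmp=$(mktemp)
    awk -v u="$new" '/^database\.url=/ { print "database.url=" u; next } { print }' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demo on constructed sample URLs (hostnames are placeholders)
jdbc_enable_ssl 'jdbc:postgresql://localhost:5432/casp'
jdbc_enable_ssl 'jdbc:mysql://db.example.internal:3306/casp'
```

Run it against a copy of casp.conf first (casp_conf_enable_ssl /tmp/casp.conf) and diff the result before touching the live file; the script does not restart CASP.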

C.2.3 Step 3: Check the SSL connection

Log into the RDS server (MySQL listens on port 3306; -P sets the port and -p prompts for the password):

mysql -h <SERVER NAME> -P 3306 -u sa -p casp --ssl-ca=rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

After logging in, execute \s to view the connection parameters. Verify that the SSL field shows that a cipher is in use.

The response looks like:

MySQL [casp]> \s
--------------
mysql Ver 15.1 Distrib 10.2.18-MariaDB, for Linux (x86_64) using readline 5.1
Connection id:          667
Current database:       casp
Current user:           sa@31.154.180.82
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MySQL
Server version:         8.0.15 Source distribution
Protocol version:       10
Connection:             servername.rds.amazonaws.co via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn. characterset:    utf8
TCP port:               3306
Uptime:                 2 hours 8 min 6 sec
Threads: 3 Questions: 6587 Slow queries: 0 Opens: 1078 Flush tables: 2 Open tables: 488 Queries per second avg: 0.857

You are now successfully logged into MySQL on your RDS server using an SSL connection.
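Step C.1.6 and the MySQL check above both rely on reading a client banner by eye. The following shell functions are an added example, not part of the CASP documentation: they read the psql login banner or the mysql \s output from standard input, extract the negotiated protocol and cipher, and return a non-zero status when the session is not encrypted or when psql reports a protocol older than TLS 1.2. The sample banners are constructed from the ones shown in this appendix; the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the CASP documentation): check client banners for
# evidence that the database session is actually encrypted.

# psql prints "SSL connection (protocol: ..., cipher: ..., bits: ..., ...)"
# only for an encrypted session. Reads the banner on stdin and prints
# "<protocol> <cipher>"; returns 1 if the line is missing or the protocol is
# older than TLS 1.2.
psql_ssl_check() {
    line=$(grep '^SSL connection' | head -n 1)
    [ -n "$line" ] || { echo "psql: no SSL connection line in banner" >&2; return 1; }
    proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol: \([^,]*\),.*/\1/p')
    cipher=$(printf '%s\n' "$line" | sed -n 's/.*cipher: \([^,]*\),.*/\1/p')
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "psql: weak or unknown protocol '$proto'" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$proto" "$cipher"
}

# mysql's \s output carries "SSL: Cipher in use is <name>" for an encrypted
# session and "SSL: Not in use" otherwise. Reads the \s output on stdin and
# prints the cipher name; returns 1 when the session is not encrypted.
mysql_ssl_check() {
    line=$(grep '^SSL:' | head -n 1)
    case "$line" in
        *"Cipher in use is "*)
            printf '%s\n' "${line##*Cipher in use is }" ;;
        *)
            echo "mysql: session is not encrypted (${line:-no SSL line})" >&2
            return 1 ;;
    esac
}

# Constructed sample banners, modelled on the ones shown in this appendix
PSQL_BANNER='psql (11.2, server 9.6.3)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.'

MYSQL_STATUS='Connection id:          667
Current database:       casp
SSL:                    Cipher in use is AES256-SHA
TCP port:               3306'

# Constructed sample of an unencrypted mysql session
MYSQL_PLAIN='Connection id:          668
SSL:                    Not in use'

# Demo: both checks succeed on the encrypted samples
printf '%s\n' "$PSQL_BANNER" | psql_ssl_check
printf '%s\n' "$MYSQL_STATUS" | mysql_ssl_check
```

In practice, feed the functions the real output, for example `psql ... -c 'select 1' 2>&1 | psql_ssl_check` or `mysql ... -e '\s' | mysql_ssl_check`, and let the non-zero exit status fail a deployment check.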