Amazon Redshift
Management Guide (API Version 2012-12-01)

Configure Security Options for Connections

Amazon Redshift supports Secure Sockets Layer (SSL) connections to encrypt data in transit, and server certificates so that the client can validate the identity of the server it connects to.

Connect Using SSL

To support SSL connections, Amazon Redshift creates and installs an AWS Certificate Manager (ACM) issued SSL certificate on each cluster. The set of Certificate Authorities that you must trust in order to properly support SSL connections can be found at https://s3.amazonaws.com/redshift-downloads/redshift-ca-bundle.crt. If the certificate bundle doesn't download, right-click the previous link and choose Save link as....

Important

Amazon Redshift has changed the way that we manage SSL certificates. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see Transitioning to ACM Certificates for SSL Connections.

By default, cluster databases accept a connection whether it uses SSL or not. To configure your cluster to require an SSL connection, set the require_SSL parameter to true in the parameter group that is associated with the cluster.

Amazon Redshift supports the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key agreement protocol. With ECDHE, the client and server each have an elliptic curve public-private key pair that is used to establish a shared secret over an insecure channel. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from a SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection. For more information, see Elliptic Curve Diffie-Hellman on Wikipedia and Ciphers on the OpenSSL website.

Using SSL and Trust CA Certificates in ODBC

If you connect using the latest Amazon Redshift ODBC drivers (version 1.3.7.1000 or later), you can skip this section. To download the latest drivers, see Configure an ODBC Connection.

You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see Transitioning to ACM Certificates for SSL Connections.

The Amazon Redshift certificate authority bundle is stored at https://s3.amazonaws.com/redshift-downloads/redshift-ca-bundle.crt. If the certificate bundle doesn't download, right-click the previous link and choose Save link as.... The expected MD5 checksum is e7a76d62fc7775ac54cfc4d21e89d36b, and the expected SHA-256 checksum is e77daa6243a940eb2d144d26757135195b4bdefd345c32a064d4ebea02b9f8a1. You can use the md5sum or sha256sum program (on Linux operating systems) or another checksum tool (on Windows and Mac OS X operating systems) to verify that the certificate bundle you downloaded matches these expected checksums.

ODBC DSNs contain an sslmode setting that determines how to handle encryption for client connections and server certificate verification. Amazon Redshift supports the following sslmode values from the client connection:

  • disable

    SSL is disabled and the connection is not encrypted.

  • allow

    SSL is used if the server requires it.

  • prefer

    SSL is used if the server supports it. Amazon Redshift supports SSL, so SSL is used when you set sslmode to prefer.

  • require

    SSL is required.

  • verify-ca

    SSL must be used and the server certificate must be verified.

  • verify-full

    SSL must be used. The server certificate must be verified and the server hostname must match the hostname attribute on the certificate.

To determine whether SSL is used and server certificates are verified in a connection between the client and the server, you need to review the sslmode setting for your ODBC DSN on the client and the require_SSL setting for the Amazon Redshift cluster on the server. The following table describes the encryption result for the various client and server setting combinations:

sslmode (client)    require_SSL (server)   Result
------------------  ---------------------  ---------------------------------------------------------------
disable             false                  The connection is not encrypted.
disable             true                   The connection cannot be made because the server requires SSL and the client has SSL disabled for the connection.
allow               true                   The connection is encrypted.
allow               false                  The connection is not encrypted.
prefer or require   true                   The connection is encrypted.
prefer or require   false                  The connection is encrypted.
verify-ca           true                   The connection is encrypted and the server certificate is verified.
verify-ca           false                  The connection is encrypted and the server certificate is verified.
verify-full         true                   The connection is encrypted and the server certificate and hostname are verified.
verify-full         false                  The connection is encrypted and the server certificate and hostname are verified.
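The sslmode list and the table above describe what each setting verifies. The following Python is an added example, not code from the Amazon Redshift documentation or drivers: it maps each sslmode to the verification a TLS client actually performs, reproduces the client/server table, and checks a downloaded bundle against the SHA-256 checksum given above. The bundle path is an assumption and the sample bytes are constructed.

```python
import hashlib
import ssl
from typing import Optional

# Expected SHA-256 of redshift-ca-bundle.crt, as published on this page.
BUNDLE_SHA256 = "e77daa6243a940eb2d144d26757135195b4bdefd345c32a064d4ebea02b9f8a1"

# sslmode -> (encrypt, verify CA chain, verify hostname), following the list above.
SSLMODE_POLICY = {
    "disable":     (False, False, False),
    "allow":       (True,  False, False),  # encrypted only when the server requires SSL
    "prefer":      (True,  False, False),
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def connection_outcome(sslmode: str, require_ssl: bool) -> str:
    """Reproduce the client/server table: what a given sslmode/require_SSL pair results in."""
    encrypt, verify_ca, verify_host = SSLMODE_POLICY[sslmode]
    if not encrypt:
        return "refused" if require_ssl else "plaintext"
    if sslmode == "allow" and not require_ssl:
        return "plaintext"
    if verify_host:
        return "encrypted, certificate and hostname verified"
    if verify_ca:
        return "encrypted, certificate verified"
    return "encrypted, server not authenticated"

def bundle_matches_published_hash(bundle_bytes: bytes, expected_hex: str = BUNDLE_SHA256) -> bool:
    """Check the bytes of a downloaded CA bundle against the SHA-256 checksum published above."""
    return hashlib.sha256(bundle_bytes).hexdigest() == expected_hex

def client_context(sslmode: str, bundle_path: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Build the SSLContext a client honouring sslmode would use; None means no TLS at all."""
    encrypt, verify_ca, verify_host = SSLMODE_POLICY[sslmode]
    if not encrypt:
        return None
    ctx = ssl.create_default_context()
    if not verify_ca:
        # allow/prefer/require: encrypted, but any certificate is accepted (no server authentication)
        ctx.check_hostname = False          # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = verify_host        # verify-ca skips the hostname match; verify-full enforces it
    if bundle_path:                         # assumed path, e.g. root.crt in the driver's lib folder
        ctx.load_verify_locations(cafile=bundle_path)
    return ctx
```

Note that with require or prefer the session is encrypted but the client never authenticates the server; only verify-ca and verify-full use the CA bundle, and only verify-full ties the certificate to the cluster hostname.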

Connect Using the Server Certificate with ODBC on Microsoft Windows

If you want to connect to your cluster using SSL and the server certificate, you need to download the certificate to your client computer or Amazon EC2 instance, and then configure the ODBC DSN.

  1. Download the Amazon Redshift Certificate Authority Bundle to the lib folder in your driver installation directory on your client computer, and save the file as root.crt.

  2. Open ODBC Data Source Administrator, and add or edit the system DSN entry for your ODBC connection. For SSL Mode, select verify-full unless you use a DNS alias. If you use a DNS alias, select verify-ca. Then click Save.

    For more information about configuring the ODBC DSN, see Configure an ODBC Connection.

Using SSL and Server Certificates in Java

SSL provides one layer of security by encrypting data that moves between your client and cluster. Using a server certificate provides an extra layer of security by validating that the cluster is an Amazon Redshift cluster. It does so by checking the server certificate that is automatically installed on all clusters that you provision. For more information about using server certificates with JDBC, go to Configuring the Client in the PostgreSQL documentation.

Connect Using Trust CA Certificates in Java

If you connect using the latest Amazon Redshift JDBC drivers (version 1.2.8.1005 or later), you can skip this section. To download the latest drivers, see Configure a JDBC Connection.

Important

Amazon Redshift has changed the way that we manage SSL certificates. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see Transitioning to ACM Certificates for SSL Connections.

To connect using trust CA certificates

You can use redshift-keytool.jar to import CA certificates in the Redshift Certificate Authority bundle into a Java TrustStore or your private TrustStore.

  1. If you use the Java command line -Djavax.net.ssl.trustStore option, remove it from the command line, if possible.

  2. Download the redshift-keytool.jar file.

  3. Do one of the following:

    • To import the Redshift Certificate Authority bundle into the Java TrustStore, run the following command:

      java -jar redshift-keytool.jar -s

    • To import the Redshift Certificate Authority bundle into your private TrustStore, run the following command:

      java -jar redshift-keytool.jar -k <your_private_trust_store> -p <keystore_password>