Amazon Redshift
Management Guide (API Version 2012-12-01)

Configure Security Options for Connections

Amazon Redshift supports secure sockets layer (SSL) connections, which encrypt the data exchanged between your client and your cluster, and server certificates, which let the client verify that the server it connects to is really an Amazon Redshift cluster.

Connect Using SSL

To support SSL connections, Amazon Redshift creates and installs an SSL certificate on each cluster. The certificate of the certificate authority (CA) that issues these cluster certificates is published at https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem; this is the file your client uses to verify the server certificate. When you download this certificate on Windows or Linux operating systems, the file ends with the .pem extension. When you download it on Mac OS X operating systems, the file ends with the .cer extension. The expected MD5 checksum is 1314113b03bf3e6c49ea0b1d2dc03121. You can use the md5sum program (on Linux operating systems) or another tool (on Windows and Mac OS X operating systems) to verify that the file you downloaded matches this expected checksum. Download the file over HTTPS as shown in the URL: the TLS connection to S3 is what authenticates the download, and the checksum is there to detect a truncated or corrupted copy.

Important

SSL support in Amazon Redshift is strictly for encrypting the connection between your client and your cluster. Unless the client also verifies the server certificate, SSL does not authenticate the server, and a host that intercepts the connection could present its own certificate and impersonate the cluster. To authenticate the server, install the CA certificate (the .pem file) on your client and configure the client to verify the server certificate against it, as described in the ODBC and Java sections that follow.

By default, cluster databases accept a connection whether it uses SSL or not. To configure your cluster to require an SSL connection, set the require_ssl parameter to true in the parameter group that is associated with the cluster. For information about modifying a parameter group, see Modifying a Parameter Group.

Amazon Redshift supports the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key agreement protocol. With ECDHE, the client and server each generate a short-lived elliptic curve public-private key pair and use it to establish a shared secret over an insecure channel; because the key pairs are not reused, a later compromise of the server's long-term key does not expose recorded sessions. You do not need to configure anything in Amazon Redshift to enable ECDHE; if your SQL client tool offers ECDHE cipher suites, Amazon Redshift selects one from the cipher list the client provides when the connection is negotiated. For more information, see Elliptic Curve Diffie-Hellman on Wikipedia and Ciphers on the OpenSSL website.
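The download, checksum and handshake steps described above, as an added shell example that is not part of the Amazon Redshift documentation. It assumes curl and openssl are installed and, for check_cluster, an OpenSSL that understands -starttls postgres (1.1.1 or later) plus network access to the cluster endpoint; the CA URL and MD5 value are the ones on this page, the cluster endpoint and port are supplied by the caller, and the sample file in the usage comments is a constructed input.

```shell
#!/bin/sh
# Added example, not AWS tooling: fetch the Amazon Redshift CA certificate, check it against
# the MD5 checksum published on this page, inspect it, and probe a cluster the way a
# verify-ca client would. Assumes curl and openssl on PATH; check_cluster also assumes
# OpenSSL >= 1.1.1 (-starttls postgres) and network access to the cluster (assumption).

CA_URL="https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem"
EXPECTED_MD5="1314113b03bf3e6c49ea0b1d2dc03121"   # value published on this page

# md5_of <file>: print the lowercase MD5 hex digest using whichever tool the host has.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z'
  elif command -v md5 >/dev/null 2>&1; then        # macOS
    md5 -q "$1" | tr 'A-Z' 'a-z'
  else
    openssl dgst -md5 -r "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z'
  fi
}

# verify_checksum <file> [expected]: 0 if the digest matches, 1 otherwise (mismatch or no file).
verify_checksum() {
  file=$1; expected=${2:-$EXPECTED_MD5}
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  actual=$(md5_of "$file")
  [ "$actual" = "$expected" ] && return 0
  echo "checksum mismatch for $file: got $actual, expected $expected" >&2
  return 1
}

# fetch_ca <dest>: download over HTTPS only (the TLS connection to S3 authenticates the
# download; MD5 is too weak to defend against a deliberately substituted file, it only
# catches truncation or corruption). A file that fails the check is not kept.
fetch_ca() {
  dest=$1
  curl -fsS --proto '=https' -o "$dest" "$CA_URL" || return 1
  verify_checksum "$dest" || { rm -f "$dest"; return 1; }
}

# show_cert <pem>: issuer, validity window and a SHA-256 fingerprint you can record and
# compare on other hosts instead of re-trusting a fresh download each time.
show_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# check_cluster <endpoint> <pem> [port]: TLS handshake against the cluster trusting only the
# downloaded CA, reporting the verification result and the negotiated cipher (an ECDHE
# suite when the client offered one, as the ECDHE paragraph above describes).
check_cluster() {
  host=$1; pem=$2; port=${3:-5439}
  openssl s_client -connect "$host:$port" -starttls postgres -CAfile "$pem" </dev/null 2>/dev/null \
    | grep -E 'Verify return code|^New, '
}

# Stand-alone usage (assumed endpoint variable):
#   REDSHIFT_ENDPOINT=examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com sh redshift-ca.sh
if [ -n "${REDSHIFT_ENDPOINT:-}" ]; then
  fetch_ca ./redshift-ssl-ca-cert.pem \
    && show_cert ./redshift-ssl-ca-cert.pem \
    && check_cluster "$REDSHIFT_ENDPOINT" ./redshift-ssl-ca-cert.pem
fi
```

A "Verify return code: 0 (ok)" line from check_cluster means the cluster's certificate chains to the downloaded CA; any other code means a verify-ca client would refuse the connection, which is what you want to see before trusting a new endpoint.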

Using SSL and Server Certificates in ODBC

ODBC DSNs contain an sslmode setting that determines how to handle encryption for client connections and server certificate verification. Amazon Redshift supports the following sslmode values from the client connection:

  • disable

    SSL is disabled and the connection is not encrypted.

  • allow

    The client first tries an unencrypted connection and uses SSL only if the server requires it.

  • prefer

    SSL is used if the server supports it. Amazon Redshift supports SSL, so SSL is used when you set sslmode to prefer.

  • require

    SSL is required, but the server certificate is not verified.

  • verify-ca

    SSL must be used and the server certificate must be verified against the CA certificate installed on the client.

Amazon Redshift does not support verify-full. Note the difference: verify-ca checks only that the server certificate chains to the trusted CA; it does not check that the name in the certificate matches the host you connected to, which is the additional check verify-full would perform. For more information about sslmode options, see SSL Support in the PostgreSQL documentation.

To determine whether SSL is used and server certificates are verified in a connection between the client and the server, you need to review the sslmode setting for your ODBC DSN on the client and the require_ssl setting for the Amazon Redshift cluster on the server. The following table describes the encryption result for the various client and server setting combinations:

sslmode (client)     require_ssl (server)   Result
-------------------  ---------------------  ------------------------------------------------------------------
disable              false                  The connection is not encrypted.
disable              true                   The connection cannot be made: the server requires SSL and the client has SSL disabled.
allow                true                   The connection is encrypted; the server certificate is not verified.
allow                false                  The connection is not encrypted.
prefer or require    true                   The connection is encrypted; the server certificate is not verified.
prefer or require    false                  The connection is encrypted; the server certificate is not verified.
verify-ca            true                   The connection is encrypted and the server certificate is verified.
verify-ca            false                  The connection is encrypted and the server certificate is verified.

Connect Using the Server Certificate with ODBC on Microsoft Windows

If you want to connect to your cluster using SSL and the server certificate, you need to download the certificate to your client computer or Amazon EC2 instance, and then configure the ODBC DSN.

  1. Download the Amazon Redshift server certificate to your client computer at %APPDATA%\postgresql\, and save the file as root.crt.

  2. Open ODBC Data Source Administrator, and add or edit the system DSN entry for your ODBC connection. For SSL Mode, select verify-ca and then click Save.

    For more information about configuring the ODBC DSN, see Configure an ODBC Connection.

Connect Without Using the Server Certificate with ODBC

If you want to connect to your cluster without using the Amazon Redshift server certificate, you can configure your ODBC DSN to use one of the following SSL modes: allow, prefer, or require. With these settings, the connection uses SSL but does not verify the server certificate, so the client cannot tell a genuine cluster from a host that intercepts the connection and presents its own certificate. Use verify-ca wherever you can install the certificate.

Using SSL and Server Certificates in Java

SSL provides one layer of security by encrypting data that moves between your client and cluster. Using a server certificate provides an extra layer of security by validating that the cluster is an Amazon Redshift cluster. It does so by checking the server certificate that is automatically installed on all clusters that you provision. For more information about using server certificates with JDBC, go to Configuring the Client in the PostgreSQL documentation.

Connect Using the Server Certificate in Java

This section explains how to add the Amazon Redshift certificate to a Java keystore. The instructions assume that the Java installation indicated by your JAVA_HOME environment variable is the one used by the client you use to connect to your cluster. The system truststore is normally writable only by root, so we recommend that you run the commands in the task as the root user.

To connect using a server certificate

Use the keytool program to add the Amazon Redshift certificate to the Java system truststore on your client computer or Amazon EC2 instance. At a command prompt, use the following command:

${JAVA_HOME}/bin/keytool -keystore ${JAVA_HOME}/lib/security/cacerts -import -alias <alias> -file <certificate_filename>

Where <alias> is any user-provided string value and <certificate_filename> is the full path to the certificate file that you downloaded from https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem.

You will be prompted to enter and re-enter a password that will be used for working with the keystore. The default password for the cacerts keystore is changeit, although you should use whatever password belongs to the keystore if you have changed it.

If you do not have access to the cacerts keystore in the command above, you can create your own truststore by using the following command:

${JAVA_HOME}/bin/keytool -keystore <keystore_name> -alias <alias> -import -file <certificate_filename>

Where <keystore_name> is the keystore that your client application uses, and <alias> and <certificate_filename> correspond to the descriptions as previously described. You will be prompted to enter and re-enter a password that will be used for working with the keystore. Make note of this password for later use.

Then, when you start your Java application you must specify this keystore and password to use:

java -Djavax.net.ssl.trustStore=keystore_name -Djavax.net.ssl.trustStorePassword=password com.mycompany.MyApp
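The truststore procedure above, as an added shell example that is not AWS's own tooling. It builds a dedicated truststore instead of editing the system cacerts as root, reads the keystore password from an environment variable through keytool's -storepass:env form rather than placing it on the command line, and reads the entry back to confirm the import succeeded. It assumes a JDK keytool on PATH (the page uses ${JAVA_HOME}/bin/keytool) and a PEM file already downloaded and checksum-verified as described earlier; the file names, the alias and the TRUSTSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not AWS tooling: create a dedicated Java truststore holding the Amazon
# Redshift CA certificate, rather than modifying ${JAVA_HOME}/lib/security/cacerts as root.
# Assumptions: keytool (from a JDK) is on PATH; the PEM was downloaded and checksum-verified
# beforehand; TRUSTSTORE_PASS holds the truststore password (read by keytool via
# -storepass:env so it is not visible to other users in the process list).

# make_truststore <pem> <truststore> [alias]: import the CA certificate as a trusted entry.
# Returns 0 on success, 1 on bad input or a failed import, 2 if keytool is not installed.
make_truststore() {
  pem=$1; store=$2; alias=${3:-redshift-ca}
  [ -f "$pem" ] || { echo "certificate not found: $pem" >&2; return 1; }
  [ -n "${TRUSTSTORE_PASS:-}" ] || { echo "TRUSTSTORE_PASS is not set" >&2; return 1; }
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  # -noprompt: import non-interactively. The trust decision was already made when the
  # file's checksum was verified, so there is nothing to answer at keytool's prompt.
  keytool -importcert -noprompt -alias "$alias" -file "$pem" \
          -keystore "$store" -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1 \
    || { echo "keytool import failed for $pem" >&2; return 1; }
  # Read the entry back: a store the driver cannot open, or that lacks the alias, would
  # make every ssl=true connection fail at handshake time.
  keytool -list -keystore "$store" -storepass:env TRUSTSTORE_PASS -alias "$alias" >/dev/null 2>&1 \
    || { echo "alias $alias not readable from $store" >&2; return 1; }
}

# Stand-alone usage (file names are assumptions):
#   TRUSTSTORE_PASS='...' sh make-truststore.sh redshift-ssl-ca-cert.pem redshift-truststore.jks
# then start the application against that store, as the page's java command does:
#   java -Djavax.net.ssl.trustStore=redshift-truststore.jks \
#        -Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASS" com.mycompany.MyApp
if [ "$#" -eq 2 ]; then
  make_truststore "$1" "$2"
fi
```

Because the store contains only a public CA certificate, its password protects integrity rather than secrecy; still, keeping it out of shell history and the command line avoids leaking whatever value you also use for other keystores.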

If you have problems with adding the certificate to your truststore, you can review log information for errors. If you use SQL Workbench/J for the Amazon Redshift Getting Started Guide and other related exercises in the Amazon Redshift documentation, go to Configuration Directory in the SQL Workbench/J documentation to find where logs are stored. If you are using a different client tool, refer to the documentation that accompanies your tool to find where logs are stored.

Specify the following properties in your connection string:

  • Property name: ssl

  • Property value: true

For example, in SQL Workbench/J, you can specify the connection string with the ssl=true parameter in the JDBC URL:

jdbc:postgresql://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev?ssl=true

For more information about JDBC connections, see Obtain the JDBC URL.

In Java code you can specify the connection string as follows:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

Properties props = new Properties();
props.setProperty("ssl", "true");   // SSL on; the driver's default factory checks the server certificate against the JVM truststore
// <jdbc-connection-string> is the JDBC URL from Obtain the JDBC URL
Connection conn = DriverManager.getConnection(<jdbc-connection-string>, props);

For a full Java example using SSL, see Connecting to a Cluster by Using Java.

Connect Without Using the Server Certificate in Java

If you do not use the server certificate, you can still connect to your Amazon Redshift cluster over SSL; however, your client will not be able to validate that it is connecting to an Amazon Redshift cluster. The NonValidatingFactory shown below accepts any certificate the server presents, so an intercepting host could impersonate the cluster without the client noticing. Use it only where you cannot install the certificate, and never in production code that handles sensitive data.

To connect without using a server certificate

Specify the following properties in your connection string:

  • Property name: sslfactory

  • Property value: org.postgresql.ssl.NonValidatingFactory

The following is an example connection string for SQL Workbench/J:

jdbc:postgresql://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory

For more information about JDBC connections, see Obtain the JDBC URL.

In Java code you can specify the connection string as follows:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

Properties props = new Properties();
props.setProperty("ssl", "true");                                        // SSL on
props.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory"); // accept any server certificate: encryption only, no server authentication
// <jdbc-connection-string> is the JDBC URL from Obtain the JDBC URL
Connection conn = DriverManager.getConnection(<jdbc-connection-string>, props);