Configuring authentication and SSL - Amazon Redshift

Configuring authentication and SSL

To protect data from unauthorized access, Amazon Redshift data stores require all connections to be authenticated using user credentials. Some data stores also require connections to be made over the Secure Sockets Layer (SSL) protocol, either with or without one-way authentication.

The Amazon Redshift JDBC driver version 2.1 provides full support for these authentication protocols.

The SSL version that the driver supports depends on the JVM version that you are using. For information about the SSL versions that are supported by each version of Java, see Diagnosing TLS, SSL, and HTTPS on the Java Platform Group Product Management Blog.

The SSL version used for the connection is the highest version that is supported by both the driver and the server, which is determined at connection time.

Configure the Amazon Redshift JDBC driver version 2.1 to authenticate your connection according to the security requirements of the Redshift server that you are connecting to.

You must always provide your Redshift user name and password to authenticate the connection. Depending on whether SSL is enabled and required on the server, you might also need to configure the driver to connect through SSL. Or you might use one-way SSL authentication so that the client (the driver itself) verifies the identity of the server.

You provide the configuration information to the driver in the connection URL. For more information about the syntax of the connection URL, see Building the connection URL.

In this topic, SSL refers to both Transport Layer Security (TLS) and Secure Sockets Layer (SSL). The driver supports industry-standard versions of TLS/SSL.

Using user name and password only

If the server you are connecting to doesn't use SSL, then you only need to provide your Redshift user name and password to authenticate the connection.

To configure authentication using your Redshift user name and password only
  1. Set the UID property to your Redshift user name for accessing the Amazon Redshift server.

  2. Set the PWD property to the password corresponding to your Redshift user name.

Using SSL without identity verification

If the server you are connecting to uses SSL but doesn't require identity verification, then you can configure the driver to use a non-validating SSL factory.

To configure an SSL connection without identity verification
  1. Set the UID property to your Redshift user name for accessing the Amazon Redshift server.

  2. Set the PWD property to the password corresponding to your Redshift user name.

  3. Set the SSLFactory property to com.amazon.redshift.ssl.NonValidatingFactory.

Using one-way SSL authentication

If the server you are connecting to uses SSL and has a certificate, then you can configure the driver to verify the identity of the server using one-way authentication.

One-way authentication requires a signed, trusted SSL certificate for verifying the identity of the server. You can configure the driver to use a specific certificate or access a TrustStore that contains the appropriate certificate. If you don't specify a certificate or TrustStore, then the driver uses the default Java TrustStore (typically either jssecacerts or cacerts).

To configure one-way SSL authentication
  1. Set the UID property to your Redshift user name for accessing the Amazon Redshift server.

  2. Set the PWD property to the password corresponding to your Redshift user name.

  3. Set the SSL property to true.

  4. Set the SSLRootCert property to the location of your root CA certificate.

  5. If you aren't using one of the default Java TrustStores, then do one of the following:

    • To specify a server certificate, set the SSLRootCert property to the full path of the certificate.

    • To specify a TrustStore, do the following:

      1. Use the keytool program to add the server certificate to the TrustStore that you want to use.

      2. Specify the TrustStore and password to use when starting the Java application using the driver. For example:

        -Djavax.net.ssl.trustStore=[TrustStoreName] -Djavax.net.ssl.trustStorePassword=[TrustStorePassword] -Djavax.net.ssl.trustStoreType=[TrustStoreType]

  6. Choose one:

    • To validate the certificate, set the SSLMode property to verify-ca.

    • To validate the certificate and verify the host name in the certificate, set the SSLMode property to verify-full.
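The three configurations above side by side, as an added example that is not part of the AWS documentation or the driver's own code. It assumes the Redshift JDBC driver 2.1 is on the classpath, uses a placeholder cluster endpoint, reads the user name and password from the environment, and names a hypothetical root CA bundle path; the non-validating variant is included only to make its weakness visible next to the verify-full variant.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class RedshiftSslConnect {
    // Placeholder cluster endpoint and database; replace with your own.
    static final String URL =
        "jdbc:redshift://example-cluster.abc123.us-east-1.redshift.amazonaws.com:5439/dev";

    // Every configuration starts with the UID/PWD pair.
    static Properties credentials(String user, String password) {
        Properties p = new Properties();
        p.setProperty("UID", user);
        p.setProperty("PWD", password);
        return p;
    }

    // SSL without identity verification: the channel is encrypted, but any
    // certificate is accepted, so the driver cannot tell a spoofed endpoint
    // from the real cluster. Only for servers that offer no verifiable cert.
    static Properties sslNoVerify(String user, String password) {
        Properties p = credentials(user, password);
        p.setProperty("SSLFactory", "com.amazon.redshift.ssl.NonValidatingFactory");
        return p;
    }

    // One-way SSL: validate the chain against the root CA file and check that
    // the certificate's host name matches the endpoint in the URL.
    static Properties sslVerifyFull(String user, String password, String rootCaPath) {
        Properties p = credentials(user, password);
        p.setProperty("SSL", "true");
        p.setProperty("SSLRootCert", rootCaPath);
        p.setProperty("SSLMode", "verify-full"); // verify-ca would skip the host name check
        return p;
    }

    public static void main(String[] args) throws SQLException {
        // Credentials from the environment rather than hard-coded in the source.
        String user = System.getenv("REDSHIFT_USER");
        String password = System.getenv("REDSHIFT_PASSWORD");
        // Hypothetical path to the root CA bundle that signed the cluster certificate.
        Properties props = sslVerifyFull(user, password, "/etc/ssl/certs/redshift-ca-bundle.crt");
        try (Connection conn = DriverManager.getConnection(URL, props)) {
            System.out.println("Connected over TLS; server identity verified");
        }
    }
}
```

If the CA bundle path is wrong or the endpoint name does not match the certificate, getConnection throws an SQLException instead of silently falling back to an unverified connection.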

Configuring IAM authentication

If you are connecting to an Amazon Redshift server using IAM authentication, set the following properties as part of your data source connection string.

For more information on IAM authentication, see Identity and access management in Amazon Redshift.

To use IAM authentication, use one of the following connection string formats:

  jdbc:redshift:iam://[host]:[port]/[db]
    A regular connection string. The driver infers the ClusterID and Region from the host.

  jdbc:redshift:iam://[cluster-id]:[region]/[db]
    The driver retrieves the host information, given the ClusterID and Region.

  jdbc:redshift:iam://[host]/[db]
    The driver defaults to port 5439 and infers the ClusterID and Region from the host. If you selected a different port when creating, modifying, or migrating the cluster, make sure that access to that port is allowed.

Specifying profiles

If you are using IAM authentication, you can specify any additional required or optional connection properties under a profile name. By doing this, you can avoid putting certain information directly in the connection string. You specify the profile name in your connection string using the Profile property.

Profiles can be added to the AWS credentials file. The default location for this file is: ~/.aws/credentials

You can change the default value by setting the path in the following environment variable: AWS_CREDENTIAL_PROFILES_FILE

For more information about profiles, see Working with AWS Credentials in the AWS SDK for Java.

Using instance profile credentials

If you are running an application on an Amazon EC2 instance that is associated with an IAM role, you can connect using the instance profile credentials.

To do this, use one of the IAM connection string formats in the preceding table, and set the dbuser connection property to the Amazon Redshift user name that you are connecting as.

For more information about instance profiles, see Access Management in the IAM User Guide.

Using credential providers

The driver also supports credential provider plugins from the following services:

  • Active Directory Federation Service (ADFS)

  • JSON Web Tokens (JWT) Service

  • Microsoft Azure Active Directory (AD) Service and Browser Microsoft Azure Active Directory (AD) Service

  • Okta Service

  • PingFederate Service

  • Browser SAML for SAML services such as Okta, Ping, or ADFS

If you use one of these services, the connection URL needs to specify the following properties:

  • Plugin_Name – The fully-qualified class path for your credentials provider plugin class.

  • IdP_Host – The host for the service that you are using to authenticate into Amazon Redshift.

  • IdP_Port – The port that the host for the authentication service listens at. Not required for Okta.

  • User – The user name for the idp_host server.

  • Password – The password associated with the idp_host user name.

  • DbUser – The Amazon Redshift user name you are connecting as.

  • SSL_Insecure – Indicates whether the IDP server certificate should be verified.

  • Client_ID – The client ID associated with the user name in the Azure AD portal. Only used for Azure AD.

  • Client_Secret – The client secret associated with the client ID in the Azure AD portal. Only used for Azure AD.

  • IdP_Tenant – The Azure AD tenant ID for your Amazon Redshift application. Only used for Azure AD.

  • App_ID – The Okta app ID for your Amazon Redshift application. Only used for Okta.

  • App_Name – The optional Okta app name for your Amazon Redshift application. Only used for Okta.

  • Partner_SPID – The optional partner SPID (service provider ID) value. Only used for PingFederate.

If you are using a browser plugin for one of these services, the connection URL can also include:

  • Login_URL – The URL for the resource on the identity provider's website when using the Security Assertion Markup Language (SAML) or Azure AD services through a browser plugin. This parameter is required if you are using a browser plugin.

  • Listen_Port – The port that the driver uses to get the SAML response from the identity provider when using the SAML or Azure AD services through a browser plugin.

  • IdP_Response_Timeout – The amount of time, in seconds, that the driver waits for the SAML response from the identity provider when using the SAML or Azure AD services through a browser plugin.
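The IAM connection string formats, the instance-profile and named-profile variants, and the credential provider plugin properties from the two sections above, as one added example that is not part of the AWS documentation or the driver's own code. It assumes the Redshift JDBC driver 2.1 is on the classpath; the cluster name, Region, database, Redshift user and profile name are placeholders, and the plugin class name is passed in by the caller rather than assumed here.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class RedshiftIamConnect {
    // ClusterID/Region form of the IAM URL; the driver resolves the host itself.
    // Cluster name, Region and database are placeholders.
    static final String IAM_URL = "jdbc:redshift:iam://example-cluster:us-east-1/dev";

    // EC2 instance profile: no keys in the application; the role attached to the
    // instance supplies them, so only the Redshift user to connect as is needed.
    static Properties instanceProfile(String dbUser) {
        Properties p = new Properties();
        p.setProperty("DbUser", dbUser);
        return p;
    }

    // Named profile from ~/.aws/credentials (or AWS_CREDENTIAL_PROFILES_FILE); keeps
    // keys and any extra driver properties out of the connection URL.
    static Properties namedProfile(String dbUser, String profileName) {
        Properties p = instanceProfile(dbUser);
        p.setProperty("Profile", profileName);
        return p;
    }

    // Federated sign-in through a credential provider plugin; pluginClass is the
    // fully qualified class name of the plugin (passed in, not hard-coded here).
    static Properties idpPlugin(String dbUser, String pluginClass, String idpHost,
                                int idpPort, String idpUser, String idpPassword) {
        Properties p = instanceProfile(dbUser);
        p.setProperty("Plugin_Name", pluginClass);
        p.setProperty("IdP_Host", idpHost);
        p.setProperty("IdP_Port", Integer.toString(idpPort));
        p.setProperty("User", idpUser);
        p.setProperty("Password", idpPassword);
        p.setProperty("SSL_Insecure", "false"); // keep verifying the IdP certificate
        return p;
    }

    public static void main(String[] args) throws SQLException {
        Properties props = namedProfile("analyst", "redshift-analyst");
        try (Connection conn = DriverManager.getConnection(IAM_URL, props)) {
            System.out.println("Connected to Redshift with IAM credentials");
        }
    }
}
```

For Okta the IdP_Port property is not needed, and the Azure AD and Okta plugins take their additional properties (Client_ID, Client_Secret, IdP_Tenant, App_ID, App_Name) the same way, through setProperty.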

For information on additional connection string properties, see Options for JDBC driver version 2.1 configuration.