How to Set Up SSL Certificates for DataSunrise Database Proxy
Most databases support verifying the server's identity with certificates. The check is performed while connecting to the server: if the certificate received from the server is authentic, the connection is established; otherwise it is treated as a man-in-the-middle attack. Depending on the DBMS, this server certificate check may be enabled or disabled by default. However, we recommend enabling the certificate check to keep your data safe.
For a direct connection between a database and a client application, the certificate check works as follows:
client(CA-cert) <---> server(Server-cert, Server-key)
- CA-cert – root certificate of the certification authority,
- Server-key – server private key,
- Server-cert – server certificate signed by the CA.
Let’s take a look at MySQL as an example.
The MySQL client is aware of the CA certificate. Server-cert and Server-key are on the server side. SSL mode can be enabled by the client. The default value of ssl_mode=prefer means that server certificate authentication is disabled. The ssl_mode parameter can also be set to:
- Verify-CA (I want my data encrypted and I accept the overhead. I want to be sure that I am connecting to a server I trust)
- Verify-Identity (I want my data encrypted and I accept the overhead. I want to be sure that I am connecting to a server I trust and that it’s the specified one)
Below is an example command for establishing a direct connection with the certificate check enabled:
$ mysql --host=localhost --port=3306 --user=root --ssl-ca=ca.pem --ssl_mode=VERIFY_CA
[root@3306][(none)]>
The following diagram shows the process of establishing a connection with DataSunrise certificate check enabled:
DataSunrise implements end-to-end encryption in a client-proxy-server chain.
Look at the diagram above: there are two connections. The first connection is established between a client and a DataSunrise proxy. DataSunrise proxy SSL configuration is used for the connection. To set it up, you need to have Proxy-key and Proxy-cert generated and signed by the CA certificate. It enables you to be sure that you are connecting to a genuine DataSunrise proxy.
The second connection is established between a DataSunrise proxy and a database server and its own SSL configuration is used. The DataSunrise proxy works as a client app here and also can verify a connection to an authentic server.
Please note that certificate authentication is an additional option for SSL encryption; it doesn’t work if SSL encryption is disabled.
It is also important that DataSunrise proxy is a transparent proxy and supports the encryption mode that is negotiated by the client and the database server. This means that it is impossible to encrypt only one connection in the chain. DataSunrise proxy can’t receive encrypted traffic from one end and send unencrypted traffic to the other end, or vice versa.
Here are the steps that enable you to set up an SSL certificate check in DataSunrise:
First connection
1. Navigate to Configuration → SSL Key Groups and click Add Group.
2. Input your Proxy-cert and Proxy-key into the corresponding fields. For this, you need to choose the Proxy type.
3. Navigate to Configuration → Databases. Open your database Instance page and click the “pencil” icon to edit proxy settings.
4. Select your SSL Key Group in the Proxy Keys drop-down list and save the settings.
Second connection
1. Navigate to Configuration → SSL Key Groups and click Add Group. Select Interface type and input your CA-cert into the CA field.
2. Navigate to Configuration → Databases, select your Instance and click the “pencil” icon to edit interface settings.
3. Specify the group created in the first step, select the certificate verification mode and save the settings. The modes are:
- Don’t verify – certificate check will not be performed,
- Verify CA only – server’s CA certificate will be verified,
- Verify CA and Identity – server’s CA certificate and server’s hostname in the certificate will be verified.
Once the steps above are completed, connecting to the proxy triggers a certificate check for the two servers and eliminates the possibility of MITM attacks.
$ mysql --host=localhost --port=3307 --user=root --ssl-ca=CA_Proxy.crt --ssl_mode=VERIFY_IDENTITY
[root@3307][(none)]>
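The first connection needs a Proxy-key and a Proxy-cert signed by the CA. The sketch below is an added example, not DataSunrise tooling or code from the original page. It issues such a pair with the openssl command line and reproduces the two checks behind "Verify CA only" and "Verify CA and Identity". The CA name, the host name proxy.example.internal and all file names are constructed for illustration, and a throwaway test CA stands in for your real one.

```shell
#!/bin/sh
# Added example. CA name, host names and file names are constructed.

# make_ca DIR: create a throwaway test CA (key in ca.key, CA-cert in ca.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_proxy_cert DIR HOST: create Proxy-key and a Proxy-cert signed by the
# CA in DIR, with HOST as both CN and subjectAltName.
issue_proxy_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/proxy.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/san.ext" -out "$1/proxy.crt" 2>/dev/null
}

# check_ca CA CERT: succeeds if CERT chains to CA (the "Verify CA only" check).
check_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_identity CA CERT HOST: chain check plus host name match
# (the "Verify CA and Identity" check).
check_identity() {
    check_ca "$1" "$2" || return 1
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null |
        grep -q "does match certificate"
}

# Demo: a cert issued for proxy.example.internal passes the CA check, but the
# identity check only passes for the name the client actually connects to.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && issue_proxy_cert "$dir" proxy.example.internal || return 1
    for host in proxy.example.internal localhost; do
        if check_identity "$dir/ca.pem" "$dir/proxy.crt" "$host"; then
            echo "$host: identity check passes"
        else
            echo "$host: identity check fails"
        fi
    done
    rm -rf "$dir"
}
demo
```

The certificate must name the host the client passes in --host: the command above connects to localhost with VERIFY_IDENTITY, so the Proxy-cert used there has to list localhost.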