Deep Security Manager (DSM) connects to AWS RDS PostgreSQL with SSL enforce

Product / Version includes:

Deep Security11.1 , Deep Security11.2 , Deep Security20.0 , Deep Security11.0 , Deep Security12.0 , Deep SecurityAll

Last updated: 2021/08/28

Solution ID: KA-0010286

Category: Configure , Troubleshoot , Deploy , Upgrade

Summary

When the PostgreSQL database is configured with enforced SSL connection, you may encounter database connection issues because the DSM cannot verify the certificate.

When the communication encryption is enabled for PostgreSQL database, by doing the following:

Open the \webclient\webapps\ROOT\WEB-INF\dsm.properties file in a text editor.
Add the following line:
database.PostgreSQL.connectionParameters=ssl=true

Deep Security uses the default Java runtime cacerts to verify the PostgreSQL server certificate. If the certificate is self-signed or from AWS RDS, it requires to import the cacerts. This file will be upgraded when the DSM is upgraded. It is recommended to do the following workaround to avoid this issue.

Use this workaround for Linux:

Download the AWS RDS certificate from this AWS user guide.
Copy the java runtime cacerts to /opt/dsm:
cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/cacerts
Import certificate to /opt/dsm/cacerts:
/opt/dsm/jre/bin/keytool -import -alias rds-root -keystore /opt/dsm/cacerts -file rds-ca-2019-root.der -storepass <changeit>
Create a file named dsm_s.vmoptions in the /opt/dsm/ and add the following text in the file:
-Djavax.net.ssl.trustStore=/opt/dsm/cacerts
-Djavax.net.ssl.trustStorePassword=<changeit>

Use this workaround for Windows:

Download AWS RDS certificate from this AWS user guide.
Copy the java run time cacerts to C:\Program Files\Trend Micro\Deep Security Manager:
copy C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts C:\Program Files\Trend Micro\Deep Security\cacerts
Import certificate to C:\Program Files\Trend Micro\Deep Security\cacerts:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\keytool -import -alias rds-root -keystore C:\Program Files\Trend Micro\Deep Security\cacerts
-file rds-ca-2019-root.der -storepass <changeit>
Create a file named Deep Security Manager.vmoptions in the C:\Program Files\Trend Micro\Deep Security Manager and add the following text in the file:
-Djavax.net.ssl.trustStore to C:\Program Files\Trend Micro\Deep Security Manager\cacerts
-Djavax.net.ssl.trustStorePassword=<changeit>

The workaround provided is only applicable to DSM version 12.0 and below. For DSM 12.5, the JDBC PostgreSQL driver has been upgraded and has a different behavior.
When upgrading to DSM 11.x or 12.0, keep the encryption enabled during the upgrade by applying the vmoptions file for the DSM installer:
- For Linux, copy dsm_s.vmoptions to the same folder with DSM installer and rename it to your installer file name.
  For example, Manager-Linux-12.0.xxx.x64.sh.vmoptions
- For Windows, copy Deep Security Manager.vmoptions to the same folder with DSM installer and rename it to your installer file name.
  For example, Manager-Windows-12.0.xxx.x64.vmoptions

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Deep Security Manager (DSM) connects to AWS RDS PostgreSQL with SSL enforce

Deep Security Manager (DSM) connects to AWS RDS PostgreSQL with SSL enforce

Product / Version includes:

Summary