Add global cert #569

Closed
wants to merge 2 commits into from
Expand Up @@ -68,7 +68,7 @@ public class DocumentDbConnectionProperties extends Properties {

private static final Logger LOGGER = LoggerFactory.getLogger(DocumentDbConnectionProperties.class.getName());
private static final Pattern WHITE_SPACE_PATTERN = Pattern.compile("^\\s*$");
private static final String ROOT_2019_PEM_RESOURCE_FILE_NAME = "/rds-ca-2019-root.pem";
private static final String GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME = "/global-bundle.pem";
private static final String ROOT_2021_PEM_RESOURCE_FILE_NAME = "/rds-prod-root-ca-2021.pem";
public static final String HOME_PATH_PREFIX_REG_EXPR = "^~[/\\\\].*$";
public static final int FETCH_SIZE_DEFAULT = 2000;
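Review bot: `GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME` replaces the 2019 root constant while `ROOT_2021_PEM_RESOURCE_FILE_NAME` is kept next to it, but nothing in the code records where the embedded bundle comes from or when it was captured. Please add a comment beside these constants with the download source (the setup.md hunk in this PR uses https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem) and the date it was taken, so the refresh procedure is discoverable from the code, and confirm whether the separate 2021 root is still required once the global bundle is embedded or whether it is already contained in the bundle.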
Expand Down Expand Up @@ -1431,9 +1431,9 @@ void appendEmbeddedAndOptionalCaCertificates(final List<Certificate> caCertifica
}
}
// Load embedded CA root certificates.
try (InputStream pem2019ResourceAsStream = getClass().getResourceAsStream(ROOT_2019_PEM_RESOURCE_FILE_NAME);
try (InputStream globalBundleResourceAsStream = getClass().getResourceAsStream(GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME);
InputStream pem2021ResourceAsStream = getClass().getResourceAsStream(ROOT_2021_PEM_RESOURCE_FILE_NAME)) {
caCertificates.addAll(CertificateUtils.loadCertificate(pem2019ResourceAsStream));
caCertificates.addAll(CertificateUtils.loadCertificate(globalBundleResourceAsStream));
caCertificates.addAll(CertificateUtils.loadCertificate(pem2021ResourceAsStream));
}
}
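Review bot: the embedded bundle is re-read and re-parsed from the classpath on every call to `appendEmbeddedAndOptionalCaCertificates`, and with this change it is a 3,028-line file yielding well over a hundred certificates (per the updated test assertions) rather than a single root; consider parsing the embedded resources once into an immutable static list and appending from that. Separately, `getClass().getResourceAsStream(...)` returns `null` when the resource is missing from the JAR and the stream is handed straight to `CertificateUtils.loadCertificate`, so a mis-packaged build would fail with a NullPointerException; an explicit null check with a clear error message ("embedded CA bundle not found") would make that failure obvious.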
3,028 changes: 3,028 additions & 0 deletions src/main/resources/global-bundle.pem


24 changes: 0 additions & 24 deletions src/main/resources/rds-ca-2019-root.pem

This file was deleted.

46 changes: 23 additions & 23 deletions src/markdown/setup/connection-string.md


4 changes: 2 additions & 2 deletions src/markdown/setup/setup.md
Expand Up @@ -36,12 +36,12 @@ If you are connecting to a TLS-enabled cluster, you may want to specify the Amaz
on your connection string. By default, an Amazon RDS Certificate Authority root certificate has been embedded in the
JDBC driver JAR file which should work when connecting to Amazon DocumentDB clusters using SSL/TLS encryption. However,
if you want to provide a new Amazon RDS Certificate Authority root certificate, follow the directions below:
1. [Download the root CA certificate](https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem)
1. [Download the root CA certificate](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem)
2. It is recommended to relocate the file to your user's home directory: `$HOME` for Windows or `~` for MacOS/Linux.
3. Add the `tlsCAFile` option to your [JDBC connection string](connection-string.md). For example:

~~~
jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=rds-ca-2019-root.pem
jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=global-bundle.pem
~~~

To determine whether your cluster is TLS-enabled, you can
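Review bot: the unchanged context above still says "an Amazon RDS Certificate Authority root certificate has been embedded", singular; after this change the driver embeds the global bundle, so the wording should say that a bundle of RDS root certificates covering all regions is embedded, and the link text "Download the root CA certificate" should likewise say "certificate bundle". The example connection string also carries `tlsAllowInvalidHostnames=true`, which disables hostname verification; it is unrelated to the CA file change, but since this is the example users will copy, a sentence saying when that option is appropriate (the `localhost` case) and that it should be omitted for direct connections would be worth adding in the same pass.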
4 changes: 2 additions & 2 deletions src/markdown/support/troubleshooting-guide.md
Expand Up @@ -119,8 +119,8 @@ The online security resources may give a pointer how to fix this.
See [Specifying the Amazon RDS Certificate Authority Certificate File](../setup/setup.md#specifying-the-amazon-rds-certificate-authority-certificate-file).
1. Copy the file to your home directory.
1. Provide the root certificate file name in the connection.
- Tableau: *TLS Certificate Authority File (Optional)* : `~/rds-ca-2019-root.pem`
- DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/rds-ca-2019-root.pem`
- Tableau: *TLS Certificate Authority File (Optional)* : `~/global-bundle.pem`
- DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/global-bundle.pem`

### Invalid hostname
#### What to look for:
Expand Up @@ -65,7 +65,7 @@ public void testValidProperties() {
properties.setTlsAllowInvalidHostnames("true");
properties.setTlsEnabled("true");
properties.setRetryReadsEnabled("true");
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.setSshUser("SSHUSER");
properties.setSshHostname("SSHHOST");
properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");
Expand All @@ -89,7 +89,7 @@ public void testValidProperties() {
Assertions.assertTrue(properties.getTlsEnabled());
Assertions.assertTrue(properties.getTlsAllowInvalidHostnames());
Assertions.assertTrue(properties.getRetryReadsEnabled());
Assertions.assertEquals("src/main/resources/rds-ca-2019-root.pem",
Assertions.assertEquals("src/main/resources/global-bundle.pem",
properties.getTlsCAFilePath());
Assertions.assertEquals("SSHUSER", properties.getSshUser());
Assertions.assertEquals("SSHHOST", properties.getSshHostname());
Expand All @@ -109,7 +109,7 @@ public void testValidProperties() {
+ "&scanLimit=100"
+ "&replicaSet=rs0"
+ "&tlsAllowInvalidHostnames=true"
+ "&tlsCAFile=src%2Fmain%2Fresources%2Frds-ca-2019-root.pem"
+ "&tlsCAFile=src%2Fmain%2Fresources%2Fglobal-bundle.pem"
+ "&sshUser=SSHUSER"
+ "&sshHost=SSHHOST"
+ "&sshPrivateKeyFile=%7E%2F.ssh%2Ftest-file-name.pem"
Expand Down Expand Up @@ -241,7 +241,7 @@ public void testSetPropertiesFromConnectionString() throws SQLException {
"&" + DocumentDbConnectionProperty.REPLICA_SET.getName() + "=" + "rs0" +
"&" + DocumentDbConnectionProperty.TLS_ENABLED.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.TLS_ALLOW_INVALID_HOSTNAMES.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/rds-ca-2019-root.pem" +
"&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/global-bundle.pem" +
"&" + DocumentDbConnectionProperty.LOGIN_TIMEOUT_SEC.getName() + "=" + "4" +
"&" + DocumentDbConnectionProperty.RETRY_READS_ENABLED.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.METADATA_SCAN_METHOD.getName() + "=" + "random" +
Expand Down Expand Up @@ -419,11 +419,11 @@ void testAppendEmbeddedAndOptionalCaCertificates() throws SQLException, IOExcept
.getPropertiesFromConnectionString(info, connectionString, DOCUMENT_DB_SCHEME);
final List<Certificate> caCertificates = new ArrayList<>();
properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
Assertions.assertEquals(2, caCertificates.size());
Assertions.assertEquals(122, caCertificates.size());
caCertificates.clear();
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
Assertions.assertEquals(3, caCertificates.size());
Assertions.assertEquals(243, caCertificates.size());
caCertificates.clear();
properties.setTlsCAFilePath("invalid-path.pem");
Assertions.assertThrows(SQLException.class,
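Review bot: the new expected sizes are magic numbers tied to the current contents of global-bundle.pem: 122 certificates embedded, then 243 after the same bundle is also supplied through `setTlsCAFilePath`. The difference (121) shows that when a user points `tlsCAFile` at the bundle the driver already embeds, all of its certificates are appended a second time with no deduplication, and any future refresh of the bundle will break both assertions. Suggest computing the expected count in the test from the resource itself (parse `src/main/resources/global-bundle.pem` once and assert `bundleCount + 1` and `2 * bundleCount + 1`, the `+ 1` being the separately embedded 2021 root), and consider de-duplicating by certificate identity inside `appendEmbeddedAndOptionalCaCertificates` so the trust list does not grow with repeated entries.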
Expand All @@ -447,7 +447,7 @@ void testBuildSshConnectionProperties() throws SQLException {
properties.setTlsAllowInvalidHostnames("true");
properties.setTlsEnabled("true");
properties.setRetryReadsEnabled("true");
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.setSshUser("SSHUSER");
properties.setSshHostname("SSHHOST");
properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");
4 changes: 2 additions & 2 deletions tableau-connector/build.sh
Expand Up @@ -19,12 +19,12 @@ docker build -t taco-builder $CURRENT_FOLDER
echo "Assembling Tableau Connector"
docker run -d -it --name=taco-builder --mount type=bind,source=$TARGET_FOLDER,target=/output taco-builder
echo "Copying Tableau Connector"
docker exec taco-builder sh -c "cp /tableau-sdk/connector-plugin-sdk/connector-packager/packaged-connector/documentdbjdbc.taco /output"
docker exec taco-builder sh -c "cp /tableau-sdk/connector-plugin-sdk/connector-packager/packaged-connector/*.taco /output"
echo "Verifying Tableau Connector"
docker exec taco-builder sh -c "ls -l /output"
docker exec taco-builder pwd
echo "Extracting Tableau Connector"
docker cp taco-builder:/output/documentdbjdbc.taco $TARGET_FOLDER
docker cp taco-builder:/output/*.taco $TARGET_FOLDER
echo "Checking Resulting TACO FILE in $TARGET_FOLDER"
ls -l $TARGET_FOLDER
docker stop taco-builder
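Review bot: `docker cp taco-builder:/output/*.taco $TARGET_FOLDER` will not work as written: `docker cp` does not expand wildcards in the container-side path, so it looks for a file literally named `*.taco` and fails with a not-found error. The earlier `cp .../*.taco /output` is fine because it runs inside `sh -c` in the container, where the shell expands the glob. Since `/output` is already a bind mount of `$TARGET_FOLDER` (the `docker run --mount type=bind,...` line above), the `docker cp` step is redundant and could simply be dropped; if it is kept for clarity, copy the directory contents (`docker cp taco-builder:/output/. $TARGET_FOLDER`) or keep the explicit file name.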