Using Flyway to connect to Aurora MySQL using a TLS connection


Hello,

I've been struggling with this for a while, so thought I would ask here to see if anyone has had any similar experiences. This entire configuration works without the TLS connection.

Flyway is a Java-based tool delivered in a container. In order to connect to Aurora MySQL via TLS, it is necessary to load the published CA bundle into the keystore in the container. My approach is to use a new entrypoint.sh script to perform this action, along the lines of:

#!/bin/bash
set -euo pipefail

echo "Adding RDS Cert"

keytool -keystore /flyway/keystore -alias "AWS RDS Aurora" -noprompt -trustcacerts -storepass "myStorePassword" -importcert -file rds-combined-ca-bundle.pem
keytool -list  -keystore /flyway/keystore -storepass "myStorePassword"
export JAVA_ARGS='-Djavax.net.ssl.trustStore="/flyway/keystore" -Djavax.net.ssl.trustStorePassword="myStorePassword"'

flyway "$@"

This shows that the certificates are loaded into the keystore. But then, I get this error when trying to connect:

SQL State  : 08000
Error Code : -1
Message    : Could not connect to address=(host=flare-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com)(port=3306)(type=master) : Could not connect to flare-cluster-dev.cluster-csj2gx7fvppg.us-west-2.rds.amazonaws.com:3306 : No X509TrustManager implementation available

Everything I have found online regarding the error concerns the potential issue that the program can't find the keystore. However, I also can't seem to find any indication that I am doing something incorrectly in the process.

Wondering if anyone has any suggestions. Thanks.

2 Answers

Hi

I assume the JAVA_ARGS environment variable is likely not being passed correctly. Instead of setting JAVA_ARGS and then running flyway $@, use the exec command to directly execute Flyway with the environment variables. This ensures the variables are inherited by the Java process.

You can check the updated script and try it out:

#!/bin/bash
set -euo pipefail

echo "Adding RDS Cert"

keytool -keystore /flyway/keystore -alias "AWS RDS Aurora" -noprompt -trustcacerts -storepass "myStorePassword" -importcert -file rds-combined-ca-bundle.pem
keytool -list  -keystore /flyway/keystore -storepass "myStorePassword"

export JAVA_ARGS="-Djavax.net.ssl.trustStore=/flyway/keystore -Djavax.net.ssl.trustStorePassword=myStorePassword"

exec java $JAVA_ARGS -jar /flyway/flyway.jar "$@"

EXPERT
GK
answered 15 days ago

Thanks for this, my thinking is along the same lines.

However, I don't have a .jar file in the container:

drwxr-xr-x 1 root root    88 May 15 16:13 .
drwxr-xr-x 1 root root    31 May 15 16:13 ..
drwxr-xr-x 3 root root    47 Mar 14 11:02 assets
drwxr-xr-x 2 root root    33 Mar 14 11:02 conf
drwxr-xr-x 4 root root  4096 Mar 14 11:02 drivers
-rwxr-xr-x 1 root root  1108 May 15 16:12 entrypoint.sh
-rwxr-xr-x 1 2000 2000  1177 Mar 14 10:29 flyway
-rw-r--r-- 1 2000 2000  1007 Mar 14 10:30 flyway.cmd
-rw-r--r-- 1 root root  1430 May 15 16:13 keystore
drwxr-xr-x 7 root root  4096 Mar 14 11:02 lib
drwxr-xr-x 2 root root    56 Mar 14 11:02 licenses
-rw-r--r-- 1 root root 43888 May 15 16:13 rds-combined-ca-bundle.pem
-rw-r--r-- 1 2000 2000  1186 Mar 14 10:27 README.txt
drwxr-xr-x 2 root root  4096 Mar 14 11:02 rules
drwxr-xr-x 3 root root    24 May 15 16:13 sql

And the environment looks OK:

HOSTNAME=7ebfc5988612
LANGUAGE=en_US:en
JAVA_HOME=/opt/java/openjdk
PWD=/flyway
JAVA_ARGS=-Djava.security.egd=file:/dev/../dev/urandom -Djavax.net.ssl.trustStore="/flyway/keystore" -Djavax.net.ssl.trustStorePassword="myStorePassword"
HOME=/root
LANG=en_US.UTF-8
FLYWAY_USER=admin
SHLVL=1
FLYWAY_PASSWORD=84M7f6u%A29Ruj#wsGtv
LC_ALL=en_US.UTF-8
PATH=/flyway:/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_VERSION=jdk-17.0.10+7
_=/usr/bin/env

I'm now thinking that the env when run from the entrypoint.sh command is different than the -e vars being sent to the docker command. Going to try a few more approaches.

Thanks again.

CajunD
answered 4 days ago
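An added example, not code from the thread or from Flyway: the env dump above shows JAVA_ARGS carrying the double quotes literally (they were written inside a single-quoted string), and the Flyway launcher expands $JAVA_ARGS unquoted, so the JVM would receive `"/flyway/keystore"` with the quote characters as part of the path. The helpers below build the -D properties without embedded quotes, check a JAVA_ARGS string for that defect, and show what trust-store path the JVM would actually see. The keystore and bundle paths and the store password are placeholders taken from the question; that the launcher honours JAVA_ARGS is an assumption (the image presets it with -Djava.security.egd, which suggests it does).

```shell
#!/bin/bash
# Helper functions for an entrypoint.sh that hands a TLS trust store to
# Flyway's launcher through JAVA_ARGS (added example, not Flyway's own code).
KEYSTORE=/flyway/keystore                   # placeholder path from the question
CA_BUNDLE=/flyway/rds-combined-ca-bundle.pem # placeholder path from the question

# Emit the -D flags with no quote characters inside the values. The launcher
# expands $JAVA_ARGS unquoted, so quotes in the string reach the JVM verbatim.
build_java_args() {
  local store="$1" pass="$2"
  printf '%s' "-Djavax.net.ssl.trustStore=${store} -Djavax.net.ssl.trustStorePassword=${pass}"
}

# Return 1 if any value still carries a literal single or double quote.
check_java_args() {
  case "$1" in
    *\"*|*\'*) return 1 ;;
  esac
  return 0
}

# Print the trustStore path exactly as the JVM would see it after the
# launcher's unquoted word-splitting of JAVA_ARGS.
truststore_from_args() {
  local word
  for word in $1; do
    case "$word" in
      -Djavax.net.ssl.trustStore=*)
        printf '%s' "${word#-Djavax.net.ssl.trustStore=}"
        return 0 ;;
    esac
  done
  return 1
}

# Import the CA bundle only if the alias is absent (idempotent across restarts),
# then fail loudly if the alias still is not in the keystore. Not run here.
import_rds_ca() {
  local pass="$1" alias="AWS RDS Aurora"
  if ! keytool -list -keystore "$KEYSTORE" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    keytool -importcert -keystore "$KEYSTORE" -alias "$alias" -noprompt -trustcacerts \
      -storepass "$pass" -file "$CA_BUNDLE"
  fi
  keytool -list -keystore "$KEYSTORE" -storepass "$pass" -alias "$alias" >/dev/null
}

# Entrypoint body (not invoked in this file): export clean args, then exec the
# launcher so the JVM inherits the environment and arguments are passed intact.
entrypoint_main() {
  import_rds_ca "myStorePassword"
  JAVA_ARGS="$(build_java_args "$KEYSTORE" myStorePassword)"
  check_java_args "$JAVA_ARGS" || { echo "JAVA_ARGS contains literal quotes" >&2; exit 1; }
  export JAVA_ARGS
  exec flyway "$@"
}
```

Calling `entrypoint_main "$@"` at the end of the real entrypoint.sh replaces the `export JAVA_ARGS=...; flyway $@` lines from the question.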
