|
@@ -11,38 +11,48 @@
|
|
|
|
|
|
# TLS Setup for RDS
|
|
|
|
|
|
-First need to update `dbconfig.xml` to tell it to use TLS and what root certs to use:
|
|
|
-
|
|
|
-```
|
|
|
- <url><![CDATA[jdbc:postgresql://jira.cm5pc4cb8hlj.us-east-1.rds.amazonaws.com:5432/jira?sslmode=verify-full&sslrootcert=/opt/atlassian/jira/rds-root-chain.pem]]></url>
|
|
|
-
|
|
|
```
|
|
|
-
|
|
|
-Then in `/opt/atlassian/jira/rds-root-chain.pem` you need the root cert(s) for RDS. Use something like this:
|
|
|
-
|
|
|
+curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
|
|
|
+# Place output in /home/jira/.postgresql/root.crt
|
|
|
+vim /opt/jira-data/jira/dbconfig.xml
|
|
|
+# Add ?sslmode=verify-full to the <url>
|
|
|
```
|
|
|
-#!/bin/bash
|
|
|
|
|
|
-URLS="https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem"
|
|
|
-URLS="${URLS} https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem"
|
|
|
-URLS="${URLS} https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-east-1-2017-root.pem"
|
|
|
-URLS="${URLS} https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-west-1-2017-root.pem"
|
|
|
-
|
|
|
-rm rds-root-chain.pem
|
|
|
-
|
|
|
-for i in $URLS; do
|
|
|
- echo "# `basename $i`"
|
|
|
- curl -s $i
|
|
|
-done >> rds-root-chain.pem
|
|
|
-
|
|
|
-
|
|
|
-```
|
|
|
-see [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html]()
|
|
|
|
|
|
-There is mention of ways with newer versions of the PostgreSQL JDBC driver to use the
|
|
|
-standard Java keystore for root certs. This does not work with the version of the JDBC
|
|
|
-driver skipping with Jira version 7.13, as the class needed is missing. (There's no
|
|
|
-DefaultJavaSSLFactory in `postresql-9.4.1212.jar`)
|
|
|
+~# TLS Setup for RDS - OUTDATED!!!
|
|
|
+~
|
|
|
+~First need to update `dbconfig.xml` to tell it to use TLS and what root certs to use:
|
|
|
+~
|
|
|
+~```
|
|
|
+~ <url><![CDATA[jdbc:postgresql://jira.cm5pc4cb8hlj.us-east-1.rds.amazonaws.com:5432/jira?sslmode=verify-full&sslrootcert=/opt/atlassian/jira/rds-root-chain.pem]]></url>
|
|
|
+~
|
|
|
+~```
|
|
|
+~
|
|
|
+~Then in `/opt/atlassian/jira/rds-root-chain.pem` you need the root cert(s) for RDS. Use something like this:
|
|
|
+~
|
|
|
+~```
|
|
|
+~#!/bin/bash
|
|
|
+~
|
|
|
+~URLS="https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem"
|
|
|
+~URLS="${URLS} https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem"
|
|
|
+~URLS="${URLS} https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-east-1-2017-root.pem"
|
|
|
+~URLS="${URLS} https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-west-1-2017-root.pem"
|
|
|
+~
|
|
|
+~rm rds-root-chain.pem
|
|
|
+~
|
|
|
+~for i in $URLS; do
|
|
|
+~ echo "# `basename $i`"
|
|
|
+~ curl -s $i
|
|
|
+~done >> rds-root-chain.pem
|
|
|
+~
|
|
|
+~
|
|
|
+~```
|
|
|
+~see [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html]()
|
|
|
+~
|
|
|
+~There is mention of ways with newer versions of the PostgreSQL JDBC driver to use the
|
|
|
+~standard Java keystore for root certs. This does not work with the version of the JDBC
|
|
|
+~driver skipping with Jira version 7.13, as the class needed is missing. (There's no
|
|
|
+~DefaultJavaSSLFactory in `postresql-9.4.1212.jar`)
|
|
|
|
|
|
One handy trick:
|
|
|
|
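Review bot: The added `curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem` step prints the certificate to stdout and leaves it to a comment to get the output into `/home/jira/.postgresql/root.crt`. Write the file directly, for example `curl -fsS -o /home/jira/.postgresql/root.crt https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem`, so the step can be pasted as is and a failed download is visible. The new `<url>` instruction adds only `?sslmode=verify-full` and no longer sets `sslrootcert=`, so please add a sentence stating that verification now depends on that file under the home directory of the account Jira runs as, and that only the 2019 root is installed where the old script also bundled the 2015 and us-gov roots, if that is intentional. In the retained section, the `~` prefix on every line means `~# TLS Setup for RDS - OUTDATED!!!` and the prefixed fence lines will not render as a heading or code block. Consider deleting the old text and relying on history, or marking it outdated with a single note. If it stays, `skipping` (presumably "shipping") and `postresql-9.4.1212.jar` look like carried-over typos, and the docs link has an empty target in `[...]()`.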