User guide

require_SSL (server)    sslmode (client)    Result
false                   verify-ca           The connection is encrypted and the server certificate is verified.
Connect Using the Server Certificate with ODBC on Microsoft Windows
If you want to connect to your cluster using SSL and the server certificate, you need to download the
certificate to your client computer or Amazon EC2 instance, and then configure the ODBC DSN.
1. Download the Amazon Redshift server certificate to your client computer at
%APPDATA%\Roaming\postgresql\, and save the file as root.crt.
2. Open ODBC Data Source Administrator, and add or edit the system DSN entry for your ODBC
connection. For SSL Mode, select verify-ca and then click Save.
For more information about configuring the ODBC DSN, see Configure an ODBC Connection (p.144).
Connect Without Using the Server Certificate with ODBC
If you want to connect to your cluster without using the Amazon Redshift server certificate, you can
configure your ODBC DSN to use one of the following SSL modes: allow, prefer, or require. With these
settings, the connection will use SSL but will not verify the server certificate.
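The following audit script is an added example, not part of the original guide. It flags DSNs whose SSL mode encrypts the connection without verifying the server certificate, using the mode descriptions above. It assumes DSNs are stored in a unixODBC-style odbc.ini file under an SSLMode key; the DSN names, host name, and function name are constructed for illustration.

```python
import configparser

# sslmode values as this guide describes them: verify-ca checks the server
# certificate; allow, prefer and require do not.
VERIFIES_CERT = {"verify-ca"}
NO_VERIFICATION = {"allow", "prefer", "require"}

# Constructed sample in odbc.ini layout. DSN names, the host name and the
# SSLMode key spelling are assumptions made for this example.
SAMPLE_ODBC_INI = """
[reporting]
Host = examplecluster.example.com
Port = 5439
SSLMode = verify-ca

[etl]
Host = examplecluster.example.com
Port = 5439
SSLMode = require

[adhoc]
Host = examplecluster.example.com
Port = 5439
"""

def audit_sslmode(ini_text):
    """Return {dsn: (sslmode, verdict)} for every DSN section in ini_text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    report = {}
    for dsn in parser.sections():
        # configparser lower-cases option names, so SSLMode/sslmode both match.
        mode = parser.get(dsn, "sslmode", fallback="").strip().lower()
        if mode in VERIFIES_CERT:
            verdict = "certificate verified"
        elif mode in NO_VERIFICATION:
            verdict = "certificate not verified"
        else:
            # Unset, or a value this guide's table does not cover.
            verdict = "review: unset or not covered here"
        report[dsn] = (mode or None, verdict)
    return report

if __name__ == "__main__":
    for dsn, (mode, verdict) in audit_sslmode(SAMPLE_ODBC_INI).items():
        print(f"{dsn:10} sslmode={mode!s:10} {verdict}")
```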
Using SSL and Server Certificates in Java
SSL provides one layer of security by encrypting data that moves between your client and cluster. Using
a server certificate provides an extra layer of security by validating that the cluster is an Amazon Redshift
cluster. It does so by checking the server certificate that is automatically installed on all clusters that you
provision. For more information about using server certificates with JDBC, go to Configuring the Client
in the PostgreSQL documentation.
Connect Using the Server Certificate in Java
This section explains how to add the Amazon Redshift certificate to a Java keystore. The instructions
assume that the Java installation indicated by your JAVA_HOME environment variable is used by the client
you use to connect to your cluster. Additionally, we recommend that you run the commands in the task
as root user.
To connect using a server certificate
Use the keytool program to add the Amazon Redshift certificate to the Java system truststore on your
client computer or Amazon EC2 instance. At a command prompt, use the following command:
${JAVA_HOME}/bin/keytool -keystore ${JAVA_HOME}/lib/security/cacerts -import -alias <alias> -file <certificate_filename>
Where <alias> is any user-provided string value and <certificate_filename> is the full path to
the certificate file that you downloaded from https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem.
You will be prompted to enter and re-enter a password that will be used for working with the keystore.
The default password for the cacerts keystore is changeit, although you should use whatever password
belongs to the keystore if you have changed it.
If you do not have access to the cacerts keystore in the command preceding, you can create your own
truststore by using the following command:
API Version 2012-12-01
Amazon Redshift Management Guide
Configuring Connections in Amazon Redshift