Configuring Authentication and SSL

Configure the Simba Amazon Redshift JDBC Driver to authenticate your connection according to the security requirements of the Redshift server that you are connecting to.

You must always provide your Redshift user name and password to authenticate the connection. Depending on whether SSL is enabled and required on the server, you might also need to configure the connector to connect through SSL or use one-way SSL authentication so that the client (the connector itself) verifies the identity of the server.

You provide the configuration information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

Note:

In this documentation, "SSL" indicates both TLS (Transport Layer Security) and SSL (Secure Sockets Layer). The connector supports industry-standard versions of TLS/SSL.

Using User Name and Password Only

If the server you are connecting to does not use SSL, then you only need to provide your user name and password to authenticate the connection.

To configure authentication using your user name and password only:

  1. Set the UID property to your user name for accessing the Redshift server.
  2. Set the PWD property to the password corresponding to your user name.

Using SSL without Identity Verification

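If the server you are connecting to uses SSL but does not require identity verification, then you can configure the connector to use a non-validating SSL factory. With this factory the connection uses SSL, but the connector does not verify the identity of the server.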

To configure an SSL connection without identity verification:

  1. Set the UID property to your user name for accessing the Redshift server.
  2. Set the PWD property to the password corresponding to your user name.
  3. Set the SSL property to true.
  4. Set the SSLFactory property to com.simba.redshift.ssl.NonValidatingFactory.

Using One-Way SSL Authentication

If the server you are connecting to uses SSL and has a certificate, then you can configure the connector to verify the identity of the server using one-way authentication.

One-way authentication requires a signed, trusted SSL certificate for verifying the identity of the server. You can configure the connector to use a specific certificate or access a TrustStore that contains the appropriate certificate. If you do not specify a certificate or TrustStore, then the connector uses the default Java TrustStore (typically either jssecacerts or cacerts).

To configure one-way SSL authentication:

  1. Set the UID property to your user name for accessing the Redshift server.
  2. Set the PWD property to the password corresponding to your user name.
  3. Set the SSL property to true.
  4. Set the SSLRootCert property to the location of your root CA certificate.
  5. If you are not using one of the default Java TrustStores, then do one of the following:
    • To specify a server certificate, set the SSLRootCert property to the full path of the certificate.
    • Or, to specify a TrustStore, do the following:
      1. Use the keytool program to add the server certificate to the TrustStore that you want to use.
      2. Specify the TrustStore and password to use when starting the Java application using the connector. For example:

        -Djavax.net.ssl.trustStore=[TrustStoreName]
        -Djavax.net.ssl.trustStorePassword=[TrustStorePassword]

  6. Choose one:
    • To validate the certificate, set the SSLMode property to verify-ca.
    • Or, to validate the certificate and verify the host name in the certificate, set the SSLMode property to verify-full.
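
The three configurations above differ only in a few property values, so a property set can be checked before it is handed to the connector. The following Java class is an added example, not part of the Simba documentation or the connector: it classifies a set of connection properties by the SSL posture they request. The class name, the Posture labels, the sample values, the exact-match comparison of property names and values, and the order in which trust sources are checked are assumptions of this example.

```java
import java.util.Properties;
public class RedshiftSslAudit {
    static final String NON_VALIDATING = "com.simba.redshift.ssl.NonValidatingFactory";
    enum Posture { NO_SSL, ENCRYPTED_UNVERIFIED, VERIFY_CA, VERIFY_FULL, CONFLICTING, UNSPECIFIED }

    // Classify a property set using only the properties named on this page.
    static Posture classify(Properties p) {
        if (!"true".equals(p.getProperty("SSL"))) return Posture.NO_SSL;
        boolean nonValidating = NON_VALIDATING.equals(p.getProperty("SSLFactory"));
        String mode = p.getProperty("SSLMode");
        if (nonValidating && mode != null) return Posture.CONFLICTING; // precedence not stated on the page
        if (nonValidating) return Posture.ENCRYPTED_UNVERIFIED;
        if ("verify-full".equals(mode)) return Posture.VERIFY_FULL;
        if ("verify-ca".equals(mode)) return Posture.VERIFY_CA;
        return Posture.UNSPECIFIED; // SSL is on, but no SSLMode value from step 6
    }

    // Trust anchor; checking SSLRootCert before the TrustStore system property is an assumption.
    static String trustSource(Properties p) {
        String rootCert = p.getProperty("SSLRootCert");
        if (rootCert != null) return "SSLRootCert=" + rootCert;
        String store = System.getProperty("javax.net.ssl.trustStore");
        if (store != null) return "TrustStore=" + store;
        return "default Java TrustStore (jssecacerts or cacerts)";
    }
    // Build a constructed sample; the UID and PWD values are placeholders.
    static Properties sample(String... kv) {
        Properties p = new Properties();
        p.setProperty("UID", "example_user");
        p.setProperty("PWD", "example_password");
        for (int i = 0; i + 1 < kv.length; i += 2) p.setProperty(kv[i], kv[i + 1]);
        return p;
    }

    public static void main(String[] args) {
        Properties[] samples = {
            sample(),
            sample("SSL", "true", "SSLFactory", NON_VALIDATING),
            sample("SSL", "true", "SSLRootCert", "/path/to/root-ca.pem", "SSLMode", "verify-ca"),
            sample("SSL", "true", "SSLMode", "verify-full"),
            sample("SSL", "true", "SSLFactory", NON_VALIDATING, "SSLMode", "verify-full"),
        };
        for (Properties p : samples) {
            Posture s = classify(p);
            boolean verifies = s == Posture.VERIFY_CA || s == Posture.VERIFY_FULL;
            System.out.println(s + (verifies ? "  trust: " + trustSource(p) : ""));
        }
    }
}
```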