RDSのSSL/TLS証明書の更新

3%4ͷ44-5-4ূ໌ॻͷ ߋ৽ ୈճதࠃ஍ํ%#ษڧձJOԬࢁ ࢁຊ࿨ٱ

ࣗݾ঺հ w גࣜձࣾϦκʔϜ w ࢁຊ࿨ٱ w Ϛωʔδϟʔ w ࠷ۙͷؔ৺͸ΞδϟΠϧ։ൃ

ࠓ೔࿩͢͜ͱ w 3%4ͷ1PTUHSF42-ͷ44-5-4ূ໌ॻʹ͍ͭͯ

44-5-4ূ໌ॻ w 3%4ͷ1PTUHSF42-͸σϑΥϧτͰ44-઀ଓͰ͢ɻ w SETDB͸೥݄೔ʹར༻Ͱ͖ͳ͘ͳΓ·͢ɻ w ظݶ͕དྷΔͱ3%4͸ࣗಈతʹ࠶ىಈ͕͔͔Γ·͢ɻ w ظ೔·Ͱʹαʔόʔͷূ໌ॻΛೖΕସ͑ɺ઀ଓݩͷূ໌ॻ ΋ߋ৽͢Δඞཁ͕͋Γ·͢ɻ
https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certiﬁcate- rotation.html ͋ͨΓʹॻ͔Ε͍ͯ·͢ɻ

44-઀ଓ w &$ͷ"NB[PO-JOVY͔ΒQTRMίϚϯυͰ%#ʹ઀ଓ͢Δ ͱ࣍ͷΑ͏ʹදࣔ͞Ε·͢ <CPOEHBUF!JQDVSSFOU>QTRMIPHFITUBHJOHEFBECFBGBQ OPSUIFBTUSETBNB[POBXTDPN QTRM 44-DPOOFDUJPO
QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎ 5ZQFIFMQGPSIFMQ IPHF w 44-઀ଓ͞Ε͍ͯΔͷͰ"84ͷΞφ΢ϯε௨Γ઀ଓݩͷ ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Γ·͢ΑͶʁ

ূ໌ॻ ೖΕͨهԱ͕ ແ͍ ɾ೥ྸʹΑΔهԱྗͷ௿Լ ɾτϦοΩʔͳ"OTJCMFͷςΫχοΫͰઃఆ͞Εͨʁ ɾ༯ਫ਼ͷ࢓ۀʁ

ٙ໰ w ΞΫηεݩʹূ໌ॻΛೖΕͨهԱ͕ͳ͍ͷʹɺͳͥ44-઀ ଓͰ͖Δͷ͔ʁ

૝૾ w &$ʹॳΊ͔Βূ໌ॻ͕ηοτ͞Ε͍ͯͨͷ͔ͳʁ w ୳ͯ͠ΈΔ͚Ͳݟ͔ͭΒͳ͍ɻ w ݕূ؀ڥͰ3%4ͷূ໌ॻΛSETDBʹߋ৽ͯ͠ΈΔɻ w ˠͳ͔ͥ઀ଓͰ͖Δɻ w
ˠҙຯ͕Θ͔Βͳ͍

"84ͷαϙʔτʹฉ͍ͯΈͨ ͓ੈ࿩ʹͳΓ·͢ɻ ΫϥΠΞϯτͷSSL/TLS ূ໌ॻߋ৽ͷඞཁੑʹ͍࣭ͭͯ໰͕͋Γ·͢ɻ DBͷ઀ଓݩΫϥΠΞϯτ͸EC2(AmazonLinux)ͰRDS͸PostgreSQLΛར༻͍ͯ͠·͢ɻ ࣍ͷΑ͏ʹpsql ίϚϯυͰDBʹ઀ଓ͢ΔͱʮSSL connectionʯͱදࣔ͞ΕΔͨΊɺݱࡏ͸SSL઀ଓ͍ͯ͠Δ͸ͣͰ͢ɻ --------------------------------------------------------------------------- [bondgate@ip-10-2-0-13
~]$ psql hoge -h staging.deadbeaf.ap-northeast-1.rds.amazonaws.com psql (9.5.15) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: oﬀ) Type "help" for help. hoge=> --------------------------------------------------------------------------- https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certiﬁcate-rotation.html ͪ͜ΒͷΞφ΢ϯε௨Γɺ2020೥2݄5೔·ͰʹRDSͷূ໌ॻΛrds-ca-2015͔Βrds-ca-2019ʹมߋ͢Δඞཁ͕͋Δ͜ͱ͸ཧղͰ͖·ͨ͠ɻ ݕূ༻RDSͰূ໌ॻΛrds-ca-2019ʹมߋͨ͠ͱ͜Ζɺrds-ca-2015ͷ࣌ͱಉ͡Α͏ʹΫϥΠΞϯτ͔Β઀ଓ͢Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ࢿྉΛಡΉͱΫϥΠΞϯτͷSSL/TLS ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Δͱॻ͔Ε͍ͯΔͷͰ͕͢ɺ͜Ε͸ෆཁͳͷͰ͠ΐ͏͔ʁ ͦΕͱ΋ɺݱࡏͷEC2ʹrds-ca-2019ʹରԠ͢Δূ໌ॻ͕͢ͰʹΠϯετʔϧ͞Ε͍ͯΔͱ͍͏͜ͱͰ͠ΐ͏͔ʁ RDS্ͷSSL/TLSূ໌ॻͱΫϥΠΞϯτͷূ໌ॻͷؔ܎͕͏·͘ཧղͰ͖͍ͯͳ͍ͷͰ͕͢ɺ͝આ໌͍͚ͨͩΕ͹޾͍Ͱ͢ɻ ΑΖ͓͘͠Ͷ͕͍͠·͢ɻ DB Πϯελϯε:

͙͢ʹฦࣄ͕ฦ͖ͬͯͨ w ཁ໿͢Δͱ w QTRMίϚϯυʹ͓͚Δ44-5-4઀ଓ࣌ͷಈ࡞ʹ͍ͭͯ͸ TTMNPEFͱ͍͏ઃఆʹΑΓܾ·Δ w ݱࡏͷ઀ଓ͸TTMNPEF͸ઃఆ͞Ε͓ͯΒͣɺσϑΥϧτͷ TTMNPEFQSFGFSͱͯ͠ಈ࡞͍ͯ͠Δɻ w
TTMNPEFQSFGFS͸ɺΫϥΠΞϯτ͸σʔλϕʔεαʔόଆ ͕44-5-4઀ଓʹରԠ͍ͯ͠Δ৔߹ʹ͸σʔλͷ҉߸Խ͸ ߦ͏΋ͷͷɺαʔόূ໌ॻͷݕূ͸ߦΘͳ͍ಈ࡞ͱͳΔɻ

1PTUHSF42-ͷυΩϡϝϯτ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

.*5.๷ࢭͱ͸ʁ w தؒऀ߈ܸ w σʔλ͕ΫϥΠΞϯτɾαʔόؒͰ౉͞Ε͍ͯΔ࣌ ʹɺୈࡾऀ͕ͦͷσʔλΛมߋͰ͖Ε͹ɺαʔόΛ૷ ͏͜ͱ͕Ͱ͖ɺैͬͯͨͱ͑҉߸Խ͞Ε͍ͯͯ΋σʔ λΛཧղ͠มߋ͢Δ͜ͱ͕Ͱ͖·͢ɻୈࡾऀ͸ͦ͜Ͱɺ͜ͷ߈ܸ Λݕग़ෆՄೳʹ͢Δ઀ଓ৘ใͱσʔλΛݩͷαʔόʹૹΔ͜ͱ͕Ͱ͖·͢ɻ͜ΕΛߦ͏ ڞ௨ͨ͠ഔհ͸%/4ϙΠζχϯάͱΞυϨε৐ͬऔΓΛؚΈɺͦΕʹैͬͯΫϥΠΞϯ
τ͸ҙਤͨ͠αʔόͰ͸ͳ͘ҟͳͬͨαʔόʹ༠ಋ͞Ε·͢ɻಉ࣌ʹɺ͜ͷ͜ͱΛ੒͠ ਱͛Δ͍͔ͭ͘ͷҟͳͬͨ߈ܸ΋ଘࡏ͠·͢ɻ44-͸ΫϥΠΞϯτʹର͠αʔόΛೝূ ͢Δ͜ͱͰɺ͜ͷ๷ࢭʹূ໌ॻݕূΛ࢖༻͠·͢ɻ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

TTMNPEFͷݕূ <CPOEHBUF!JQd>1(44-.0%&WFSJGZGVMMQTRMIPHFI TUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRMSPPUDFSUJpDBUFpMFIPNFCPOEHBUFQPTUHSFTRMSPPUDSUEPFTOPU FYJTU &JUIFSQSPWJEFUIFpMFPSDIBOHFTTMNPEFUPEJTBCMFTFSWFSDFSUJpDBUF WFSJpDBUJPO RDSͷূ໌ॻΛ2019೥ͷূ໌ॻʹߋ৽ɻSSL௨৴࣌ͷূ໌ॻͷ֬ೝΛڧ੍͠ ͨ৔߹ͷಈ͖Λݕূͨ͠ɻ 1(44-.0%&WFSJGZGVMMΛ௥Ճ͠ɺূ໌ॻͷ֬ೝΛߦͬͨɻূ໌ॻ͕ແ͍ͱࣦഊ͢
Δ͜ͱΛ֬ೝɻ

TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRM44-FSSPSDFSUJpDBUFWFSJGZGBJMFE ূ໌ॻͷμ΢ϯϩʔυ͸ͪ͜Β͔Β https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html 2015೥ͷূ໌ॻΛ~/.postgresql/root.crtʹઃஔͨ͠ɻ ূ໌ॻͷ֬ೝ͕ࣦഊͨ͠ɻ

TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN 44-DPOOFDUJPO QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎
5ZQFIFMQGPSIFMQ IPHF ଓ͍ͯ2019೥ͷূ໌ॻΛಉ໊Ͱઃஔɻ઀ଓ੒ޭɻ

·ͱΊ w ূ໌ॻΛΫϥΠΞϯτʹઃஔ͍ͯ͠ͳ͍ͷͰ͋Ε͹3%4 ଆͷূ໌ॻͷߋ৽͚ͩͰ0,ɻ w தؒऀ߈ܸͷϦεΫΛߟ͑Δͱূ໌ॻΛઃஔͯ͠ɺূ໌ॻ ͷ֬ೝΛ༗ޮԽͨ͠΄͏͕ྑ͍ɻ w "84ͷαϙʔτͷਓɺ1PTUHSF42-ͷ࣭໰ʹ΋౴͑ͯ͘ Ε͍ͯ͢͝ʂ

RDSのSSL/TLS証明書の更新

RDSのSSL/TLS証明書の更新

Yamamoto Kazuhisa

More Decks by Yamamoto Kazuhisa

Other Decks in Technology

Featured

Transcript

3%4ͷ44-5-4ূ໌ॻͷ ߋ৽ ୈճதࠃ஍ํ%#ษڧձJOԬࢁ ࢁຊ࿨ٱ

ࣗݾ঺հ w גࣜձࣾϦκʔϜ w ࢁຊ࿨ٱ w Ϛωʔδϟʔ w ࠷ۙͷؔ৺͸ΞδϟΠϧ։ൃ

ࠓ೔࿩͢͜ͱ w 3%4ͷ1PTUHSF42-ͷ44-5-4ূ໌ॻʹ͍ͭͯ

44-5-4ূ໌ॻ w 3%4ͷ1PTUHSF42-͸σϑΥϧτͰ44-઀ଓͰ͢ɻ w SETDB͸೥݄೔ʹར༻Ͱ͖ͳ͘ͳΓ·͢ɻ w ظݶ͕དྷΔͱ3%4͸ࣗಈతʹ࠶ىಈ͕͔͔Γ·͢ɻ w ظ೔·Ͱʹαʔόʔͷূ໌ॻΛೖΕସ͑ɺ઀ଓݩͷূ໌ॻ ΋ߋ৽͢Δඞཁ͕͋Γ·͢ɻ

44-઀ଓ w &$ͷ"NB[PO-JOVY͔ΒQTRMίϚϯυͰ%#ʹ઀ଓ͢Δ ͱ࣍ͷΑ͏ʹදࣔ͞Ε·͢ <CPOEHBUF!JQDVSSFOU>QTRMIPHFITUBHJOHEFBECFBGBQ OPSUIFBTUSETBNB[POBXTDPN QTRM 44-DPOOFDUJPO

ূ໌ॻ ೖΕͨهԱ͕ ແ͍ ɾ೥ྸʹΑΔهԱྗͷ௿Լ ɾτϦοΩʔͳ"OTJCMFͷςΫχοΫͰઃఆ͞Εͨʁ ɾ༯ਫ਼ͷ࢓ۀʁ

ٙ໰ w ΞΫηεݩʹূ໌ॻΛೖΕͨهԱ͕ͳ͍ͷʹɺͳͥ44-઀ ଓͰ͖Δͷ͔ʁ

૝૾ w &$ʹॳΊ͔Βূ໌ॻ͕ηοτ͞Ε͍ͯͨͷ͔ͳʁ w ୳ͯ͠ΈΔ͚Ͳݟ͔ͭΒͳ͍ɻ w ݕূ؀ڥͰ3%4ͷূ໌ॻΛSETDBʹߋ৽ͯ͠ΈΔɻ w ˠͳ͔ͥ઀ଓͰ͖Δɻ w

͙͢ʹฦࣄ͕ฦ͖ͬͯͨ w ཁ໿͢Δͱ w QTRMίϚϯυʹ͓͚Δ44-5-4઀ଓ࣌ͷಈ࡞ʹ͍ͭͯ͸ TTMNPEFͱ͍͏ઃఆʹΑΓܾ·Δ w ݱࡏͷ઀ଓ͸TTMNPEF͸ઃఆ͞Ε͓ͯΒͣɺσϑΥϧτͷ TTMNPEFQSFGFSͱͯ͠ಈ࡞͍ͯ͠Δɻ w

1PTUHSF42-ͷυΩϡϝϯτ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN 44-DPOOFDUJPO QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎

·ͱΊ w ূ໌ॻΛΫϥΠΞϯτʹઃஔ͍ͯ͠ͳ͍ͷͰ͋Ε͹3%4 ଆͷূ໌ॻͷߋ৽͚ͩͰ0,ɻ w தؒऀ߈ܸͷϦεΫΛߟ͑Δͱূ໌ॻΛઃஔͯ͠ɺূ໌ॻ ͷ֬ೝΛ༗ޮԽͨ͠΄͏͕ྑ͍ɻ w "84ͷαϙʔτͷਓɺ1PTUHSF42-ͷ࣭໰ʹ΋౴͑ͯ͘ Ε͍ͯ͢͝ʂ