Upgrade to Pro — share decks privately, control downloads, hide ads and more …

RDSのSSL/TLS証明書の更新

Yamamoto Kazuhisa
January 25, 2020
Technology
1
370

 RDSのSSL/TLS証明書の更新

第28回 中国地方DB勉強会の発表内容です。

Yamamoto Kazuhisa

January 25, 2020
Tweet

More Decks by Yamamoto Kazuhisa

See All by Yamamoto Kazuhisa
Railsプロジェクトキャッチアップのコツ
kazuhisa
0
89
IoTで農家を守れ! LTE-M Button Plusを利用した 箱罠動作検知システム
kazuhisa
1
4.6k
RDSのPostgreSQL9.3を がんばってバージョンアップしてみた
kazuhisa
0
980
AWS Lambdaについて
kazuhisa
1
400

Other Decks in Technology

See All in Technology
複雑なState管理からの脱却
sansantech
PRO
1
150
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
Taming you application's environments
salaboy
0
190
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
13k
いざ、BSC討伐の旅
nikinusu
2
780
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Speed Design
sergeychernyshev
25
620
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Faster Mobile Websites
deanohume
305
30k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
890
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
How STYLIGHT went responsive
nonsquared
95
5.2k
Side Projects
sachag
452
42k

Transcript

  1. 3%4ͷ44-5-4ূ໌ॻͷ ߋ৽  ୈճதࠃ஍ํ%#ษڧձJOԬࢁ ࢁຊ࿨ٱ

  2. ࣗݾ঺հ w גࣜձࣾϦκʔϜ w ࢁຊ࿨ٱ w Ϛωʔδϟʔ w ࠷ۙͷؔ৺͸ΞδϟΠϧ։ൃ

  3. ࠓ೔࿩͢͜ͱ w 3%4ͷ1PTUHSF42-ͷ44-5-4ূ໌ॻʹ͍ͭͯ

  4. 44-5-4ূ໌ॻ w 3%4ͷ1PTUHSF42-͸σϑΥϧτͰ44-઀ଓͰ͢ɻ w SETDB͸೥݄೔ʹར༻Ͱ͖ͳ͘ͳΓ·͢ɻ w ظݶ͕དྷΔͱ3%4͸ࣗಈతʹ࠶ىಈ͕͔͔Γ·͢ɻ w ظ೔·Ͱʹαʔόʔͷূ໌ॻΛೖΕସ͑ɺ઀ଓݩͷূ໌ॻ ΋ߋ৽͢Δඞཁ͕͋Γ·͢ɻ

    https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate- rotation.html ͋ͨΓʹॻ͔Ε͍ͯ·͢ɻ

  5. 44-઀ଓ w &$ͷ"NB[PO-JOVY͔ΒQTRMίϚϯυͰ%#ʹ઀ଓ͢Δ ͱ࣍ͷΑ͏ʹදࣔ͞Ε·͢ <CPOEHBUF!JQDVSSFOU>QTRMIPHFITUBHJOHEFBECFBGBQ OPSUIFBTUSETBNB[POBXTDPN QTRM   44-DPOOFDUJPO

    QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎  5ZQFIFMQGPSIFMQ IPHF w 44-઀ଓ͞Ε͍ͯΔͷͰ"84ͷΞφ΢ϯε௨Γ઀ଓݩͷ ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Γ·͢ΑͶʁ

  6. ূ໌ॻ ೖΕͨهԱ͕ ແ͍ ɾ೥ྸʹΑΔهԱྗͷ௿Լ  ɾτϦοΩʔͳ"OTJCMFͷςΫχοΫͰઃఆ͞Εͨʁ ɾ༯ਫ਼ͷ࢓ۀʁ

  7. ٙ໰ w ΞΫηεݩʹূ໌ॻΛೖΕͨهԱ͕ͳ͍ͷʹɺͳͥ44-઀ ଓͰ͖Δͷ͔ʁ

  8. ૝૾ w &$ʹॳΊ͔Βূ໌ॻ͕ηοτ͞Ε͍ͯͨͷ͔ͳʁ w ୳ͯ͠ΈΔ͚Ͳݟ͔ͭΒͳ͍ɻ w ݕূ؀ڥͰ3%4ͷূ໌ॻΛSETDBʹߋ৽ͯ͠ΈΔɻ w ˠͳ͔ͥ઀ଓͰ͖Δɻ w

    ˠҙຯ͕Θ͔Βͳ͍

  9. "84ͷαϙʔτʹฉ͍ͯΈͨ ͓ੈ࿩ʹͳΓ·͢ɻ ΫϥΠΞϯτͷSSL/TLS ূ໌ॻߋ৽ͷඞཁੑʹ͍࣭ͭͯ໰͕͋Γ·͢ɻ DBͷ઀ଓݩΫϥΠΞϯτ͸EC2(AmazonLinux)ͰRDS͸PostgreSQLΛར༻͍ͯ͠·͢ɻ ࣍ͷΑ͏ʹpsql ίϚϯυͰDBʹ઀ଓ͢ΔͱʮSSL connectionʯͱදࣔ͞ΕΔͨΊɺݱࡏ͸SSL઀ଓ͍ͯ͠Δ͸ͣͰ͢ɻ --------------------------------------------------------------------------- [bondgate@ip-10-2-0-13

    ~]$ psql hoge -h staging.deadbeaf.ap-northeast-1.rds.amazonaws.com psql (9.5.15) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Type "help" for help. hoge=> --------------------------------------------------------------------------- https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html ͪ͜ΒͷΞφ΢ϯε௨Γɺ2020೥2݄5೔·ͰʹRDSͷূ໌ॻΛrds-ca-2015͔Βrds-ca-2019ʹมߋ͢Δඞཁ͕͋Δ͜ͱ͸ཧղͰ͖·ͨ͠ɻ ݕূ༻RDSͰূ໌ॻΛrds-ca-2019ʹมߋͨ͠ͱ͜Ζɺrds-ca-2015ͷ࣌ͱಉ͡Α͏ʹΫϥΠΞϯτ͔Β઀ଓ͢Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ࢿྉΛಡΉͱΫϥΠΞϯτͷSSL/TLS ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Δͱॻ͔Ε͍ͯΔͷͰ͕͢ɺ͜Ε͸ෆཁͳͷͰ͠ΐ͏͔ʁ ͦΕͱ΋ɺݱࡏͷEC2ʹrds-ca-2019ʹରԠ͢Δূ໌ॻ͕͢ͰʹΠϯετʔϧ͞Ε͍ͯΔͱ͍͏͜ͱͰ͠ΐ͏͔ʁ RDS্ͷSSL/TLSূ໌ॻͱΫϥΠΞϯτͷূ໌ॻͷؔ܎͕͏·͘ཧղͰ͖͍ͯͳ͍ͷͰ͕͢ɺ͝આ໌͍͚ͨͩΕ͹޾͍Ͱ͢ɻ ΑΖ͓͘͠Ͷ͕͍͠·͢ɻ DB Πϯελϯε:

  10. ͙͢ʹฦࣄ͕ฦ͖ͬͯͨ w ཁ໿͢Δͱ w QTRMίϚϯυʹ͓͚Δ44-5-4઀ଓ࣌ͷಈ࡞ʹ͍ͭͯ͸ TTMNPEFͱ͍͏ઃఆʹΑΓܾ·Δ w ݱࡏͷ઀ଓ͸TTMNPEF͸ઃఆ͞Ε͓ͯΒͣɺσϑΥϧτͷ TTMNPEFQSFGFSͱͯ͠ಈ࡞͍ͯ͠Δɻ w

    TTMNPEFQSFGFS͸ɺΫϥΠΞϯτ͸σʔλϕʔεαʔόଆ ͕44-5-4઀ଓʹରԠ͍ͯ͠Δ৔߹ʹ͸σʔλͷ҉߸Խ͸ ߦ͏΋ͷͷɺαʔόূ໌ॻͷݕূ͸ߦΘͳ͍ಈ࡞ͱͳΔɻ

  11. 1PTUHSF42-ͷυΩϡϝϯτ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

  12. .*5.๷ࢭͱ͸ʁ w தؒऀ߈ܸ w σʔλ͕ΫϥΠΞϯτɾαʔόؒͰ౉͞Ε͍ͯΔ࣌ ʹɺୈࡾऀ͕ͦͷσʔλΛมߋͰ͖Ε͹ɺαʔόΛ૷ ͏͜ͱ͕Ͱ͖ɺैͬͯͨͱ͑҉߸Խ͞Ε͍ͯͯ΋σʔ λΛཧղ͠มߋ͢Δ͜ͱ͕Ͱ͖·͢ɻୈࡾऀ͸ͦ͜Ͱɺ͜ͷ߈ܸ Λݕग़ෆՄೳʹ͢Δ઀ଓ৘ใͱσʔλΛݩͷαʔόʹૹΔ͜ͱ͕Ͱ͖·͢ɻ͜ΕΛߦ͏ ڞ௨ͨ͠ഔհ͸%/4ϙΠζχϯάͱΞυϨε৐ͬऔΓΛؚΈɺͦΕʹैͬͯΫϥΠΞϯ

    τ͸ҙਤͨ͠αʔόͰ͸ͳ͘ҟͳͬͨαʔόʹ༠ಋ͞Ε·͢ɻಉ࣌ʹɺ͜ͷ͜ͱΛ੒͠ ਱͛Δ͍͔ͭ͘ͷҟͳͬͨ߈ܸ΋ଘࡏ͠·͢ɻ44-͸ΫϥΠΞϯτʹର͠αʔόΛೝূ ͢Δ͜ͱͰɺ͜ͷ๷ࢭʹূ໌ॻݕূΛ࢖༻͠·͢ɻ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

  13. TTMNPEFͷݕূ <CPOEHBUF!JQd>1(44-.0%&WFSJGZGVMMQTRMIPHFI TUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRMSPPUDFSUJpDBUFpMFIPNFCPOEHBUFQPTUHSFTRMSPPUDSUEPFTOPU FYJTU &JUIFSQSPWJEFUIFpMFPSDIBOHFTTMNPEFUPEJTBCMFTFSWFSDFSUJpDBUF WFSJpDBUJPO RDSͷূ໌ॻΛ2019೥ͷূ໌ॻʹߋ৽ɻSSL௨৴࣌ͷূ໌ॻͷ֬ೝΛڧ੍͠ ͨ৔߹ͷಈ͖Λݕূͨ͠ɻ 1(44-.0%&WFSJGZGVMMΛ௥Ճ͠ɺূ໌ॻͷ֬ೝΛߦͬͨɻূ໌ॻ͕ແ͍ͱࣦഊ͢

    Δ͜ͱΛ֬ೝɻ

  14. TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRM44-FSSPSDFSUJpDBUFWFSJGZGBJMFE ূ໌ॻͷμ΢ϯϩʔυ͸ͪ͜Β͔Β https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html 2015೥ͷূ໌ॻΛ~/.postgresql/root.crtʹઃஔͨ͠ɻ ূ໌ॻͷ֬ೝ͕ࣦഊͨ͠ɻ

  15. TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN 44-DPOOFDUJPO QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎ 

    5ZQFIFMQGPSIFMQ IPHF ଓ͍ͯ2019೥ͷূ໌ॻΛಉ໊Ͱઃஔɻ઀ଓ੒ޭɻ

  16. ·ͱΊ w ূ໌ॻΛΫϥΠΞϯτʹઃஔ͍ͯ͠ͳ͍ͷͰ͋Ε͹3%4 ଆͷূ໌ॻͷߋ৽͚ͩͰ0,ɻ w தؒऀ߈ܸͷϦεΫΛߟ͑Δͱূ໌ॻΛઃஔͯ͠ɺূ໌ॻ ͷ֬ೝΛ༗ޮԽͨ͠΄͏͕ྑ͍ɻ w "84ͷαϙʔτͷਓɺ1PTUHSF42-ͷ࣭໰ʹ΋౴͑ͯ͘ Ε͍ͯ͢͝ʂ