Upgrade to Pro — share decks privately, control downloads, hide ads and more …

RDSのSSL/TLS証明書の更新

Yamamoto Kazuhisa
January 25, 2020
Technology
1
290

 RDSのSSL/TLS証明書の更新

第28回 中国地方DB勉強会の発表内容です。

Yamamoto Kazuhisa

January 25, 2020
Tweet

More Decks by Yamamoto Kazuhisa

See All by Yamamoto Kazuhisa
Railsプロジェクトキャッチアップのコツ
kazuhisa
0
75
IoTで農家を守れ! LTE-M Button Plusを利用した 箱罠動作検知システム
kazuhisa
1
4.2k
RDSのPostgreSQL9.3を がんばってバージョンアップしてみた
kazuhisa
0
920
AWS Lambdaについて
kazuhisa
1
400

Other Decks in Technology

See All in Technology
Cracking the KubeCon CfP
inductor
2
240
反実仮想機械学習とは何か
usaito
PRO
11
4.6k
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
240
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
5
510
Janus
bkuhlmann
1
490
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
170
オーナーシップを持つ領域を明確にする
konifar
13
3.1k
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
280
開発パフォーマンスを最大化するための開発体制
ham0215
2
360
アクセス制御にまつわる改善 / Improving access control
itkq
0
530
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
120
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
650

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
10
990
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
Code Reviewing Like a Champion
maltzj
514
39k
What's new in Ruby 2.0
geeforr
337
31k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Building Applications with DynamoDB
mza
88
5.6k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
What the flash - Photography Introduction
edds
64
11k

Transcript

  1. 3%4ͷ44-5-4ূ໌ॻͷ ߋ৽  ୈճதࠃ஍ํ%#ษڧձJOԬࢁ ࢁຊ࿨ٱ

  2. ࣗݾ঺հ w גࣜձࣾϦκʔϜ w ࢁຊ࿨ٱ w Ϛωʔδϟʔ w ࠷ۙͷؔ৺͸ΞδϟΠϧ։ൃ

  3. ࠓ೔࿩͢͜ͱ w 3%4ͷ1PTUHSF42-ͷ44-5-4ূ໌ॻʹ͍ͭͯ

  4. 44-5-4ূ໌ॻ w 3%4ͷ1PTUHSF42-͸σϑΥϧτͰ44-઀ଓͰ͢ɻ w SETDB͸೥݄೔ʹར༻Ͱ͖ͳ͘ͳΓ·͢ɻ w ظݶ͕དྷΔͱ3%4͸ࣗಈతʹ࠶ىಈ͕͔͔Γ·͢ɻ w ظ೔·Ͱʹαʔόʔͷূ໌ॻΛೖΕସ͑ɺ઀ଓݩͷূ໌ॻ ΋ߋ৽͢Δඞཁ͕͋Γ·͢ɻ

    https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate- rotation.html ͋ͨΓʹॻ͔Ε͍ͯ·͢ɻ

  5. 44-઀ଓ w &$ͷ"NB[PO-JOVY͔ΒQTRMίϚϯυͰ%#ʹ઀ଓ͢Δ ͱ࣍ͷΑ͏ʹදࣔ͞Ε·͢ <CPOEHBUF!JQDVSSFOU>QTRMIPHFITUBHJOHEFBECFBGBQ OPSUIFBTUSETBNB[POBXTDPN QTRM   44-DPOOFDUJPO

    QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎  5ZQFIFMQGPSIFMQ IPHF w 44-઀ଓ͞Ε͍ͯΔͷͰ"84ͷΞφ΢ϯε௨Γ઀ଓݩͷ ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Γ·͢ΑͶʁ

  6. ূ໌ॻ ೖΕͨهԱ͕ ແ͍ ɾ೥ྸʹΑΔهԱྗͷ௿Լ  ɾτϦοΩʔͳ"OTJCMFͷςΫχοΫͰઃఆ͞Εͨʁ ɾ༯ਫ਼ͷ࢓ۀʁ

  7. ٙ໰ w ΞΫηεݩʹূ໌ॻΛೖΕͨهԱ͕ͳ͍ͷʹɺͳͥ44-઀ ଓͰ͖Δͷ͔ʁ

  8. ૝૾ w &$ʹॳΊ͔Βূ໌ॻ͕ηοτ͞Ε͍ͯͨͷ͔ͳʁ w ୳ͯ͠ΈΔ͚Ͳݟ͔ͭΒͳ͍ɻ w ݕূ؀ڥͰ3%4ͷূ໌ॻΛSETDBʹߋ৽ͯ͠ΈΔɻ w ˠͳ͔ͥ઀ଓͰ͖Δɻ w

    ˠҙຯ͕Θ͔Βͳ͍

  9. "84ͷαϙʔτʹฉ͍ͯΈͨ ͓ੈ࿩ʹͳΓ·͢ɻ ΫϥΠΞϯτͷSSL/TLS ূ໌ॻߋ৽ͷඞཁੑʹ͍࣭ͭͯ໰͕͋Γ·͢ɻ DBͷ઀ଓݩΫϥΠΞϯτ͸EC2(AmazonLinux)ͰRDS͸PostgreSQLΛར༻͍ͯ͠·͢ɻ ࣍ͷΑ͏ʹpsql ίϚϯυͰDBʹ઀ଓ͢ΔͱʮSSL connectionʯͱදࣔ͞ΕΔͨΊɺݱࡏ͸SSL઀ଓ͍ͯ͠Δ͸ͣͰ͢ɻ --------------------------------------------------------------------------- [bondgate@ip-10-2-0-13

    ~]$ psql hoge -h staging.deadbeaf.ap-northeast-1.rds.amazonaws.com psql (9.5.15) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Type "help" for help. hoge=> --------------------------------------------------------------------------- https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html ͪ͜ΒͷΞφ΢ϯε௨Γɺ2020೥2݄5೔·ͰʹRDSͷূ໌ॻΛrds-ca-2015͔Βrds-ca-2019ʹมߋ͢Δඞཁ͕͋Δ͜ͱ͸ཧղͰ͖·ͨ͠ɻ ݕূ༻RDSͰূ໌ॻΛrds-ca-2019ʹมߋͨ͠ͱ͜Ζɺrds-ca-2015ͷ࣌ͱಉ͡Α͏ʹΫϥΠΞϯτ͔Β઀ଓ͢Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ࢿྉΛಡΉͱΫϥΠΞϯτͷSSL/TLS ূ໌ॻ΋ߋ৽͢Δඞཁ͕͋Δͱॻ͔Ε͍ͯΔͷͰ͕͢ɺ͜Ε͸ෆཁͳͷͰ͠ΐ͏͔ʁ ͦΕͱ΋ɺݱࡏͷEC2ʹrds-ca-2019ʹରԠ͢Δূ໌ॻ͕͢ͰʹΠϯετʔϧ͞Ε͍ͯΔͱ͍͏͜ͱͰ͠ΐ͏͔ʁ RDS্ͷSSL/TLSূ໌ॻͱΫϥΠΞϯτͷূ໌ॻͷؔ܎͕͏·͘ཧղͰ͖͍ͯͳ͍ͷͰ͕͢ɺ͝આ໌͍͚ͨͩΕ͹޾͍Ͱ͢ɻ ΑΖ͓͘͠Ͷ͕͍͠·͢ɻ DB Πϯελϯε:

  10. ͙͢ʹฦࣄ͕ฦ͖ͬͯͨ w ཁ໿͢Δͱ w QTRMίϚϯυʹ͓͚Δ44-5-4઀ଓ࣌ͷಈ࡞ʹ͍ͭͯ͸ TTMNPEFͱ͍͏ઃఆʹΑΓܾ·Δ w ݱࡏͷ઀ଓ͸TTMNPEF͸ઃఆ͞Ε͓ͯΒͣɺσϑΥϧτͷ TTMNPEFQSFGFSͱͯ͠ಈ࡞͍ͯ͠Δɻ w

    TTMNPEFQSFGFS͸ɺΫϥΠΞϯτ͸σʔλϕʔεαʔόଆ ͕44-5-4઀ଓʹରԠ͍ͯ͠Δ৔߹ʹ͸σʔλͷ҉߸Խ͸ ߦ͏΋ͷͷɺαʔόূ໌ॻͷݕূ͸ߦΘͳ͍ಈ࡞ͱͳΔɻ

  11. 1PTUHSF42-ͷυΩϡϝϯτ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

  12. .*5.๷ࢭͱ͸ʁ w தؒऀ߈ܸ w σʔλ͕ΫϥΠΞϯτɾαʔόؒͰ౉͞Ε͍ͯΔ࣌ ʹɺୈࡾऀ͕ͦͷσʔλΛมߋͰ͖Ε͹ɺαʔόΛ૷ ͏͜ͱ͕Ͱ͖ɺैͬͯͨͱ͑҉߸Խ͞Ε͍ͯͯ΋σʔ λΛཧղ͠มߋ͢Δ͜ͱ͕Ͱ͖·͢ɻୈࡾऀ͸ͦ͜Ͱɺ͜ͷ߈ܸ Λݕग़ෆՄೳʹ͢Δ઀ଓ৘ใͱσʔλΛݩͷαʔόʹૹΔ͜ͱ͕Ͱ͖·͢ɻ͜ΕΛߦ͏ ڞ௨ͨ͠ഔհ͸%/4ϙΠζχϯάͱΞυϨε৐ͬऔΓΛؚΈɺͦΕʹैͬͯΫϥΠΞϯ

    τ͸ҙਤͨ͠αʔόͰ͸ͳ͘ҟͳͬͨαʔόʹ༠ಋ͞Ε·͢ɻಉ࣌ʹɺ͜ͷ͜ͱΛ੒͠ ਱͛Δ͍͔ͭ͘ͷҟͳͬͨ߈ܸ΋ଘࡏ͠·͢ɻ44-͸ΫϥΠΞϯτʹର͠αʔόΛೝূ ͢Δ͜ͱͰɺ͜ͷ๷ࢭʹূ໌ॻݕূΛ࢖༻͠·͢ɻ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html

  13. TTMNPEFͷݕূ <CPOEHBUF!JQd>1(44-.0%&WFSJGZGVMMQTRMIPHFI TUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRMSPPUDFSUJpDBUFpMFIPNFCPOEHBUFQPTUHSFTRMSPPUDSUEPFTOPU FYJTU &JUIFSQSPWJEFUIFpMFPSDIBOHFTTMNPEFUPEJTBCMFTFSWFSDFSUJpDBUF WFSJpDBUJPO RDSͷূ໌ॻΛ2019೥ͷূ໌ॻʹߋ৽ɻSSL௨৴࣌ͷূ໌ॻͷ֬ೝΛڧ੍͠ ͨ৔߹ͷಈ͖Λݕূͨ͠ɻ 1(44-.0%&WFSJGZGVMMΛ௥Ճ͠ɺূ໌ॻͷ֬ೝΛߦͬͨɻূ໌ॻ͕ແ͍ͱࣦഊ͢

    Δ͜ͱΛ֬ೝɻ

  14. TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRM44-FSSPSDFSUJpDBUFWFSJGZGBJMFE ূ໌ॻͷμ΢ϯϩʔυ͸ͪ͜Β͔Β https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html 2015೥ͷূ໌ॻΛ~/.postgresql/root.crtʹઃஔͨ͠ɻ ূ໌ॻͷ֬ೝ͕ࣦഊͨ͠ɻ

  15. TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN 44-DPOOFDUJPO QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎ 

    5ZQFIFMQGPSIFMQ IPHF ଓ͍ͯ2019೥ͷূ໌ॻΛಉ໊Ͱઃஔɻ઀ଓ੒ޭɻ

  16. ·ͱΊ w ূ໌ॻΛΫϥΠΞϯτʹઃஔ͍ͯ͠ͳ͍ͷͰ͋Ε͹3%4 ଆͷূ໌ॻͷߋ৽͚ͩͰ0,ɻ w தؒऀ߈ܸͷϦεΫΛߟ͑Δͱূ໌ॻΛઃஔͯ͠ɺূ໌ॻ ͷ֬ೝΛ༗ޮԽͨ͠΄͏͕ྑ͍ɻ w "84ͷαϙʔτͷਓɺ1PTUHSF42-ͷ࣭໰ʹ΋౴͑ͯ͘ Ε͍ͯ͢͝ʂ