Configure SSL
If you select Use SSL in source or target properties, set the options as follows.
Caution
In all cases, replace mypassword with a secure password.
... for Amazon RDS for MariaDB
Using SSL certificates is optional.
Download the root certificate rds-ca-2019-root.pem.
Import that certificate into a custom Java truststore file:
keytool -importcert -alias MariaCACert -file rds-ca-2019-root.pem \
  -keystore clientkeystore.jks -storepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box or set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file clientkeystore.jks created as part of step 2.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Trust Certificate Key Store Password - set the value specified in --storepass in step 2.
Trust Certificate: if you selected Lift and Shift only and the source and target are both MariaDB, upload the rds-ca-2019-root.pem root certificate downloaded in step 1. Otherwise leave blank.
... for MariaDB on premise
Using SSL certificates is optional.
To import the certificate (must be in .pem format) into a custom Java truststore file:
keytool -importcert -alias MariaCACert -file server-ca.pem \
  -keystore truststore.jks -storepass mypassword
Client Certificate Settings:
Convert client keys/certificate files to PKCS#12 before creating a keystore
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
  -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
  -srcstorepass mypassword -destkeystore keystore.jks -deststoretype JKS \
  -deststorepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box or set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 1.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 1.
Trust Certificate Key Store Password - set the value specified in --storepass in step 1.
Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 2.
Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Client Certificate Key Store Password- set the value specified in --deststorepass in step 2.
If you selected Lift and Shift only and the source and target are both MariaDB, set these additional properties:
Trust Certificate - Upload server-ca.pem
Client Certificate - Upload client-cert.pem
Client Certificate Key- Upload client-key.pem
... for Amazon RDS for MySQL
Using SSL certificates is optional.
Download root certificate rds-ca-2019-root.pem.
To import the certificate into a custom Java truststore file:
keytool -importcert -alias MySQLCACert -file rds-ca-2019-root.pem \
  -keystore clientkeystore.jks -storepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file clientkeystore.jks created as part of step 2.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Trust Certificate Key Store Password - set the value specified in --storepass in step 2.
Trust Certificate: if you selected Lift and Shift only and the source and target are both MySQL, upload the rds-ca-2019-root.pem certificate downloaded in step 1. Otherwise leave blank.
... for Azure Database for MySQL
Using SSL certificates is optional.
Download BaltimoreCyberTrustRoot.crt.pem & DigiCertGlobalRootG2.crt.pem certificates
Create truststore files:
keytool -importcert -alias MySQLServerCACert -file /path...../BaltimoreCyberTrustRoot.crt.pem \
  -keystore truststore.jks -storepass password -noprompt
keytool -importcert -alias MySQLServerCACert2 -file /path...../DigiCertGlobalRootG2.crt.pem \
  -keystore truststore.jks -storepass password -noprompt
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box to set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Trust Certificate Key Store Password - set the value specified in --storepass in step 2.
Trust Certificate: if you selected Lift and Shift only and the source and target are both MySQL, upload the BaltimoreCyberTrustRoot.crt.pem certificate downloaded in step 1. Otherwise leave blank.
... for Google Cloud SQL for MySQL
Using SSL certificates is optional.
Download server-ca.pem, client-cert.pem & client-key.pem from GCP.
To import the certificate into a custom Java truststore file:
keytool -importcert -alias MySQLCACert -file server-ca.pem -keystore truststore.jks \
  -storepass mypassword
Client certificate settings:
Convert client keys/certificate files to PKCS#12:
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
  -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file:
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
  -srcstorepass mypassword -destkeystore keystore.jks \
  -deststoretype JKS -deststorepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Trust Certificate Key Store Password - set the value specified in --storepass in step 2.
Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 3.
Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 3.
Client Certificate Key Store Password- set the value specified in --deststorepass in step 3.
If you selected Lift and Shift only and the source and target are both MySQL, set these additional properties:
Trust Certificate - Upload server-ca.pem
Client Certificate - Upload client-cert.pem
Client Certificate Key- Upload client-key.pem
... for MySQL on premise
Using SSL certificates is optional.
To import the certificate (must be in .pem format) into a custom Java truststore file:
keytool -importcert -alias MariaCACert -file server-ca.pem \
  -keystore truststore.jks -storepass mypassword
Convert client keys/certificate files to PKCS#12:
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
  -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file:
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
  -srcstorepass mypassword -destkeystore keystore.jks \
  -deststoretype JKS -deststorepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true (The client must set this property in order to use encrypted connections )
Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )
Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.
Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.
Trust Certificate Key Store Password - set the value specified in --storepass in step 2.
Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 3.
Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 3.
Client Certificate Key Store Password- set the value specified in --deststorepass in step 3.
If you selected Lift and Shift only and the source and target are both MySQL, set these additional properties:
Trust Certificate - Upload server-ca.pem
Client Certificate - Upload client-cert.pem
Client Certificate Key- Upload client-key.pem
... for Amazon RDS for Oracle
An SSL certificate is required.
Download root certificate rds-ca-2019-root.pem.
To import the certificate into a custom Java truststore file:
keytool -importcert -alias OracleCACert -file rds-ca-2019-root.pem \
  -keystore clientkeystore.jks -storepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true
Trust store - upload this certificate key store file clientkeystore.jks created as part of step 2.
Trust store type - JKS
Trust store password - set the value specified in --storepass in step 2.
Trust Certificate: if you selected Lift and Shift only and the source and target are both Oracle, upload the rds-ca-2019-root.pem root certificate downloaded in step 1. Otherwise leave blank.
... for Oracle on premise
An SSL certificate is required.
To import the certificate (.pem format) into a custom Java truststore file:
keytool -importcert -alias OracleCACert -file server-ca.pem \
  -keystore truststore.jks -storepass mypassword
Convert client keys/certificate files to PKCS#12 before creating a keystore:
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
  -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file:
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
  -srcstorepass mypassword -destkeystore keystore.jks -deststoretype JKS \
  -deststorepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true
Trust store - upload this certificate key store file truststore.jks created as part of step 1.
Trust store type - provide the store type as specified (eg.JKS) in step 1.
Trust store password - set the value specified in --storepass in step 1.
Key Store - upload this certificate key store file keystore.jks created as part of step 3.
Key Store Type - provide the store type as specified (eg.JKS) in step 3.
Key Store Password- set the value specified in --deststorepass in step 3.
Additional properties for Lift and Shift Only from Oracle to Oracle (homogenous migration):
... for Amazon RDS for PostgreSQL
Using SSL certificates is optional.
Download root certificate rds-ca-2019-root.pem.
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
SSL Mode - disable / allow / prefer / require /verify-ca, based on the type of encryption and validation required for the user (verify-full is not supported)
SSL Root Certificate - upload the downloaded root certificate mentioned in step 1
... for Azure Database for PostgreSQL
Using SSL certificates is optional.
Download BaltimoreCyberTrustRoot.crt.pem certificate.
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
SSL Mode - disable / allow / prefer / require /verify-ca , based on the type of encryption and validation required for the user (verify-full is not supported)
SSL Root Certificate - upload the downloaded root certificate mentioned in step 1
... for Google Cloud SQL for PostgreSQL
Using SSL certificates is optional.
Download server-ca.pem, client-cert.pem & client-key.pem from GCP.
Convert client-key.pem to .pk8 format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client.root.pk8 \
  -nocrypt
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
SSL Mode - disable / allow / prefer / require /verify-ca , based on the type of encryption and validation required for the user (verify-full is not supported)
SSL Certificate - upload the downloaded certificate client-cert.pem mentioned in step 1.
SSL Certificate Key (in .pk8 format) - upload the certificate key file client.root.pk8 specified in step 1.
SSL Root Certificate - upload the downloaded root certificate server-ca.pem mentioned in step 1
Client Certificate Key: if you selected Lift and Shift only and the source and target are both PostgreSQL, upload the client-key.pem file downloaded in step 1. Otherwise leave blank.
... for PostgreSQL on premise
Using SSL certificates is optional.
Convert client-key.pem to .pk8 format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client.root.pk8 \
  -nocrypt
In Streamshift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
SSL Mode - disable / allow / prefer / require / verify-ca, to match the type of encryption and validation required for the user (verify-full is not supported)
SSL Certificate - upload the created SSL certificate client-cert.pem
SSL Certificate Key (in .pk8 format) - upload the certificate key file client.root.pk8 specified in step 1.
SSL Root Certificate - upload the created root certificate server-ca.pem
Client Certificate Key: if you selected Lift and Shift only and the source and target are both PostgreSQL, upload the client-key.pem file downloaded in step 1. Otherwise leave blank.
... for Amazon RDS for SQL Server
Using SSL certificates is optional.
Download the root certificate rds-ca-2019-root.pem.
Import that certificate into a custom Java truststore file:
keytool -importcert -alias MSSQLCACert -file rds-ca-2019-root.pem \
  -keystore clientkeystore.jks -storepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true (The client must set this property in order to use encrypted connections)
Use Trust Server Certificate - check this box or set to true
Integrated Security - check this box or set to true (If “true”, it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied)
Trust Store - upload the certificate key store file clientkeystore.jks created as part of step 2.
Trust Store Password - set the value specified in --storepass in step 2.
Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. (Eg : *.database.windows.net )
... for Azure SQL Database or Azure SQL Managed Instance
Using SSL certificates is optional.
Download BaltimoreCyberTrustRoot.crt.pem & DigiCertGlobalRootG2.crt.pem certificates
Create truststore files:
keytool -importcert -alias MSSQLServerCACert \
  -file /path...../BaltimoreCyberTrustRoot.crt.pem -keystore truststore.jks \
  -storepass password -noprompt
keytool -importcert -alias MSSQLServerCACert2 \
  -file /path...../DigiCertGlobalRootG2.crt.pem -keystore truststore.jks \
  -storepass password -noprompt
In Streamshift SSL UI:
SSL - check this box to set to true (The client must set this property in order to use encrypted connections)
Use Trust Server Certificate - check this box or set to true
Integrated Security - check this box or set to true (If "true", it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)
Trust Store - upload the certificate key store file truststore.jks created as part of step 2.
Trust Store Password - set the value specified in --storepass in step 2.
Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )
... for Google Cloud SQL for SQL Server
Using SSL certificates is optional.
Download server-ca.pem from GCP.
To import the certificate into a custom Java truststore file:
keytool -importcert -alias MSSQLCACert -file server-ca.pem -keystore truststore.jks \
  -storepass mypassword
In Streamshift SSL UI:
SSL - check this box to set to true (The client must set this property in order to use encrypted connections )
Use Trust Server Certificate - check this box or set to true
Integrated Security - check this box or set to true (If "true", it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)
Trust Store - upload the certificate key store file truststore.jks created as part of step 2.
Trust Store Password - set the value specified in --storepass in step 2.
Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )
... for SQL Server on premise
Using SSL certificates is optional.
Create server-ca.pem
To create the truststore file, use the following command:
keytool -importcert -alias MSSQLCACert -file server-ca.pem -keystore truststore.jks \
  -storepass mypassword
In StreamShift SSL UI:
SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )
Use Trust Server Certificate - check this box or set to true
Integrated Security - check this box or set to true (If "true", it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)
Trust Store - upload the certificate key store file truststore.jks created as part of step 2.
Trust Store Password - set the value specified in --storepass in step 2.
Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )
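Before uploading the files created in the sections above, it is worth confirming that client-key.pem belongs to client-cert.pem, that client-keystore.p12 carries that certificate, and that truststore.jks holds the CA you intended to trust. The script below is an added example, not part of the Streamshift documentation; the function names and the STORE_PASS environment variable are assumptions, and it reads the store password from the environment instead of the command line.

```shell
#!/bin/sh
# Added example: pre-upload checks for the files created on this page.
# File names follow the page; STORE_PASS (exported) is an assumed variable
# holding the store password so it stays out of the process argument list.

# Print the SHA-256 fingerprint of PEM certificate $1 (AB:CD:... form).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed only if private key $2 belongs to certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if PKCS#12 file $1 carries client certificate $2.
p12_has_cert() {
    p12_fp=$(openssl pkcs12 -in "$1" -passin env:STORE_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$p12_fp" ] && [ "$p12_fp" = "$(cert_fingerprint "$2")" ]
}

# Succeed only if Java truststore $1 contains CA certificate $2 (needs keytool).
truststore_has_cert() {
    ca_fp=$(cert_fingerprint "$2")
    [ -n "$ca_fp" ] &&
        keytool -list -v -keystore "$1" -storepass:env STORE_PASS 2>/dev/null |
        grep -qiF "$ca_fp"
}

# Run all three checks against the page's file names: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    key_matches_cert client-cert.pem client-key.pem ||
        { echo "client-key.pem does not match client-cert.pem" >&2; exit 1; }
    p12_has_cert client-keystore.p12 client-cert.pem ||
        { echo "client-keystore.p12 does not carry client-cert.pem" >&2; exit 1; }
    truststore_has_cert truststore.jks server-ca.pem ||
        { echo "truststore.jks does not contain server-ca.pem" >&2; exit 1; }
    echo "all checks passed"
fi
```

For the RDS and Azure sections, pass the downloaded root certificate and clientkeystore.jks or truststore.jks to truststore_has_cert instead of server-ca.pem.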