StreamShift Documentation

Configure SSL

If you select Use SSL in source or target properties, set the options as follows.

Caution

In all cases, replace mypassword with a secure password.

... for Amazon RDS for MariaDB

Using SSL certificates is optional.

  1. Download the root certificate rds-ca-2019-root.pem.

  2. Import that certificate into a custom Java truststore file:

    keytool -importcert -alias MariaCACert -file rds-ca-2019-root.pem \
      -keystore clientkeystore.jks -storepass mypassword 
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box or set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file clientkeystore.jks created as part of step 2.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 2.

    6. Trust Certificate: if you selected Lift and Shift only and the source and target are both MariaDB, upload the rds-ca-2019-root.pem root certificate downloaded in step 1. Otherwise leave blank.

... for MariaDB on premise

Using SSL certificates is optional.

  1. To import the certificate (must be in .pem format) into a custom Java truststore file:

    keytool -importcert -alias MariaCACert -file server-ca.pem \
      -keystore truststore.jks -storepass mypassword 
  2. Client Certificate Settings:

    1. Convert client keys/certificate files to PKCS#12 before creating a keystore

      openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
        -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
    2. Create a Java Keystore using the client-keystore.p12 file

      keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
        -srcstorepass mypassword -destkeystore keystore.jks -deststoretype JKS \
        -deststorepass mypassword
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box or set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 1.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 1.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 1.

    6. Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 2.

    7. Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    8. Client Certificate Key Store Password- set the value specified in --deststorepass in step 2.

If you selected Lift and Shift only and the source and target are both MariaDB, set these additional properties:

  1. Trust Certificate - Upload server-ca.pem

  2. Client Certificate - Upload client-cert.pem

  3. Client Certificate Key- Upload client-key.pem

... for Amazon RDS for MySQL

Using SSL certificates is optional.

  1. Download root certificate rds-ca-2019-root.pem.

  2. To import the certificate into a custom Java truststore file:

    keytool -importcert -alias MySQLCACert -file rds-ca-2019-root.pem \
      -keystore clientkeystore.jks -storepass mypassword
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file clientkeystore.jks created as part of step 2.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 2.

    6. Trust Certificate: if you selected Lift and Shift only and the source and target are both MySQL, upload the rds-ca-2019-root.pem certificate downloaded in step 1. Otherwise leave blank.

... for Azure Database for MySQL

Using SSL certificates is optional.

  1. Download BaltimoreCyberTrustRoot.crt.pem & DigiCertGlobalRootG2.crt.pem certificates

  2. Create truststore files:

    keytool -importcert -alias MySQLServerCACert -file /path...../BaltimoreCyberTrustRoot.crt.pem \
      -keystore truststore.jks -storepass password -noprompt
    keytool -importcert -alias MySQLServerCACert2 -file /path...../DigiCertGlobalRootG2.crt.pem \
      -keystore truststore.jks -storepass password -noprompt
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box to set to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 2.

    6. Trust Certificate: if you selected Lift and Shift only and the source and target are both MySQL, upload the BaltimoreCyberTrustRoot.crt.pem certificate downloaded in step 1. Otherwise leave blank.

... for Google Cloud SQL for MySQL

Using SSL certificates is optional.

  1. Download server-ca.pem, client-cert.pem & client-key.pem from GCP.

  2. To import the certificate into a custom Java truststore file:

    keytool -importcert -alias MySQLCACert -file server-ca.pem -keystore truststore.jks \
      -storepass mypassword
  3. Client certificate settings:

    1. Convert client keys/certificate files to PKCS#12:

      openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
        -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
    2. Create a Java Keystore using the client-keystore.p12 file:

      keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
        -srcstorepass mypassword -destkeystore keystore.jks \
        -deststoretype JKS -deststorepass mypassword
  4. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 2.

    6. Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 3.

    7. Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 3.

    8. Client Certificate Key Store Password- set the value specified in --deststorepass in step 3.

If you selected Lift and Shift only and the source and target are both MySQL, set these additional properties:

  1. Trust Certificate - Upload server-ca.pem

  2. Client Certificate - Upload client-cert.pem

  3. Client Certificate Key- Upload client-key.pem

... for MySQL on premise

Using SSL certificates is optional.

  1. To import the certificate (must be in .pem format) into a custom Java truststore file:

    keytool -importcert -alias MariaCACert -file server-ca.pem \
      -keystore truststore.jks -storepass mypassword 
  2. Convert client keys/certificate files to PKCS#12:

    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
      -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
  3. Create a Java Keystore using the client-keystore.p12 file:

    keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
      -srcstorepass mypassword -destkeystore keystore.jks \
      -deststoretype JKS -deststorepass mypassword
  4. In StreamShift SSL UI:

    1. SSL - check this box to set to true (The client must set this property in order to use encrypted connections )

    2. Verify Server Certificate - check this box to set it to true. ( On setting it to true, all the ssl certificates mentioned below will be verified while establishing the connection. )

    3. Trust Certificate Key Store Url - upload the certificate key store file truststore.jks created as part of step 2.

    4. Trust Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 2.

    5. Trust Certificate Key Store Password - set the value specified in --storepass in step 2.

    6. Client Certificate Key Store Url - upload the certificate key store file keystore.jks created as part of step 3.

    7. Client Certificate Key Store Type - provide the store type as specified (eg.JKS) in step 3.

    8. Client Certificate Key Store Password- set the value specified in --deststorepass in step 3.

If you selected Lift and Shift only and the source and target are both MySQL, set these additional properties:

  1. Trust Certificate - Upload server-ca.pem

  2. Client Certificate - Upload client-cert.pem

  3. Client Certificate Key- Upload client-key.pem

... for Amazon RDS for Oracle

An SSL certificate is required.

  1. Download root certificate rds-ca-2019-root.pem.

  2. To import the certificate into a custom Java truststore file:

    keytool -importcert -alias OracleCACert -file rds-ca-2019-root.pem \
     -keystore clientkeystore.jks -storepass mypassword
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true

    2. Trust store - upload this certificate key store file clientkeystore.jks created as part of step 2.

    3. Trust store type - JKS

    4. Trust store password - set the value specified in --storepass in step 2.

    5. Trust Certificate: if you selected Lift and Shift only and the source and target are both Oracle, upload the rds-ca-2019-root.pem root certificate downloaded in step 1. Otherwise leave blank.

... for Oracle on premise

An SSL certificate is required.

  1. To import the certificate(.pem format) into a custom Java truststore file:

    keytool -importcert -alias OracleCACert -file server-ca.pem \
      -keystore truststore.jks -storepass mypassword
  2. Convert client keys/certificate files to PKCS#12 before creating a keystore:

    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
      -name "mysqlclient" -passout pass:mypassword -out client-keystore.p12
  3. Create a Java Keystore using the client-keystore.p12 file:

    keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
      -srcstorepass mypassword -destkeystore keystore.jks -deststoretype JKS \
      -deststorepass mypassword
  4. In StreamShift SSL UI:

    1. SSL - check this box to set to true

    2. Trust store - upload this certificate key store file truststore.jks created as part of step 1.

    3. Trust store type - provide the store type as specified (eg.JKS) in step 1.

    4. Trust store password - set the value specified in --storepass in step 1.

    5. Key Store - upload this certificate key store file keystore.jks created as part of step 3.

    6. Key Store Type - provide the store type as specified (eg.JKS) in step 3.

    7. Key Store Password- set the value specified in --deststorepass in step 3.

Additional properties for Lift and Shift Only from Oracle to Oracle (homogenous migration):

... for Amazon RDS for PostgreSQL

Using SSL certificates is optional.

  1. Download root certificate rds-ca-2019-root.pem.

  2. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. SSL Mode - disable / allow / prefer / require /verify-ca, based on the type of encryption and validation required for the user (verify-full is not supported)

    3. SSL Root Certificate - upload the downloaded root certificate mentioned in step 1

... for Azure Database for PostgreSQL

Using SSL certificates is optional.

  1. Download BaltimoreCyberTrustRoot.crt.pem certificate.

  2. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. SSL Mode - disable / allow / prefer / require /verify-ca , based on the type of encryption and validation required for the user (verify-full is not supported)

    3. SSL Root Certificate - upload the downloaded root certificate mentioned in step 1

... for Google Cloud SQL for PostgreSQL

Using SSL certificates is optional.

  1. Download server-ca.pem, client-cert.pem & client-key.pem from GCP.

  2. Convert client-key.pem to .pk8 format:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client.root.pk8 \
      -nocrypt
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. SSL Mode - disable / allow / prefer / require /verify-ca , based on the type of encryption and validation required for the user (verify-full is not supported)

    3. SSL Certificate - upload the downloaded certificate client-cert.pem mentioned in step 1.

    4. SSL Certificate Key (in .pk8 format) - upload the certificate key file client.root.pk8 specified in step 1.

    5. SSL Root Certificate - upload the downloaded root certificate server-ca.pem mentioned in step 1

    6. Client Certificate Key: if you selected Lift and Shift only and the source and target are both PostgreSQL, upload the client-key.pem file downloaded in step 1. Otherwise leave blank.

... for PostgreSQL on premise

Using SSL certificates is optional.

  1. Convert client-key.pem to .pk8 format:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client.root.pk8 \
      -nocrypt
  2. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. SSL Mode - disable / allow / prefer / require /verify-ca , to match the type of encryption and validation required for the user (verify-full is not supported)

    3. SSL Certificate - upload the created SSL certificate client-cert.pem

    4. SSL Certificate Key (in .pk8 format) - upload the certificate key file client.root.pk8 specified in step 1.

    5. SSL Root Certificate - upload the created root certificate server-ca.pem

    6. Client Certificate Key: if you selected Lift and Shift only and the source and target are both PostgreSQL, upload the client-key.pem file downloaded in step 1. Otherwise leave blank.
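
The PKCS#12 conversion used in the on-premise and Google Cloud SQL client-certificate steps, and the .pk8 conversion in the two PostgreSQL sections, as an added example that is not part of the StreamShift documentation: it checks that client-key.pem belongs to client-cert.pem before packaging, reads the password from an environment variable instead of the command line, and writes key material owner-only. The variable name P12_PASS, the helper function names and the throwaway certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not StreamShift code. Needs OpenSSL 1.1.1 or later on PATH.
# P12_PASS is an assumed variable name; it must be exported before use.

# Succeeds only when the private key belongs to the certificate.
# usage: key_matches_cert cert.pem keyfile [PEM|DER]
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -inform "${3:-PEM}" -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# PKCS#12 step: the password comes from the environment, not from argv.
# usage: build_p12 client-cert.pem client-key.pem client-keystore.p12
build_p12() {
  [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  ( umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" \
      -name mysqlclient -passout env:P12_PASS -out "$3" )
}

# Subject of the certificate stored in a PKCS#12 file (fails on a wrong password).
p12_subject() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
    openssl x509 -noout -subject
}

# PostgreSQL step: -nocrypt leaves the key unencrypted, so write it owner-only.
# usage: key_to_pk8 client-key.pem client.root.pk8
key_to_pk8() {
  ( umask 077 && openssl pkcs8 -topk8 -inform PEM -outform DER \
      -in "$1" -out "$2" -nocrypt )
}

# Constructed sample material: a throwaway self-signed pair plus an unrelated key.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-client" \
    -keyout "$1/client-key.pem" -out "$1/client-cert.pem" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other-key.pem" 2>/dev/null
}

demo() {
  dir=$(mktemp -d) || return 1
  P12_PASS='constructed-demo-only'; export P12_PASS
  make_sample "$dir" || return 1
  build_p12 "$dir/client-cert.pem" "$dir/client-key.pem" "$dir/client-keystore.p12" &&
    p12_subject "$dir/client-keystore.p12"
  build_p12 "$dir/client-cert.pem" "$dir/other-key.pem" "$dir/bad.p12" ||
    echo "mismatched key rejected before any keystore was written"
  key_to_pk8 "$dir/client-key.pem" "$dir/client.root.pk8" &&
    key_matches_cert "$dir/client-cert.pem" "$dir/client.root.pk8" DER &&
    echo "pk8 key matches client-cert.pem"
  rm -rf "$dir"
}
demo
```

For the keytool steps, the same separation is available through the `:env` modifier, for example `-storepass:env P12_PASS`, `-srcstorepass:env P12_PASS` and `-deststorepass:env P12_PASS`.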

... for Amazon RDS for SQL Server

Using SSL certificates is optional.

  1. Download the root certificate rds-ca-2019-root.pem.

  2. Import that certificate into a custom Java truststore file:

    keytool -importcert -alias MSSQLCACert -file rds-ca-2019-root.pem \
      -keystore clientkeystore.jks -storepass mypassword 
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true (The client must set this property in order to use encrypted connections)

    2. Use Trust Server Certificate - check this box or set to true

    3. Integrated Security - check this box or set to true (If “true”, it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied)

    4. Trust Store - upload the certificate key store file clientkeystore.jks created as part of step 2.

    5. Trust Store Password - set the value specified in --storepass in step 2.

    6. Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. (Eg : *.database.windows.net )

... for Azure SQL Database or Azure SQL Managed Instance

Using SSL certificates is optional.

  1. Download BaltimoreCyberTrustRoot.crt.pem & DigiCertGlobalRootG2.crt.pem certificates

  2. Create truststore files:

    keytool -importcert -alias MSSQLServerCACert \
      -file /path...../BaltimoreCyberTrustRoot.crt.pem -keystore truststore.jks \
      -storepass password -noprompt
    keytool -importcert -alias MSSQLServerCACert2 \
      -file /path...../DigiCertGlobalRootG2.crt.pem -keystore truststore.jks \
      -storepass password -noprompt
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true (The client must set this property in order to use encrypted connections)

    2. Use Trust Server Certificate - check this box or set to true

    3. Integrated Security - check this box or set to true (If “true”, it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)

    4. Trust Store - upload the certificate key store file truststore.jks created as part of step 2.

    5. Trust Store Password - set the value specified in --storepass in step 2.

    6. Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )

... for Google Cloud SQL for SQL Server

Using SSL certificates is optional.

  1. Download server-ca.pem from GCP.

  2. To import the certificate into a custom Java truststore file:

    keytool -importcert -alias MSSQLCACert -file server-ca.pem -keystore truststore.jks \
      -storepass mypassword
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true (The client must set this property in order to use encrypted connections )

    2. Use Trust Server Certificate - check this box or set to true

    3. Integrated Security - check this box or set to true (If “true”, it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)

    4. Trust Store - upload the certificate key store file truststore.jks created as part of step 2.

    5. Trust Store Password - set the value specified in --storepass in step 2.

    6. Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )

... for SQL Server on premise

Using SSL certificates is optional.

  1. Create server-ca.pem

  2. To Create truststore file, use the following command:

    keytool -importcert -alias MSSQLCACert -file server-ca.pem -keystore truststore.jks \
      -storepass mypassword
  3. In StreamShift SSL UI:

    1. SSL - check this box to set to true ( The client must set this property in order to use encrypted connections )

    2. Use Trust Server Certificate - check this box or set to true

    3. Integrated Security - check this box or set to true (If “true”, it indicates that Windows credentials are used by SQL Server on Windows OS. The JDBC driver searches the local computer credential cache for credentials that were provided when a user signed in to the computer or network. If "false", the username and password must be supplied.)

    4. Trust Store - upload the certificate key store file truststore.jks created as part of step 2.

    5. Trust Store Password - set the value specified in --storepass in step 2.

    6. Certificate Host Name - Host name of the server used to validate the SQL Server TLS/SSL certificate. ( Eg : *.database.windows.net )