Transitioning to ACM Certificates for SSL Connections

Comments

11 comments

  • Official comment
    Eli Weine

    **UPDATE 11-OCT-2017**

    Hello all, our investigation has been updated.  The ACM certificate change Amazon is making on 23-OCT-2017 should not affect the current version of Workbench for Redshift (v4.9.1.2686).

    If your Redshift cluster is set to require ssl, then the client Workbench connection ssl mode must also be set to ‘Require’.  This is no different than the current functionality.  Please note all other ssl modes may result in unencrypted connections.

  • jinpinl li

    Will Aginity initiate self-updates regarding this?

    1
  • Eli Weine

    Hello, thanks for pointing out this risk.  Workbench for Redshift version 4.9 currently uses the open source npgsql PostgreSQL driver (http://www.npgsql.org) to connect to Redshift.  It is included in the install package itself.

    I have brought this to the attention of the Product Team.  They have confirmed further investigation is needed, so we will update this post with the results of the investigation when it is complete.

    Thanks in advance for your patience.

    1
  • Bryan Post

    Any update on this item? Our team uses Aginity and cannot lose access to Redshift. More direct communication on this would be appreciated, otherwise we will have to begin migrating our user base to another platform.

    2
  • Owen Zacharias

    We're also concerned about this.  We have a large group using Aginity with Redshift and will need some lead time to account for upgrades.

    1
  • Lars Petter

    Same goes for us - investigating alternatives as we speak.

    0
  • Seema Chawla

    Yes, we are also concerned about this. Getting info from Aginity team will really help.

    0
  • Bryan Post

    @Eli Weine Is it true that Aginity for Redshift does not support SSL? Our team has been using Version 4.4.2183.656 (build 3/31/2015) with the assumption that SSL is active, due to the following prompt:

    Is this not the case? It seems strange that the service would advertise a security feature that is not actually present. Please let me know if I'm misunderstanding something.

    0
  • Eli Weine

    @Bryan, there was some confusion around this issue.  Workbench will use ssl when the mode is set to Require and the Redshift cluster requires ssl.  Sorry for any confusion.

    0
  • Owen Zacharias

    @Eli Weine:

    We're still a bit concerned. Looking a little deeper at the configuration options for npgsql (http://www.npgsql.org/doc/connection-string-parameters.html), we see the option to require SSL (which, as stated above, is exposed via the Aginity control panel), which will simply force SSL encryption.

    However, there is also an option "Trust Server Certificate" which defaults to false.  This setting controls SSL authentication.  The default setting (false) will cause the connection to fail for both self-signed certs as well as those without known/trusted CAs/anchor certificates.

    Can you please elaborate on how Aginity handles SSL authentication of the Redshift cluster?

    0
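
The distinction raised in the comment above (SSL Mode forcing encryption, Trust Server Certificate controlling whether the server certificate is validated), as an added example that is not part of the original thread and is not Aginity's or Npgsql's code: a small audit over connection strings. The sample strings, host names and result labels are constructed, and a missing SSL Mode is assumed to behave like a non-Require mode.

```python
# Added example: classify Npgsql-style connection strings by TLS posture.
# Hosts, databases and result labels below are constructed for illustration.

def parse_conn_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with normalised keys.
    Simplification: quoted values containing ';' are not handled."""
    settings = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        # Lower-case and drop spaces so 'SSL Mode' and 'ssl mode' match.
        settings[key.replace(" ", "").lower()] = value.strip()
    return settings

def classify(conn):
    s = parse_conn_string(conn)
    # Assumption: a missing SSL Mode is treated like a non-Require mode.
    ssl_mode = s.get("sslmode", "").lower()
    # Per the thread, Trust Server Certificate defaults to false.
    trust = s.get("trustservercertificate", "false").lower() == "true"
    if ssl_mode != "require":
        return "may-be-unencrypted"          # encryption not forced
    if trust:
        return "encrypted-unauthenticated"   # certificate not validated
    return "encrypted-authenticated"         # untrusted certs are rejected

SAMPLES = {  # constructed connection strings
    "default": "Host=cluster.example.com;Port=5439;Database=dev",
    "prefer": "Host=cluster.example.com;Port=5439;SSL Mode=Prefer",
    "require": "Host=cluster.example.com;Port=5439;SSL Mode=Require",
    "require_trust": "Host=cluster.example.com;Port=5439;SSL Mode=Require;"
                     "Trust Server Certificate=true",
}

def audit(samples):
    """Return {name: classification} for each connection string."""
    return {name: classify(conn) for name, conn in samples.items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name:15} {result}")
```
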
  • Bryan Post

    @Eli Weine:

    Some of our users have the following version installed:

    Workbench: Aginity Workbench for Redshift 4.4.2183.656 (3/31/2015)
    OS Version: Microsoft Windows NT 6.1.7601 Service Pack 1 (64-bit)
    DBMS Version: PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.1459
    Driver Used: Redshift

    Will they be affected by this change? From AWS' documentation, it appears they will. They report not seeing a "Check for updates" feature in their Aginity client. Should they manually download and install the newest version?

    0