# gooddata-cn
Pete:
Hi, we're wondering how we can check whether GoodData.CN services (metadata-api and sql-executor) are connecting to our RDS Postgres cluster over TLS and, if not, how to enable TLS. We're running GoodData.CN 3.8. Thanks so much!
Jakub:
Hello Pete, thank you for bringing that up. Please allow me to assist you with your question. There is no short answer, as it depends on how GoodData CN is deployed. You might find your answer in environment variables, such as in the Helm charts. For TLS, connection strings should include parameters like `sslmode`, `sslrootcert` and `sslcert`. You can also check active connections to your RDS PostgreSQL cluster to see if they are encrypted:

1. Connect to the PostgreSQL database: you can connect using a tool like psql or any other PostgreSQL client.
2. Run the following query:

```sql
SELECT datname, usename, ssl, client_addr, client_hostname, client_port
FROM pg_stat_ssl
JOIN pg_stat_activity ON pg_stat_ssl.pid = pg_stat_activity.pid;
```

If on Amazon RDS SSL has been configured to REQUIRE an SSL connection, then `psql` will fail to connect. The requirement for connections to the PostgreSQL DB instance to use SSL is specified in `rds.force_ssl`. The encrypted status of your connection is shown in the logon banner when you connect to the DB instance, for example:
```
Password for user master:
psql (10.3)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=>
```

You can also load the `sslinfo` extension and then call the `ssl_is_used()` function to determine if SSL is being used. The function returns `t` if the connection is using SSL, otherwise it returns `f`:

```sql
CREATE EXTENSION sslinfo;

SELECT ssl_is_used();
```
Please let me know if that helped.
Pete:
Thank you, Jakub. We ran the above query to confirm that a TLS connection is being used to connect to our RDS Postgres cluster. Our follow-up question is what we must do when RDS's CA cert expires, as described here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html. What steps should we follow to ensure that we have minimal or no downtime for our GoodData.CN services when we upgrade the cert in RDS?
Jakub:
Hello Pete, I understand you are asking about how to renew the certificate on the GoodData CN node, correct? It really depends on how it is being deployed. I recommend backing up the current certificates before they get replaced by newer ones; after that, Docker or Kubernetes will need to be restarted. GoodData CN is a self-managed service, and the steps which need to be followed are exactly the same as for the renewal of any TLS certificate on Kubernetes or Docker nodes. To ensure no downtime, I suggest renewing the certificate in a timely manner before the current one expires, and also leaving enough time for eventual troubleshooting if needed. Does this answer all your questions?
Hello Pete, it's been a while since we last heard from you. Would you still require my assistance? Cheers!