Tim
Reputation: 715
Using python-oracledb / cx_oracle to connect to AWS RDS Oracle with TLS
I'm trying to use the Python oracledb library (successor to cx_oracle) to connect from AWS Lambda to RDS Oracle using TLS. I may want to do mutual TLS, but even one-way TLS would be fine. I could use some help.
What I can do:
- I can connect to RDS Oracle using TLS with SQL Developer on my local PC. I had to add the AWS RDS 2019 root cert to the Java Keystore. I didn't have to use an Oracle wallet.
- I can connect unencrypted from Lambda Python 3.9 to Oracle RDS using python-oracledb in thin mode
- I can connect unencrypted from Python on my PC to Oracle RDS using python-oracledb in thin mode
Noting that this is not a firewall issue, I have opened up the correct ports in AWS.
Code
Here's the basics of the code, which is very similar to the Oracle example.
import oracledb
import sys
import boto3
# When creating the Lambda function, ensure the following setting for LD_LIBRARY_PATH
def lambda_handler(event, context):
ssm_parameter = boto3.client('ssm')
# Unencrypted connection works fine
# oracleDSN = "dbname.accountstring.ap-southeast-2.rds.amazonaws.com:2484/servicename"
oracleDSN = '''(description= (retry_count=3)(retry_delay=1)(address=(protocol=tcps)
(port=2484)(host=dbname.accountstring.ap-southeast-2.rds.amazonaws.com))(connect_data=(service_name=servicename))
(security=(ssl_server_cert_dn="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=dbname.accountstring.ap-southeast-2.rds.amazonaws.com")))'''
connRds = oracledb.connect(user=database_user, password=database_password, dsn=oracleDSN)
Errors
Here's the error message output from lambda (# replaces sensitive information)
Response
{
"errorMessage": "DPY-6005: cannot connect to database. Connection failed with \"[SSL] internal error (_ssl.c:2633)\"",
"errorType": "OperationalError",
"requestId": "",
"stackTrace": [
" File \"/var/lang/lib/python3.9/importlib/__init__.py\", line 127, in import_module\n return _bootstrap._gcd_import(name[level:], package, level)\n",
" File \"<frozen importlib._bootstrap>\", line 1030, in _gcd_import\n",
" File \"<frozen importlib._bootstrap>\", line 1007, in _find_and_load\n",
" File \"<frozen importlib._bootstrap>\", line 986, in _find_and_load_unlocked\n",
" File \"<frozen importlib._bootstrap>\", line 680, in _load_unlocked\n",
" File \"<frozen importlib._bootstrap_external>\", line 850, in exec_module\n",
" File \"<frozen importlib._bootstrap>\", line 228, in _call_with_frames_removed\n",
" File \"/var/task/TableDailyCount.py\", line 50, in <module>\n connRds = oracledb.connect(user=database_user, password=database_password, dsn=oracleDSN)\n",
" File \"/opt/python/oracledb/connection.py\", line 1000, in connect\n return conn_class(dsn=dsn, pool=pool, params=params, **kwargs)\n",
" File \"/opt/python/oracledb/connection.py\", line 128, in __init__\n impl.connect(params_impl)\n",
" File \"src/oracledb/impl/thin/connection.pyx\", line 345, in oracledb.thin_impl.ThinConnImpl.connect\n",
" File \"src/oracledb/impl/thin/connection.pyx\", line 163, in oracledb.thin_impl.ThinConnImpl._connect_with_params\n",
" File \"src/oracledb/impl/thin/connection.pyx\", line 129, in oracledb.thin_impl.ThinConnImpl._connect_with_description\n",
" File \"src/oracledb/impl/thin/connection.pyx\", line 247, in oracledb.thin_impl.ThinConnImpl._connect_with_address\n",
" File \"/opt/python/oracledb/errors.py\", line 103, in _raise_err\n raise exc_type(_Error(message)) from cause\n"
]
}
What I've tried
- Reading all the docs. I'm very technical and experienced, but fairly new to Python and Oracle.
- Copying the RDS pem root certificate into the deployment package and referencing that as the keystore - that didn't work
- I've added the RDS CA Certs to three different cacerts files within the python39 folder ( C:\Users\Me\AppData\Roaming\Python\Python39) as described on this page (you need to register for a free account to see the page)
- I've read everything I can find on the internet about this that seems relevant
- I've tried adding a wallet. I created the wallet in p12 format, added the RDS certs, converted to pem format with openssl (from memory) because the script on the oracledb page didn't work for me. I also tried putting the AWS RDS certs directly into the lambda but that didn't seem to work either. Reference the AWS certs page, ap-southeast-2-bundle.pem.
Question
- How would I get single direction TLS working?
- How do you create the ewallet.pem in the format that's required, from the AWS RDS Sydney root certificates?
Upvotes: 0
Views: 2169
Answers (1)
Tim
Reputation: 715
There was a bug in python-oracledb-1.0.1. The latest release 1.0.2 works to connect from both my PC and AWS Lambda to Oracle RDS TLS. The code above works fine.
Anthony from Oracle who posted above was amazingly helpful. Quick to reply to this question, quick with diagnosis, quick to fix the bug, and quick to release a patch. Thanks again Anthony!
Upvotes: 1
Related Questions
- Python connect to Oracle database with TCPS
- How to make a cx_oracle connection encrypted using ssl?
- Connect to Oracle Cloud Database with python oracledb
- AWS RDS oracle python connection
- Connecting to Oracle RDS
- Connect Oracle from AWS Lambda
- Accessing Oracle from AWS Lambda in Python
- Connecting to Oracle Database Using Python with cx_oracle
- Connecting to remote Oracle database using Python
- Connecting to oracle db from python