Configure encryption for source database connections

The following sections describe the steps to configure SSL/TLS encryption for your source network connections.

Encrypt connections to self-hosted Oracle databases

The following sections contain details to help you configure SSL/TLS encryption for connections to self-hosted Oracle sources.

Use TLS variant

To use TLS encryption for connections to a self-hosted source, do the following:

  1. Obtain an SSL/TLS certificate signed by a trusted Certificate Authority (CA). Consult your organization's policies to make sure you use the right channels to get the certificate. Make sure you save the x509 PEM-encoded root CA certificate that signs your server certificate. You need to provide it for the source connection profile in Database Migration Service.

    It is possible to use self-signed certificates for this purpose (for example, certificates generated with the openssl command-line tool), but we don't recommend them for production use. Your security systems might flag self-signed certificates as a vulnerability.

  2. Configure TLS authentication on your source Oracle database. For more information, see Configuring a Transport Layer Security Connection without a Client Wallet in the Oracle documentation.
  3. At a later stage, when you create the source connection profile, do the following:
    1. Select TLS for the encryption type.
    2. In the Source CA certificate section, click Browse and upload the x509 PEM-encoded root CA certificate that signs your server certificate.

Encrypt connections to Amazon RDS for Oracle

The following sections contain details to help you configure SSL/TLS encryption for connections to Amazon RDS for Oracle sources.

Use TLS variant

To use TLS encryption for connections to Amazon RDS for Oracle, do the following:

  1. Enable the Oracle SSL encryption option on your Amazon RDS Oracle source database. For more information, see Using SSL with an RDS for Oracle DB instance in the Amazon RDS documentation.
  2. Download the x509 PEM-encoded root CA certificate that signs your server certificate. This certificate is included in the certificate bundles provided by AWS. For more information, see Download certificate bundles in the Amazon RDS documentation.
  3. At a later stage, when you create the source connection profile, do the following:
    1. Select TLS for the encryption type.
    2. In the Source CA certificate section, click Browse and upload the x509 PEM-encoded root CA certificate you downloaded in the certificate bundle.
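
Both procedures above end with uploading one PEM file as the Source CA certificate. The shell functions below are an added example, not part of the Database Migration Service documentation, that check such a file with the openssl CLI before upload. The function names, the return codes, the one-certificate-per-file rule and the throwaway certificates generated by make_constructed_pki are assumptions of this example.

```shell
#!/bin/sh
# Added example. Requires the openssl CLI (1.1.0 or later for -no-CApath).

# check_root_ca CA_PEM [SERVER_PEM]
# Returns 0 = all checks pass, 1 = not exactly one certificate in the file,
# 2 = expired, 3 = not a self-signed root, 4 = not marked CA:TRUE,
# 5 = does not sign SERVER_PEM.
check_root_ca() {
  ca=$1; server=${2:-}
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca") || true
  [ "$n" = 1 ] || { echo "found $n certificates, expected 1" >&2; return 1; }
  openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired or is unreadable" >&2; return 2; }
  # A root verifies against itself; an intermediate or leaf does not.
  # -no-CApath keeps the system trust directory out of the decision.
  openssl verify -no-CApath -CAfile "$ca" "$ca" >/dev/null 2>&1 ||
    { echo "not a self-signed root certificate" >&2; return 3; }
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
    { echo "basicConstraints CA:TRUE is missing" >&2; return 4; }
  if [ -n "$server" ]; then
    openssl verify -no-CApath -CAfile "$ca" "$server" >/dev/null 2>&1 ||
      { echo "this root does not sign $server" >&2; return 5; }
  fi
  return 0
}

# make_constructed_pki DIR
# Writes a throwaway root (DIR/ca.pem) and a server certificate it signs
# (DIR/srv.pem). Constructed sample data for testing the check only.
make_constructed_pki() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' 'CN=Constructed Test Root' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj '/CN=db.example.internal' \
    -keyout "$1/srv.key" -out "$1/srv.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/srv.pem" >/dev/null 2>&1
}

# Demo on constructed certificates.
demo=$(mktemp -d) && make_constructed_pki "$demo" &&
  check_root_ca "$demo/ca.pem" "$demo/srv.pem" && echo "root CA file passes"
rm -rf "$demo"
```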