我试图使用Python oracledb库(cx_oracle的继任者)使用TLS从AWS Lambda连接到RDS Oracle。我可能想要使用双向TLS,但即使是单向TLS也可以。我需要一些帮助。
我能做的:
- 我可以在本地PC上使用TLS与SQL Developer连接到RDS Oracle。我必须将AWS RDS 2019根证书添加到Java密钥库中。我不需要使用Oracle钱包。
- 我可以在瘦模式下使用Python -oracledb连接未加密的Lambda Python 3.9到Oracle RDS
- 我可以在瘦模式下使用Python -oracledb从PC上的Python连接未加密的Oracle RDS
注意到这不是防火墙的问题,我已经在AWS中打开了正确的端口。
下面是代码的基础,它与Oracle的示例非常相似。
import oracledb
import sys
import boto3
# When creating the Lambda function, ensure the following setting for LD_LIBRARY_PATH
def lambda_handler(event, context):
ssm_parameter = boto3.client('ssm')
# Unencrypted connection works fine
# oracleDSN = "dbname.accountstring.ap-southeast-2.rds.amazonaws.com:2484/servicename"
oracleDSN = '''(description= (retry_count=3)(retry_delay=1)(address=(protocol=tcps)
(port=2484)(host=dbname.accountstring.ap-southeast-2.rds.amazonaws.com))(connect_data=(service_name=servicename))
(security=(ssl_server_cert_dn="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=dbname.accountstring.ap-southeast-2.rds.amazonaws.com")))'''
connRds = oracledb.connect(user=database_user, password=database_password, dsn=oracleDSN)
下面是lambda输出的错误信息(#代替敏感信息)
Response
{
"errorMessage": "DPY-6005: cannot connect to database. Connection failed with "[SSL] internal error (_ssl.c:2633)"",
"errorType": "OperationalError",
"requestId": "",
"stackTrace": [
" File "/var/lang/lib/python3.9/importlib/__init__.py", line 127, in import_modulen return _bootstrap._gcd_import(name[level:], package, level)n",
" File "<frozen importlib._bootstrap>", line 1030, in _gcd_importn",
" File "<frozen importlib._bootstrap>", line 1007, in _find_and_loadn",
" File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlockedn",
" File "<frozen importlib._bootstrap>", line 680, in _load_unlockedn",
" File "<frozen importlib._bootstrap_external>", line 850, in exec_modulen",
" File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removedn",
" File "/var/task/TableDailyCount.py", line 50, in <module>n connRds = oracledb.connect(user=database_user, password=database_password, dsn=oracleDSN)n",
" File "/opt/python/oracledb/connection.py", line 1000, in connectn return conn_class(dsn=dsn, pool=pool, params=params, **kwargs)n",
" File "/opt/python/oracledb/connection.py", line 128, in __init__n impl.connect(params_impl)n",
" File "src/oracledb/impl/thin/connection.pyx", line 345, in oracledb.thin_impl.ThinConnImpl.connectn",
" File "src/oracledb/impl/thin/connection.pyx", line 163, in oracledb.thin_impl.ThinConnImpl._connect_with_paramsn",
" File "src/oracledb/impl/thin/connection.pyx", line 129, in oracledb.thin_impl.ThinConnImpl._connect_with_descriptionn",
" File "src/oracledb/impl/thin/connection.pyx", line 247, in oracledb.thin_impl.ThinConnImpl._connect_with_addressn",
" File "/opt/python/oracledb/errors.py", line 103, in _raise_errn raise exc_type(_Error(message)) from causen"
]
}
What I've try
- 阅读所有的文档。我非常有技术和经验,但对Python和Oracle相当陌生。
- 将RDS pem根证书复制到部署包中,并将其作为密钥库引用—这不起作用
- 我已经将RDS CA证书添加到python39文件夹中的三个不同的cacerts文件中(C:UsersMeAppDataRoamingPython python39),如本页所述(您需要注册一个免费帐户才能查看该页)
- 我已经在网上读了所有我能找到的相关的东西 我试过加钱包了。我创建了钱包在p12格式,添加了RDS确实的事情,转换为pem格式openssl(从内存),因为脚本oracledb页面没有为我工作。我还尝试将AWS RDS证书直接放入lambda中,但这似乎也不起作用。参考AWS证书页面ap- southeastern -2-bundle.pem。
问题
- 我如何获得单向TLS工作?
- 如何创建电子钱包?从AWS RDS悉尼根证书中获取所需格式的pem ?
python-oracledb-1.0.1有一个bug。最新版本1.0.2可以从我的PC和AWS Lambda连接到Oracle RDS TLS。上面的代码运行良好。
Oracle的Anthony在上面的帖子非常有帮助。快速回答这个问题,快速诊断,快速修复bug,快速发布补丁。再次感谢安东尼!