Monitor SSL-enabled PostgreSQL on Amazon RDS

To monitor a PostgreSQL instance that uses SSL connections, complete the following steps.
  1. Create the .postgresql directory under the system home folder, then create a file named root.crt in that directory: /home/<name>/.postgresql/root.crt.
  2. Download the PEM file from Amazon and copy it to a local directory.
  3. Convert the PEM file to a DER file using the following openssl command:
    openssl x509 -outform der -in rds-combined-ca-bundle.pem -out rds-combined-ca-bundle.der
  4. Add the certificate to the Java keystore using the following command:
    sudo keytool -import -noprompt -trustcacerts -alias AmazonRDS -file rds-combined-ca-bundle.der -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

    You can verify that the certificate was added by running the following command:

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
  5. Restart the dbagent process to register the certificate you added.
  6. In the Controller, create a new collector for PostgreSQL.
    1. In the Custom JDBC Connection String field, enter the following JDBC string:
      jdbc:postgresql://<RDS-Hostname>:<RDS-Port>/postgres?ssl=true
    2. In the ADVANCED OPTIONS section, select Connection Properties and then specify these property details:
      Property Name    Property Value
      sslrootcert      The location of the downloaded PEM file
      sslmode          verify-full
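
Steps 3 and 4 handle one certificate: `openssl x509` reads only the first certificate in its input, so when the downloaded bundle holds more than one CA certificate the resulting DER file, and the keystore entry made from it, covers only the first. The following is an added example, not part of the original procedure, that splits a bundle into one file per certificate and imports each under its own alias (keytool accepts PEM input directly). The function names, the `AmazonRDS-` alias prefix, and the sample bundle are assumptions made for illustration.

```shell
# Added example; function names and the alias prefix are hypothetical.

# split_pem_bundle BUNDLE OUTDIR: write OUTDIR/cert-NN.pem, print the count.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1
        }
        inside { print > out }          # text between blocks is skipped
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_certs OUTDIR KEYSTORE STOREPASS: import every split certificate.
import_certs() {
    outdir=$1; keystore=$2; storepass=$3
    for pem in "$outdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        cert_alias="AmazonRDS-$(basename "$pem" .pem)"
        # Print subject and expiry so each import can be reviewed.
        openssl x509 -in "$pem" -noout -subject -enddate || return 1
        keytool -import -noprompt -trustcacerts -alias "$cert_alias" \
            -file "$pem" -keystore "$keystore" -storepass "$storepass" || return 1
    done
}

# Constructed sample: two placeholder blocks (not real certificates), enough
# to exercise the splitter offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END CERTIFICATE-----
EOF
}

# Usage (paths are examples):
#   split_pem_bundle rds-combined-ca-bundle.pem ./rds-certs
#   import_certs ./rds-certs "$JAVA_HOME/jre/lib/security/cacerts" changeit
```

After importing, the `keytool -list` command from step 4 should show one `AmazonRDS-cert-NN` entry per certificate in the bundle.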