

Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [blog post](https://aws.amazon.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).

# Configuring security options for connections
<a name="connecting-ssl-support"></a>

Amazon Redshift supports Secure Sockets Layer (SSL) connections to encrypt data in transit, and installs a server certificate on each cluster so that a client can verify the identity of the server it connects to.

## SSL
<a name="connect-using-ssl"></a>

To support SSL connections, Amazon Redshift creates and installs an [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/) issued SSL certificate on each cluster. ACM certificates are publicly trusted by most operating systems, web browsers, and clients. You might need to download a certificate bundle if your SQL clients or applications connect to Amazon Redshift using SSL with the `sslmode` connection option set to `require`, `verify-ca`, or `verify-full`. If your client needs a certificate, Amazon Redshift provides a certificate bundle as follows:
+ Download the bundle from [https://s3.amazonaws.com/redshift-downloads/amazon-trust-ca-bundle.crt](https://s3.amazonaws.com/redshift-downloads/amazon-trust-ca-bundle.crt).
  + The expected SHA-256 checksum is 36dba8e4b8041cd14b9d60158893963301bcbb92e1c456847784de2acb5bd550.
  + The expected MD5 checksum is 418dea9b6d5d5de7a8f1ac42e164cdcf.

  Don't use the previous certificate bundle that was located at `https://s3.amazonaws.com/redshift-downloads/redshift-ca-bundle.crt`.
+ In the China AWS Regions, download the bundle from [https://s3.cn-north-1.amazonaws.com.cn/redshift-downloads-cn/amazon-trust-ca-bundle.crt](https://s3.cn-north-1.amazonaws.com.cn/redshift-downloads-cn/amazon-trust-ca-bundle.crt).
  + The expected SHA-256 checksum is 36dba8e4b8041cd14b9d60158893963301bcbb92e1c456847784de2acb5bd550.
  + The expected MD5 checksum is 418dea9b6d5d5de7a8f1ac42e164cdcf.

  Don't use the previous certificate bundles that were located at `https://s3.cn-north-1.amazonaws.com.cn/redshift-downloads-cn/redshift-ca-bundle.crt` and `https://s3.cn-north-1.amazonaws.com.cn/redshift-downloads-cn/redshift-ssl-ca-cert.pem`.

Compare the SHA-256 value when you verify the download. The MD5 value is listed for older tooling only; MD5 is not collision-resistant, so it confirms little more than that the transfer wasn't corrupted.
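The following added example (not AWS code) verifies a downloaded bundle before it is installed as `root.crt` or imported into a truststore. It checks the published SHA-256 value rather than MD5, and confirms that the file really is a PEM bundle of DER-encoded certificates rather than, for example, an HTML error page saved under the `.crt` name. The file path is taken from the command line; the digest constant is the SHA-256 value published above.

```python
"""Verify a downloaded Amazon Redshift CA bundle before trusting it.

Added example for this page, not AWS code. Checks the SHA-256 digest
published with the bundle (preferred over MD5, which is not
collision-resistant) and sanity-checks the PEM structure so that a
truncated download or an error page is rejected instead of loaded.
"""
import base64
import hashlib
import hmac
import re
from pathlib import Path

# SHA-256 published on this page for amazon-trust-ca-bundle.crt.
PUBLISHED_SHA256 = "36dba8e4b8041cd14b9d60158893963301bcbb92e1c456847784de2acb5bd550"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_hex(path: Path) -> str:
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def count_pem_certificates(path: Path) -> int:
    """Return how many well-formed PEM certificate blocks the bundle contains.

    Every block must base64-decode and start with 0x30, the ASN.1 SEQUENCE
    tag that begins each DER-encoded X.509 certificate.
    """
    text = path.read_text(encoding="ascii", errors="strict")
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError(f"{path}: no PEM certificate blocks found")
    for i, b64 in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"{path}: block {i} is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{path}: block {i} is not a DER SEQUENCE")
    return len(blocks)


def verify_bundle(path: Path, expected_sha256: str = PUBLISHED_SHA256) -> int:
    """Reject the bundle unless its digest matches; return the certificate count."""
    actual = sha256_hex(path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(
            f"{path}: SHA-256 mismatch\n  expected {expected_sha256}\n  actual   {actual}"
        )
    return count_pem_certificates(path)


if __name__ == "__main__":
    import sys

    bundle = Path(sys.argv[1] if len(sys.argv) > 1 else "amazon-trust-ca-bundle.crt")
    n = verify_bundle(bundle)
    print(f"OK: {bundle} matches the published SHA-256 and holds {n} certificates")
```

Run it as `python verify_bundle.py amazon-trust-ca-bundle.crt` right after the download; a non-zero exit with the mismatch message means the file must not be copied into the driver directory or imported with `redshift-keytool.jar`.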

**Important**  
Amazon Redshift has changed the way that SSL certificates are managed. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see [Transitioning to ACM certificates for SSL connections](connecting-transitioning-to-acm-certs.md).

By default, cluster databases accept a connection whether it uses SSL or not, so a client whose `sslmode` is `disable` or `allow` connects in plaintext. To configure your cluster to require an SSL connection, set the `require_SSL` parameter to `true` in the parameter group that is associated with the cluster. Requiring SSL on the server encrypts every connection, but only clients that set `verify-ca` or `verify-full` also authenticate the server.

Amazon Redshift supports an SSL mode that is compliant with Federal Information Processing Standard (FIPS) 140-2. FIPS-compliant SSL mode is disabled by default. 

**Important**  
Enable FIPS-compliant SSL mode only if your system is required to be FIPS-compliant.

To enable FIPS-compliant SSL mode, set both the `use_fips_ssl` parameter and the `require_SSL` parameter to `true` in the parameter group that is associated with the Amazon Redshift cluster or Redshift Serverless workgroup. For information about modifying a parameter group on a cluster, see [Amazon Redshift parameter groups](working-with-parameter-groups.md). For information about modifying a parameter group on a workgroup, see [Configuring a FIPS-compliant SSL connection to Amazon Redshift Serverless](serverless-connecting.md#serverless_secure-fips-ssl). 

Amazon Redshift supports the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key agreement protocol. With ECDHE, the client and server each generate a fresh elliptic curve public-private key pair for the session and use it to establish a shared secret over an insecure channel. Because those keys are ephemeral, a later compromise of the server's certificate key doesn't expose recorded sessions (forward secrecy). You don't need to configure anything in Amazon Redshift to enable ECDHE. If your SQL client offers ECDHE cipher suites, Amazon Redshift negotiates one from the cipher list that the client provides. For more information, see [Elliptic curve Diffie-Hellman](https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman) on Wikipedia and [Ciphers](https://www.openssl.org/) on the OpenSSL website.

## SSL and trust CA certificates in ODBC
<a name="connecting-ssl-support-odbc"></a>

If you connect using the latest Amazon Redshift ODBC drivers (version 1.3.7.1000 or later), you can skip this section. To download the latest drivers, see [Configuring a connection for ODBC driver version 2.x for Amazon Redshift](odbc20-install.md). 

You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see [SSL](#connect-using-ssl).

Verify that the bundle you downloaded matches the published checksum before you install it. Prefer the SHA-256 value: use `sha256sum` on Linux, `shasum -a 256` on macOS, or `certutil -hashfile <file> SHA256` on Windows. The MD5 value (`md5sum`) is listed for older tooling only, because MD5 is not collision-resistant.

 ODBC DSNs contain an `sslmode` setting that determines how to handle encryption for client connections and server certificate verification. Amazon Redshift supports the following `sslmode` values from the client connection: 
+ `disable`

  SSL is disabled and the connection isn't encrypted.
+ `allow`

  SSL is used only if the server requires it. Otherwise the connection isn't encrypted.
+ `prefer`

  SSL is used if the server supports it. Amazon Redshift supports SSL, so SSL is used when you set `sslmode` to `prefer`.
+ `require`

  SSL is required. The connection is encrypted, but the server certificate isn't verified, so this mode doesn't by itself protect against a man-in-the-middle that presents its own certificate.
+ `verify-ca`

  SSL must be used, and the server certificate must chain to a trusted CA. The hostname isn't checked against the certificate.
+ `verify-full`

  SSL must be used. The server certificate must be verified, and the server hostname must match the hostname attribute on the certificate. Use this mode unless you connect through a DNS alias that doesn't appear on the certificate.

You can determine whether SSL is used and server certificates are verified in a connection between the client and the server. To do this, you need to review the `sslmode` setting for your ODBC DSN on the client and the `require_SSL` setting for the Amazon Redshift cluster on the server. The following table describes the encryption result for the various client and server setting combinations: 

| Client `sslmode` | Server `require_SSL` | Result |
| --- | --- | --- |
| `disable` | `false` | The connection isn't encrypted. |
| `disable` | `true` | The connection can't be made, because the server requires SSL and the client has it disabled. |
| `allow` | `false` | The connection isn't encrypted. |
| `allow` | `true` | The connection is encrypted. |
| `prefer` or `require` | `false` or `true` | The connection is encrypted. The server certificate isn't verified. |
| `verify-ca` | `false` or `true` | The connection is encrypted and the server certificate is verified. |
| `verify-full` | `false` or `true` | The connection is encrypted, and the server certificate and hostname are verified. |
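As an added example (not AWS code), the script below turns the combinations above into a check you can run against a parameter group before flipping `require_SSL`: it reads the JSON shape returned by `aws redshift describe-cluster-parameters`, reports inconsistent settings (including `use_fips_ssl` set without `require_SSL`), produces the `--parameters` payload that fixes them, and predicts which client DSNs would break and which would still skip server authentication. The response and the client DSN list are constructed samples, not a live account.

```python
"""Audit a parameter group's SSL settings and predict each client's outcome.

Added example for this page, not AWS code. The input has the JSON shape that
`aws redshift describe-cluster-parameters` returns; the values below are a
constructed sample, not a live response, and the client DSN list is
hypothetical. The outcome rules are the sslmode/require_SSL combinations
described in this section.
"""
import json

# Constructed sample: only the fields this check reads are shown. The group
# has FIPS mode turned on but still leaves require_ssl at its default.
SAMPLE_RESPONSE = json.loads("""
{"Parameters": [
  {"ParameterName": "require_ssl",  "ParameterValue": "false", "Source": "engine-default", "ApplyType": "static"},
  {"ParameterName": "use_fips_ssl", "ParameterValue": "true",  "Source": "user",           "ApplyType": "static"}
]}
""")

# Hypothetical ODBC DSN sslmode settings for three client applications.
SAMPLE_CLIENTS = {"legacy-etl": "disable", "bi-dashboards": "require", "risk-batch": "verify-full"}

VERIFYING_MODES = {"verify-ca", "verify-full"}


def ssl_parameters(response: dict) -> dict:
    """Extract require_ssl and use_fips_ssl as booleans (both default to false)."""
    flags = {p["ParameterName"].lower(): p["ParameterValue"].lower() == "true"
             for p in response["Parameters"]}
    return {"require_ssl": flags.get("require_ssl", False),
            "use_fips_ssl": flags.get("use_fips_ssl", False)}


def audit_parameter_group(response: dict) -> list:
    """Return human-readable findings; an empty list means the group is consistent."""
    p = ssl_parameters(response)
    findings = []
    if not p["require_ssl"]:
        findings.append("require_ssl is false: clients with sslmode disable or allow connect in plaintext")
    if p["use_fips_ssl"] and not p["require_ssl"]:
        findings.append("use_fips_ssl is true but require_ssl is false: both must be true for FIPS-compliant SSL mode")
    return findings


def remediation(response: dict) -> list:
    """Parameters list for modify-cluster-parameter-group that turns require_ssl on.

    ApplyType is copied from the server's own description of the parameter.
    """
    if ssl_parameters(response)["require_ssl"]:
        return []
    apply_type = next((p.get("ApplyType") for p in response["Parameters"]
                       if p["ParameterName"].lower() == "require_ssl"), None)
    fix = {"ParameterName": "require_ssl", "ParameterValue": "true"}
    if apply_type:
        fix["ApplyType"] = apply_type
    return [fix]


def connection_outcome(sslmode: str, require_ssl: bool) -> str:
    """Encryption result for one client/server combination."""
    if sslmode == "disable":
        return "refused" if require_ssl else "plaintext"
    if sslmode == "allow":
        return "encrypted, server not authenticated" if require_ssl else "plaintext"
    if sslmode in ("prefer", "require"):
        return "encrypted, server not authenticated"
    if sslmode == "verify-ca":
        return "encrypted, server certificate verified"
    if sslmode == "verify-full":
        return "encrypted, server certificate and hostname verified"
    raise ValueError(f"unknown sslmode {sslmode!r}")


def impact_of_requiring_ssl(clients: dict) -> dict:
    """For each client: outcome with require_ssl false vs. true, to spot who breaks."""
    return {name: (connection_outcome(mode, False), connection_outcome(mode, True))
            for name, mode in clients.items()}


def unauthenticated_clients(clients: dict) -> list:
    """Clients whose sslmode never authenticates the server, whatever the server setting."""
    return sorted(name for name, mode in clients.items() if mode not in VERIFYING_MODES)


if __name__ == "__main__":
    for finding in audit_parameter_group(SAMPLE_RESPONSE):
        print("FINDING:", finding)
    print("remediation --parameters:", json.dumps(remediation(SAMPLE_RESPONSE)))
    for name, (before, after) in impact_of_requiring_ssl(SAMPLE_CLIENTS).items():
        print(f"{name:14s} now: {before:38s} after require_ssl=true: {after}")
    print("never authenticate the server:", unauthenticated_clients(SAMPLE_CLIENTS))
```

The `remediation` output is the value to pass as `--parameters` to `aws redshift modify-cluster-parameter-group`; the client list is the part you would replace with an inventory of your own DSNs, since the clients flagged as `refused` are the ones that need their `sslmode` raised before the server change goes in.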

### Connect using the server certificate with ODBC on Microsoft Windows
<a name="connecting-ssl-support-odbc-with-cert"></a>

 If you want to connect to your cluster using SSL and the server certificate, first download the certificate to your client computer or Amazon EC2 instance. Then configure the ODBC DSN. 

1.  Download the Amazon Redshift certificate authority bundle to your client computer, into the `lib` folder in your driver installation directory, and save the file as `root.crt`. For download information, see [SSL](#connect-using-ssl).

1.  Open **ODBC Data Source Administrator**, and add or edit the system DSN entry for your ODBC connection. For **SSL Mode**, select `verify-full` unless you connect through a DNS alias. If you connect through a DNS alias that doesn't appear on the certificate, select `verify-ca`, which checks the certificate chain but not the hostname. Then choose **Save**.

    For more information about configuring the ODBC DSN, see [Configuring a connection for ODBC driver version 2.x for Amazon Redshift](odbc20-install.md). 

## SSL and server certificates in Java
<a name="connecting-ssl-support-java"></a>

SSL provides one layer of security by encrypting data that moves between your client and cluster. Using a server certificate provides an extra layer by validating that the endpoint you reached is your Amazon Redshift cluster and not an impostor. It does so by checking the server certificate that is automatically installed on all clusters that you provision. For more information about using server certificates with JDBC, see [Configuring the client](https://jdbc.postgresql.org/documentation/ssl/#configuring-the-client) in the PostgreSQL documentation.

### Connect using trust CA certificates in Java
<a name="connecting-ssl-support-java-with-cert"></a>

**Important**  
Amazon Redshift has changed the way that SSL certificates are managed. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL. For more information, see [SSL](#connect-using-ssl).

**To connect using trust CA certificates**

You can use the `redshift-keytool.jar` file to import CA certificates in the Amazon Redshift Certificate Authority bundle into a Java TrustStore or your private TrustStore.

1. If you use the Java command line `-Djavax.net.ssl.trustStore` option, remove it from the command line, if possible.

1. Download [redshift-keytool.jar](https://s3.amazonaws.com/redshift-downloads/redshift-keytool.jar).

1. Do one of the following:
   + To import the Amazon Redshift Certificate Authority bundle into a Java TrustStore, run the following command. 

     ```
     java -jar redshift-keytool.jar -s
     ```
   + To import the Amazon Redshift Certificate Authority bundle into your private TrustStore, run the following command: 

     ```
     java -jar redshift-keytool.jar -k <your_private_trust_store> -p <keystore_password> 
     ```

# Transitioning to ACM certificates for SSL connections
<a name="connecting-transitioning-to-acm-certs"></a>

Amazon Redshift is replacing the SSL certificates on your clusters with [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/) issued certificates. ACM issues these certificates from Amazon Trust Services, a public certificate authority (CA) that is trusted by most current systems. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL.

This change affects you only if all of the following apply:
+ Your SQL clients or applications connect to Amazon Redshift clusters using SSL with the `sslMode` connection option set to `require`, `verify-ca`, or `verify-full`.
+ You aren't using the Amazon Redshift ODBC or JDBC drivers, or you use Amazon Redshift drivers before ODBC version 1.3.7.1000 or JDBC version 1.2.8.1005. 

Amazon Redshift transitioned clusters in commercial AWS Regions to ACM certificates by October 23, 2017. If this change affects you in those Regions, you must update your current trust root CA certificates to continue connecting over SSL. The change has little or no effect on your cluster's performance or availability.

If this change affects you in AWS GovCloud (US) Regions, then you must update your current trust root CA certificates before April 1, 2020 to avoid service interruption. Beginning on that date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted CAs to confirm the identity of the Amazon Redshift cluster when they connect to it. You must update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.

**Important**  
In the China (Beijing) and China (Ningxia) Regions, Amazon Redshift replaced the SSL certificates on clusters with AWS Certificate Manager (ACM) issued certificates on January 5, 2021. If this change affects you in those Regions, you must update your current trust root CA certificates before that date to avoid service interruption. Beginning on that date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted CAs to confirm the identity of the Amazon Redshift cluster when they connect to it. You must update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.
+ [Using the latest Amazon Redshift ODBC or JDBC drivers](#connecting-transitioning-to-acm-latest-odbc-jdbc)
+ [Using earlier Amazon Redshift ODBC or JDBC drivers](#connecting-transitioning-to-acm-earlier-odbc-jdbc)
+ [Using other SSL connection types](#connecting-transitioning-to-acm-other-ssl-types)

## Using the latest Amazon Redshift ODBC or JDBC drivers
<a name="connecting-transitioning-to-acm-latest-odbc-jdbc"></a>

The preferred method is to use the latest Amazon Redshift ODBC or JDBC drivers. Amazon Redshift drivers beginning with ODBC version 1.3.7.1000 and JDBC version 1.2.8.1005 automatically manage the transition from an Amazon Redshift self-signed certificate to an ACM certificate. To download the latest drivers, see [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md). 

If you use the latest Amazon Redshift JDBC driver, it's best not to use `-Djavax.net.ssl.trustStore` in JVM options. If you must use `-Djavax.net.ssl.trustStore`, import the Redshift certificate authority bundle into the truststore it points to. For download information, see [SSL](connecting-ssl-support.md#connect-using-ssl). For more information, see [Importing the Amazon Redshift certificate authority bundle into a TrustStore](#importing-the-acm-bundle-to-truststore).

## Using earlier Amazon Redshift ODBC or JDBC drivers
<a name="connecting-transitioning-to-acm-earlier-odbc-jdbc"></a>
If you must use an Amazon Redshift ODBC driver before version 1.3.7.1000, then do one of the following:
+ If your ODBC DSN is configured with `SSLCertPath`, overwrite the certificate file in the specified path with the downloaded Amazon Redshift certificate authority bundle.
+ If `SSLCertPath` isn't set, then overwrite the certificate file named `root.crt` in the driver DLL location with the bundle.

If you must use an Amazon Redshift JDBC driver before version 1.2.8.1005, then do one of the following:
+ If your JDBC connection string uses the `sslCert` option, remove the `sslCert` option. Then import the Redshift certificate authority bundle to your Java TrustStore. For download information, see [SSL](connecting-ssl-support.md#connect-using-ssl). For more information, see [Importing the Amazon Redshift certificate authority bundle into a TrustStore](#importing-the-acm-bundle-to-truststore). 
+ If you use the Java command line `-Djavax.net.ssl.trustStore` option, remove it from the command line, if possible. Then import the Redshift certificate authority bundle to your Java TrustStore. For download information, see [SSL](connecting-ssl-support.md#connect-using-ssl). For more information, see [Importing the Amazon Redshift certificate authority bundle into a TrustStore](#importing-the-acm-bundle-to-truststore).

### Importing the Amazon Redshift certificate authority bundle into a TrustStore
<a name="importing-the-acm-bundle-to-truststore"></a>

You can use `redshift-keytool.jar` to import CA certificates in the Amazon Redshift Certificate Authority bundle into a Java TrustStore or your private truststore.

**To import the Amazon Redshift certificate authority bundle into a TrustStore**

1. Download [redshift-keytool.jar](https://s3.amazonaws.com/redshift-downloads/redshift-keytool.jar).

1. Do one of the following:
   + To import the Amazon Redshift Certificate Authority bundle into a Java TrustStore, run the following command. 

     ```
     java -jar redshift-keytool.jar -s
     ```
   + To import the Amazon Redshift Certificate Authority bundle into your private TrustStore, run the following command: 

     ```
     java -jar redshift-keytool.jar -k <your_private_trust_store> -p <keystore_password> 
     ```

## Using other SSL connection types
<a name="connecting-transitioning-to-acm-other-ssl-types"></a>

Follow the steps in this section if you connect using any of the following:
+  Open source ODBC driver 
+  Open source JDBC driver 
+  The [Amazon Redshift RSQL](https://docs.aws.amazon.com/redshift/latest/mgmt/rsql-query-tool.html) command line interface 
+  Any language bindings based on libpq, such as psycopg2 (Python) and ruby-pg (Ruby) 

**To use ACM certificates with other SSL connection types:**

1.  Download the Amazon Redshift certificate authority bundle. For download information, see [SSL](connecting-ssl-support.md#connect-using-ssl).

1. Place the certificates from the bundle in your `root.crt` file. 
   + On Linux and macOS operating systems, the file is `~/.postgresql/root.crt`.
   + On Microsoft Windows, the file is `%APPDATA%\postgresql\root.crt`.
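To confirm that a libpq-style client will get what the `sslmode` it is configured with promises, the following added example (not AWS or PostgreSQL project code) reproduces the two steps such a client performs: it sends the PostgreSQL `SSLRequest` message on the plain socket, reads the server's one-byte answer, and then completes a TLS handshake with Python's standard `ssl` module at the verification level that `require`, `verify-ca` or `verify-full` implies, trusting only the bundle you downloaded when a path is given. The report includes the negotiated protocol and cipher, which on TLS 1.2 shows the ECDHE key exchange described earlier in this page (on TLS 1.3 the key exchange is always ephemeral and no longer appears in the cipher name). The endpoint hostname, port and bundle path are assumptions supplied on the command line.

```python
"""Probe a Redshift endpoint the way a libpq-based client negotiates TLS.

Added example for this page, not AWS or PostgreSQL project code. Sends the
8-byte SSLRequest on the plain socket, reads the server's answer ('S' = start
TLS, 'N' = no TLS), then completes a TLS handshake with the verification level
that the libpq sslmode names imply. Hostname, port and bundle path are
assumptions taken from the command line.
"""
import json
import socket
import ssl
import struct
import sys
from typing import Optional

# PostgreSQL wire protocol SSLRequest: Int32 length 8, then the code 80877103
# (1234 in the high 16 bits, 5679 in the low 16 bits).
SSL_REQUEST_CODE = 80877103
REDSHIFT_PORT = 5439


def ssl_request_message() -> bytes:
    """The exact 8 bytes a libpq client sends before any TLS traffic."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def server_accepts_tls(reply: bytes) -> bool:
    """Interpret the server's one-byte answer to SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")


def make_ssl_context(sslmode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Translate the TLS-requiring sslmode values into what the TLS layer enforces.

    With cafile set, only that bundle is trusted (like libpq's root.crt); with
    cafile None the OS trust store is used, which works for ACM-issued
    certificates because they chain to publicly trusted roots.
    """
    if sslmode not in ("require", "verify-ca", "verify-full"):
        raise ValueError(f"{sslmode!r} does not force TLS; use require, verify-ca or verify-full")
    ctx = ssl.create_default_context(cafile=cafile)
    if sslmode == "require":
        ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
        ctx.verify_mode = ssl.CERT_NONE  # encrypted, but any certificate is accepted
    elif sslmode == "verify-ca":
        ctx.check_hostname = False       # chain is checked, hostname is not
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.check_hostname = True        # verify-full: chain and hostname
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host: str, port: int = REDSHIFT_PORT, sslmode: str = "verify-full",
          cafile: Optional[str] = None) -> dict:
    """Run the SSLRequest exchange, then the handshake; report what the server presented."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(ssl_request_message())
        if not server_accepts_tls(raw.recv(1)):
            return {"tls": False}  # the server does not offer TLS at all
        ctx = make_ssl_context(sslmode, cafile)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # empty dict when verify_mode is CERT_NONE
            return {
                "tls": True,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": [rdn[0][1] for rdn in cert.get("issuer", ())],
                "san": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
            }


if __name__ == "__main__":
    host = sys.argv[1]
    mode = sys.argv[2] if len(sys.argv) > 2 else "verify-full"
    bundle = sys.argv[3] if len(sys.argv) > 3 else None
    print(json.dumps(probe(host, sslmode=mode, cafile=bundle), indent=2))
```

Run it as `python probe.py <cluster-endpoint> verify-full ~/.postgresql/root.crt`. A handshake failure in `verify-full` that succeeds in `verify-ca` means the hostname you connect to is not on the certificate (for example, a DNS alias); a failure in `verify-ca` that succeeds in `require` means the bundle you installed does not contain the CA that issued the cluster's certificate, which is the symptom of the ACM transition described in the next section.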