When striving to keep information in your PostgreSQL database safe, the first thing you need to do is to encrypt all connections to it for protecting authentication credentials (usernames / passwords) and stored data from interception. This guide is intended to help you in establishing secure SSL connection to your PostgreSQL container, hosted at CirrusGrid Cloud.
Below, we’ll explore the appropriate database server adjustment, required for SSL enabling, and certificates generation for it. Then, we’ll create and add certs for client machine and, lastly, will establish secure connection to our server via pgAdmin tool. So, let’s go on!
Obviously, for this tutorial we’ll use an environment with PostgreSQL database inside – you can easily create such if you haven’t done this yet.
1. To start with, connect to your database server via CirrusGrid SSH Gate.
Tip: In case you haven’t performed similar operation before, you need to:
2. Now, in order to make it work with SSL, you need to add the following three files to the /var/lib/pgsql/data server directory:
Within this tutorial, we’ll briefly consider how you can generate them by yourselves.
Tip:
So, navigate to the mentioned folder and proceed with steps below.
3. First of all, let’s create the first file – private key:
cd /var/lib/pgsql/data openssl genrsa -des3 -out server.key 1024
During the server.key generation, you’ll be asked for a pass phrase – specify any and confirm it to finish creation.
openssl rsa -in server.key -out server.key
Re-enter pass phrase one more time for confirmation.
chmod 400 server.key chown postgres.postgres server.key
4. Now, you need to create server certificate based on your server.key file, e.g.:
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=US/ST=California/L=PaloAlto/O=Jelastic/CN=mysite.com/[email protected]'
Note: It’s required to set your personal data for the subj parameter if the certificate is intended to be used in production:
5. Since we are going to sign certs by ourselves, the generated server certificate can be used as a trusted root certificate as well, so just make its copy with the appropriate name:
cp server.crt root.crt
Now, as you have all three certificate files, you can proceed to PostgreSQL database configurations, required for SSL activation and usage.
6. Open the pg_hba.conf file, located in the same folder, for editing with any preferable terminal editor (vim for example) or directly via dashboard.
Replace its default content with the following lines:
# TYPE DATABASE USER CIDR-ADDRESS METHOD # "local" is for Unix domain socket connections only local all all trust # IPv4 local connections: host all all 127.0.0.1/32 trust # IPv4 remote connections for authenticated users hostssl all webadmin 0.0.0.0/0 md5 clientcert=1
Tip: In case you are going to work with database not as default webadmin user, change the appropriate value within the last line of the file to the required name. Note that in this case you’ll need to use the same user name for all the further commands (we’ll denote where this is required).
Save the updated file.
7. To finish configurations, you need apply some more changes to the postgresql.conf file.
Navigate to its Security and Authentication section (approximately at the 80th line) and activate SSL usage itself, through uncommenting the same-named setting and changing its value to “on”. Also, add the new ssl_ca_file parameter below:
ssl = on ssl_ca_file = 'root.crt'
Don’t forget to save these changes.
8. Lastly, restart your PostgreSQL container in order to apply new settings:
sudo service postgresql restart
Now, let’s create one more set of SSL certificate files for client instance, in order to support secure connection on both sides.
1. Return to the terminal window with SSH connection to your PostgreSQL server you’ve operated through during server setup (or reconnect to it) – you’ll need your server certificates for further actions.
Once inside, generate a private key for client (also without a pass phrase, just as it was done in the previous section), for example within the tmp directory:
openssl genrsa -des3 -out /tmp/postgresql.key 1024 openssl rsa -in /tmp/postgresql.key -out /tmp/postgresql.key
2. Next, create SSL certificate for your PostgreSQL database user (webadmin by default) and sign it with our trusted root.crt file on server.
openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=US/ST=California/L=PaloAlto/O=Jelastic/CN=webadmin' openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
Note:
3. After the files – postgresql.key, postgresql.crt, root.crt – are ready, you need to move them to to the .postgresql folder at your client machine (for that, you can use FTP add-on or just copy and paste files content).
Tip: If such directory does not exist yet, create it with mkdir ~/.postgresql or similar command according to your OS distribution.
Also, if needed, you can set the key read permission for owner only with the chmod 0400 ~/.postgresql/postgresql.key command to achieve more security.
Tip: Don’t forget to remove keys from the tmp directory on your DB server afterwards.
Eventually, after server and client configurations are done, you are ready to establish the connection. In our case, we’ll use the pgAdmin 3 tool as an example, so get this application (or any other preferred one) installed beforehand.
1. In order to connect to the DB server via SSL, you need either public IP or endpoint being attached for your PostgreSQL database container.
We’ll consider the latter case – access environment Settings, switch to the Endpoints section and Add new endpoint with the same-named button at the top pane.
2. Now, when you have an access point, run your pgAdmin 3 client and select the New Server Registration option.
In the Properties tab of the opened window, specify the following data:
The rest of the fields can be left unchanged or adjusted according your requirements.
3. Next, switch to the SSL tab and, for the same-named line, select the require option from the drop-down list.
That’s all! The required certificates will be loaded automatically during the first connection establishment, so just click OK to start managing your database via secure connection.
Now you can connect your application to database (use the Connect to Database guide as an example) and enable SSL configurations for your project to encrypt your data while fetching/transferring.
If you face any issues while configuring your SSL connection, feel free to appeal for our technical experts' assistance at Stackoverflow.
Powered by BetterDocs
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.