Skip to main content

PostgreSQL with SSL auth (Java client)

PostgreSQL Server

1. Generate certificates

Download easyrsa2 from github and extract it
 
# ./easyrsa build-ca
# ./easyrsa build-server-full postgresql-server
# ./easyrsa build-client-full postgresql-client
 
This will generate ca.crt in pki folder, postgres-server.crt, postgres-client.crt in pki/issued folder and postgres-server.key and postgres-client.key in pki/private folder.
 
PostgreSQL JDBC library cannot read .key file, which is why we have to convert the key to DER format (.pk8) file.
 
openssl pkcs8 -topk8 -outform DER -in postgres-client.key -out postgres-client.key.pk8 -nocrypt 
 
Give proper unix permissions to the certificates and keys, for eg.
 
# chown postgres:postgres postgres-server.key 
# chown postgres:postgres postgres-server.crt
# chmod go-r postgres-server.key
  

2. Edit postgresql.conf

ssl = on         
ssl_cert_file = '/opt/postgres-sec/postgres-server.crt'   
ssl_key_file = '/opt/postgres-sec/postgres-server.nopass.key'
ssl_ca_file = '/opt/postgres-sec/ca.crt'

2. Edit pg_hba.conf

On PostgreSQL > 12.0
 
hostssl    all     all      0.0.0.0/0     cert
 
On PostgreSQL < 12.0
 
hostssl    all     all      0.0.0.0/0     cert     clientcert=verify-ca
 
This will allow only remote machines with ssl turned on to connect to the server with a password and a valid certificate without verifying 'cn' attribute in the certificate with the hostname. More details on pg_hba.conf file and options supported are available here.
 
Note that, in older PostgreSQL servers, the only option is full certificate verification including cn. So, make sure that your client certificate has cn equal to your username.

Java Client

Using ConnectionPooling (Apache DBCP2)



Using Plain JDBC


Labels:
Location: Kurla, Mumbai, Maharashtra, India

Comments

Post a Comment

Popular posts from this blog

Multimaster replication with Symmetric DS

Symmetric DS is an awesome tool for trigger based replication whcih works for all major database vendors, including but not limited to PostgreSQL, MySQL, MSSQL, Oracle and many others. Symmetric-DS is a java application and can execute on any platform on whcih JRE is available including Windows and Linux. Trigger based replication, in constrast to disk based (eg. DRBD ) or transaction log file shipping based or statement based , works by registering triggers on DMLs and sending the data thus generated to remote machines. Another very popular trigger based DB replication tool is Slony . Symmetric-DS in addition to being database agnostic also supports multi-master replication (MMR). MMR usecase involves multiple database nodes, connected in a pool with DML updates coming from any of them. This is different from the normal master-slave replication, where slaves are not expected to generate any data events, and the sole authority of database is the master. MMR requirement causes d...
1 comment
Read more

Reset root password RHEL/Rocky/CentOS 9

Unlike the earlier versions of Rethat variants, version 9 doesn't allow single user mode to change password, as maintanance mode in 9 requires root password . Single user mode (runlevel 1) can easily be obtained by appending the word ' single ' at the end of the line starting with 'linux' by editing the entry in boot menu by pressing ' e ' at boot menu. To reset the root password on the other hand, one requires to follow a specific set of commands, At the boot menu, edit rescue mode to append 'rd.break ' at the end of the line starting with kernel. Boot with the edited line by pressing Ctrl+X or F10. At the new prompt starting with switch_root, type the following commands, mount -o remount, rw /sysroot chroot /sysroot touch /.autorelabel passwd <new root password> exit reboot       
Post a Comment
Read more

Devstack installation with cells in multiple machines

  Devstack is a testing and development package for OpenStack . The official devstack website has excellent but terse installation instructions, which could be daunting to a newbie. Normally, a traditional install is pretty straightforward but problems creep in when you have to go for some particular configuration or installation like cells or a simple code-test-debug setup, the information on the main site is insufficient. In this blog, I will enumerate the steps for setting up a cell-ular devstack installation with one parent and one child. Parent will not be instantiating any VMs s it's only a 'command centre'. 1. On both machines, install git and vim, clone the devstack repo using git. yum install git vim git clone https://git.openstack.org/openstack-dev/devstack 2. On both machines, open up the file 'local.conf' inside the cloned directory 'devstack' cd devstack; vim local.conf 3. Copy the parameters below to the file...
1 comment
Read more