On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
> - In the docs, it says that when using SSL in Postgres "This requires
> that OpenSSL is installed on both client and server systems and
> that support in PostgreSQL is enabled at build time" - is this
> correct?

PostgreSQL must have been built with the --with-openssl configure option
and the server needs "ssl = on" in postgresql.conf.

> Or can we use the certificates and keystore file we generated using
> the Java keytool implementing SSL with Tomcat?

You can use the same certificate and key but you'll need to copy them to
your $PGDATA directory as server.crt and server.key (whether using the
same certificate and key is a good idea is an administrative and/or
security matter, but from a technical standpoint it should work). If you
want to require SSL client authentication then also install the CA
certificate(s) as root.crt. I'd suggest getting non-authenticated SSL
working first and only then set up client authentication if you need it.

If you want to require SSL connections (authenticated or not) then use
"hostssl" in pg_hba.conf and make sure no other entry will match a
non-SSL connection.

> - In perusing the mailing list, it appears that this is not going
> to be a 'simple' task...any pointers that anyone can give to me
> before we start? If possible, I'd like to avoid another hair-pulling
> three week task! =o)

Setting up SSL is simple. Read "Secure TCP/IP Connections with SSL,"
"SSL Support," and "Client Authentication" in the documentation and
follow the instructions therein.

http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
http://www.postgresql.org/docs/8.1/interactive/client-authentication.html

If you have trouble then please report what you did, what you expected
to happen, and what did happen (including client and server error
messages).

-- 
Michael Fuhr
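The two checks Michael's reply asks for ("ssl = on" in postgresql.conf, and no pg_hba.conf entry that would still match a non-SSL TCP connection ahead of the hostssl lines) can be scripted. The following is an added example, not code from the thread or from PostgreSQL; the two config files it parses are constructed samples, and the second sample deliberately contains a plain "host" line that defeats the hostssl line after it, since pg_hba.conf is matched first-entry-wins.

```python
"""Audit a PostgreSQL SSL setup for the two mistakes discussed in the thread."""
import re

# Constructed sample pg_hba.conf. Line 3 accepts any TCP client, SSL or not,
# and is consulted before the hostssl entry on line 4.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    ident sameuser
host    all       all   127.0.0.1/32     md5
hostssl all       all   10.0.0.0/8       md5
host    all       all   0.0.0.0/0        reject
"""

# Constructed sample postgresql.conf.
SAMPLE_POSTGRESQL_CONF = """\
#ssl = off
ssl = on   # enabled for this sample
port = 5432
"""

def parse_hba(text):
    """Return pg_hba.conf records as dicts, skipping comments and blank lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rec = {"line": lineno, "type": f[0], "database": f[1], "user": f[2]}
        if f[0] == "local":                       # no ADDRESS column
            rec["address"], rec["method"] = None, f[3]
        elif len(f) > 5 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[4]):
            rec["address"], rec["method"] = f[3] + " " + f[4], f[5]  # IP + netmask form
        else:
            rec["address"], rec["method"] = f[3], f[4]             # CIDR form
        records.append(rec)
    return records

def non_ssl_tcp_entries(text):
    """Entries that would accept a non-SSL TCP connection (first match wins,
    so a 'host' line above a 'hostssl' line is still reachable)."""
    return [r for r in parse_hba(text)
            if r["type"] in ("host", "hostnossl") and r["method"] != "reject"]

def ssl_enabled(conf_text):
    """True if the last uncommented 'ssl = ...' in postgresql.conf turns SSL on."""
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ssl\s*=\s*'?(\w+)'?$", line)
        if m:
            enabled = m.group(1).lower() in ("on", "true", "yes", "1")
    return enabled
```

Running `non_ssl_tcp_entries(SAMPLE_PG_HBA)` reports only line 3; the final `reject` line is a catch-all rather than an accepting entry.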