Thanks for the reply Michael.
I'm getting started and will report back on any issues I run into; this
mailing list is excellent at responding and helping troubleshoot!! So
thanks to all for that!!!
----- Original Message -----
From: "Michael Fuhr" <mike@xxxxxxxx>
To: "Jeanna Geier" <jgeier@xxxxxxxxxxxx>
Cc: <pgsql-admin@xxxxxxxxxxxxxx>
Sent: Thursday, September 14, 2006 10:01 AM
Subject: Re: [ADMIN] Beginning SSL Questions
On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
- In the docs, it says that when using SSL in Postgres "This requires
that OpenSSL is installed on both client and server systems and
that support in PostgreSQL is enabled at build time" - is this
correct?
PostgreSQL must have been built with the --with-openssl configure
option and the server needs "ssl = on" in postgresql.conf.
Or can we use the certificates and keystore file we generated using
the Jave keytool implementing SSL with Tomcat?
You can use the same certificate and key but you'll need to copy
them to your $PGDATA directory as server.crt and server.key (whether
using the same certificate and key is a good idea is an administrative
and/or security matter, but from a technical standpoint it should
work). If you want to require SSL client authentication then also
install the CA certificate(s) as root.crt. I'd suggest getting
non-authenticated SSL working first and only then set up client
authentication if you need it.
If you want to require SSL connections (authenticated or not) then
use "hostssl" in pg_hba.conf and make sure no other entry will match
a non-SSL connection.
- In perusing the mailing list, it appears that this is not going
to be a 'simple' task...any pointers that anyone can give to me
before we start? If possible, I'd like to avoid another hair-pulling
three week task! =o)
Setting up SSL is simple. Read "Secure TCP/IP Connections with
SSL," "SSL Support," and "Client Authentication" in the documentation
and follow the instructions therein.
http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
http://www.postgresql.org/docs/8.1/interactive/client-authentication.html
If you have trouble then please report what you did, what you
expected to happen, and what did happen (including client and server
error messages).
--
Michael Fuhr