Jeanna Geier Wrote:
- In the docs, it says that when using SSL in Postgres "This requires that OpenSSL is installed on both client and server systems and that support in PostgreSQL is enabled at build time" - is this correct? Or can we use the certificates and keystore file we generated using the Java keytool implementing SSL with Tomcat?
OpenSSL must be installed on the server and enabled at build time. OpenSSL does not have to be installed on the client. You are advised to use the OpenSSL tools to create the private/public key pair for the server, as it will then be in the correct format.

Assuming you know how to build/acquire a signed certificate that requires no pass phrase, place the certificate pair into the root data directory of PostgreSQL. The key pair should be named server.key and server.crt respectively. Make sure the permissions on these files are only readable by the postgres user account that runs the database. The line ssl=true must appear in the postgresql.conf file. A restart of the server will be required for ssl to be enabled.

Now for the Java side of things. If your certificate was signed by a recognised authority, you will need a copy of the public certificate used by the authority that signed your certificate. Place that public certificate into the Java key store. Most of the well known ones are already provided in the key store for Sun's VM. If you self signed the certificate on the server, then simply place the public part of the key pair (server.crt) into your Java key store.

The above will enable clients to connect using ssl. If you require client authentication using ssl, then you will need the public key used to sign your client side certificates. You will need to place the public key into the root data directory of PostgreSQL and it must be named root.crt. Use the pg_hba.conf file to force clients to use ssl or not.

Hope that helps.
Regards
Donald Fraser
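The server-side steps from the reply above (server.key/server.crt in the data directory, key readable only by the postgres user, ssl enabled in postgresql.conf, root.crt present when client certificates are demanded, hostssl versus host in pg_hba.conf) can be audited with a small POSIX shell script. This is an added example, not code from the thread or from PostgreSQL; the `clientcert=` pg_hba.conf option it looks for is assumed to be in use, and the sample data directories it builds are constructed placeholders, not real keys.

```shell
# check_pg_ssl DATADIR: audit a PostgreSQL data directory for the SSL setup
# described above. Prints each finding; returns 0 only if all checks pass.
check_pg_ssl() {
  dir="$1"; rc=0
  # 1. Both halves of the server key pair must be in the data directory.
  for f in server.crt server.key; do
    [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; rc=1; }
  done
  # 2. The private key must be readable by the owning (postgres) user only.
  if [ -f "$dir/server.key" ]; then
    mode=$(stat -c '%a' "$dir/server.key" 2>/dev/null || stat -f '%Lp' "$dir/server.key")
    case "$mode" in
      600|400) ;;
      *) echo "BAD PERMS server.key mode=$mode (want 600 or 400)"; rc=1 ;;
    esac
  fi
  # 3. ssl must be switched on in postgresql.conf (on/true/yes/1 all enable it).
  if ! grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(on|true|yes|1)([[:space:]]|#|$)' \
        "$dir/postgresql.conf" 2>/dev/null; then
    echo "SSL NOT ENABLED in postgresql.conf"; rc=1
  fi
  # 4. If pg_hba.conf asks for client certificates (assumed clientcert= option),
  #    root.crt, the CA that signed the client certs, must be present to verify them.
  if grep -Eq '^[[:space:]]*hostssl.*clientcert=' "$dir/pg_hba.conf" 2>/dev/null; then
    [ -f "$dir/root.crt" ] || { echo "MISSING root.crt (clientcert requested)"; rc=1; }
  fi
  # 5. Plain 'host' lines still accept unencrypted connections; hostssl forces SSL.
  if grep -Eq '^[[:space:]]*host[[:space:]]' "$dir/pg_hba.conf" 2>/dev/null; then
    echo "NOTE: 'host' lines in pg_hba.conf allow non-SSL connections"
  fi
  return $rc
}

# make_demo_dir DIR good|bad: constructed sample data directory (placeholder
# file contents, not real keys) used to exercise the checks offline.
make_demo_dir() {
  mkdir -p "$1"
  printf 'placeholder cert\n' > "$1/server.crt"
  printf 'placeholder key\n'  > "$1/server.key"
  if [ "$2" = good ]; then
    chmod 600 "$1/server.key"
    printf 'ssl = on\n' > "$1/postgresql.conf"
    printf 'hostssl all all 0.0.0.0/0 md5 clientcert=1\n' > "$1/pg_hba.conf"
    printf 'placeholder ca\n' > "$1/root.crt"
  else
    chmod 644 "$1/server.key"   # world-readable private key: a finding
    printf 'ssl = off\n' > "$1/postgresql.conf"
    printf 'host all all 0.0.0.0/0 md5\n' > "$1/pg_hba.conf"
  fi
}
```

Run it against a real cluster with `check_pg_ssl /path/to/data` as the postgres user; a non-zero exit means at least one of the steps above is not in place.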