Greetings,

* Raj kumar (rajkumar820999@xxxxxxxxx) wrote:
> 1) The encryption support means that the encryption between the Client and
> the Server over the network, which was previously possible only through SSL
> or previously, not encrypted at all. Now, instead of SSL, we can change
> pg_hba.conf with the parameters "hostgssenc" and "hostnogssenc" to support
> encryption over the network directly using gssapi.

Yes.

> 2) We need to have a client server, a service server and a Key Distribution
> Center Server which should have Kerberos installed in it. Kerberos is
> available as opensource.

Not sure what you mean by 'client server' and 'service server' here, but, yes, you do need a client, a PG server, and a KDC. There are multiple Kerberos implementations available as open source - MIT Kerberos and Heimdal are the popular ones.

> Please help me if my understanding is correct and let me know about the
> major improvement on this feature with PG12. I have referred Documentation
> and some blogs. But, couldn't get the right picture. Your reply is
> appreciable.

As usual, you'll want to run the most recent minor version of PG, particularly when working with new features. We've had a few issues in the GSSAPI encryption which have been fixed in the latest PG12 minor release (12.3).

Generally speaking, if you've got a Kerberos environment and have PG working with Kerberos, GSSAPI encryption will just start happening, though it is recommended to use the 'hostgssenc' lines on the server side pg_hba.conf, as you mention, and on the client side set 'gssencmode=require' on the client, to ensure the communication will be using GSSAPI encryption (the default is only 'prefer', similar to SSL).

Thanks,

Stephen
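An added example, not part of the original message and not PostgreSQL's own code: a small Python check that lists pg_hba.conf records which could still admit a TCP connection without GSSAPI encryption, the gap the 'hostgssenc' recommendation above is meant to close. The sample file is constructed, the function names are hypothetical, and the parser assumes unquoted fields and no include directives.

```python
import ipaddress

# Record types that can match TCP connections not protected by GSSAPI
# encryption ("host" matches both encrypted and unencrypted connections).
NON_GSSENC_TYPES = {"host", "hostssl", "hostnossl", "hostnogssenc"}

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per TCP record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank, comment, "local" or malformed line
        rtype, db, user, addr = fields[:4]
        rest = fields[4:]
        # Old-style "IP-address IP-mask" form: the mask is a separate field.
        try:
            ipaddress.ip_address(rest[0])
            addr, rest = f"{addr} {rest[0]}", rest[1:]
        except ValueError:
            pass
        if rest:
            yield lineno, rtype, db, user, addr, rest[0]

def non_gssenc_findings(text):
    """Return records that can admit a connection without GSSAPI encryption."""
    return [r for r in parse_hba(text)
            if r[1] in NON_GSSENC_TYPES and r[5] != "reject"]

# Constructed sample file, not taken from the thread.
SAMPLE_HBA = """\
# TYPE        DATABASE  USER  ADDRESS                    METHOD
local         all       all                              peer
hostgssenc    all       all   10.0.0.0/8                 gss include_realm=0
hostnogssenc  all       all   0.0.0.0/0                  reject
host          appdb     app   192.168.1.0 255.255.255.0  scram-sha-256
hostssl       all       all   10.0.0.0/8                 gss
"""

if __name__ == "__main__":
    for lineno, rtype, db, user, addr, method in non_gssenc_findings(SAMPLE_HBA):
        print(f"line {lineno}: {rtype} {db} {user} {addr} -> {method}")
```

A `hostssl` record is still TLS-protected; it is listed only because it does not enforce GSSAPI encryption.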