Greetings,

* Raj kumar (rajkumar820999@xxxxxxxxx) wrote:
> Thanks Stephen. 😊

Sure.

Also- just to be clear, if you already have an Active Directory
environment, then you already have a KDC- you don't need to stand up
another one (though you certainly could and could use a cross-realm
trust relationship between the AD environment to the MIT/Heimdal one, if
you wanted, and allow AD authenticated users to connect to the PG server
in the MIT/Heimdal realm using Kerberos).

Thanks,

Stephen

> On Mon, 18 May 2020, 21:10 Stephen Frost, <sfrost@xxxxxxxxxxx> wrote:
>
> > Greetings,
> >
> > * Raj kumar (rajkumar820999@xxxxxxxxx) wrote:
> > > 1) The encryption support means that the encryption between the
> > > Client and the Server over the network, which was previously
> > > possible only through SSL or previously, not encrypted at all. Now,
> > > instead of SSL, we can change pg_hba.conf with the parameters
> > > "hostgssenc" and "hostnogssenc" to support encryption over the
> > > network directly using gssapi.
> >
> > Yes.
> >
> > > 2) We need to have a client server, a service server and a Key
> > > Distribution Center Server which should have Kerberos installed in
> > > it. Kerberos is available as opensource.
> >
> > Not sure what you mean by 'client server' and 'service server' here,
> > but, yes you do need a client, a PG server, and a KDC. There's multiple
> > Kerberos implementations available as open source- MIT Kerberos and
> > Heimdal are the popular ones.
> >
> > > Please help me if my understanding is correct and let me know about
> > > the major improvement on this feature with PG12. I have referred
> > > Documentation and some blogs. But, couldn't get the right picture.
> > > Your reply is appreciable.
> >
> > As usual, you'll want to run the most recent minor version of PG,
> > particularly when working with new features. We've had a few issues in
> > the GSSAPI encryption which have been fixed in the latest PG12 minor
> > release (12.3).
> >
> > Generally speaking, if you've got a Kerberos environment and have PG
> > working with Kerberos, GSSAPI encryption will just start happening,
> > though it is recommended to use the 'hostgssenc' lines on the server
> > side pg_hba.conf, as you mention, and on the client side set
> > 'gssencmode=require' on the client, to ensure the communication will
> > be using GSSAPI encryption (the default is only 'prefer', similar to
> > SSL).
> >
> > Thanks,
> >
> > Stephen
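
The server-side half of the recommendation in the thread can be checked mechanically. The script below is an added example, not part of the original messages or of PostgreSQL: it lists the pg_hba.conf rules that a TCP connection can still match without GSSAPI encryption (hostssl entries are reported too, since they are TLS-protected rather than GSSAPI-encrypted). The function names and both sample configurations are constructed for illustration, and include directives and quoted values are assumed absent.

```python
# Added example: list pg_hba.conf rules that can admit a TCP connection
# that is not GSSAPI-encrypted. Sample configs below are constructed.
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}

def parse_rules(text):
    """Yield (lineno, type, database, user, address, method) for host* records."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # assumes no quoted '#' in values
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue                            # blank, comment, or "local" record
        # An address may be followed by a separate netmask column.
        idx = 4 if fields[4] in AUTH_METHODS else 5
        if idx < len(fields):
            yield lineno, fields[0], fields[1], fields[2], fields[3], fields[idx]

def non_gssenc_rules(text):
    """Return [(lineno, type, method)] for rules reachable without GSSAPI encryption."""
    findings = []
    for lineno, rtype, db, user, addr, method in parse_rules(text):
        if rtype == "hostgssenc":
            continue                            # only matches GSSAPI-encrypted traffic
        if method != "reject":
            findings.append((lineno, rtype, method))
        elif rtype in ("host", "hostnogssenc") and (db, user, addr) == ("all",) * 3:
            break   # first match wins: a catch-all reject shadows every later rule
    return findings

WEAK = """\
# TYPE        DATABASE  USER  ADDRESS      METHOD
local         all       postgres           peer
hostgssenc    all       all   10.0.0.0/8   gss
host          all       all   10.0.0.0/8   gss
hostssl       all       all   0.0.0.0/0    scram-sha-256
"""
HARDENED = """\
hostgssenc    all       all   10.0.0.0/8   gss
hostnogssenc  all       all   all          reject
host          all       all   10.0.0.0/8   md5
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, non_gssenc_rules(conf))
```

An empty result covers the server side only; clients still need `gssencmode=require`, as the thread notes, so that they refuse to fall back from GSSAPI encryption.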