Jeanna Geier Wrote:
> - In the docs, it says that when using SSL in Postgres "This requires that
> OpenSSL is installed on both client and server systems and that support in
> PostgreSQL is enabled at build time" - is this correct? Or can we use the
> certificates and keystore file we generated using the Jave keytool
> implementing SSL with Tomcat?
OpenSSL must be installed on the server and enabled at build time.
OpenSSL does not have to be installed on the client.
You are advised to use the OpenSSL tools to create the private/public key pair
for the server as it will then be in the correct format. Assuming you know how
to build/acquire a signed certificate that requires no parse phrase, place the
certificate pair into the root data directory of PostgreSQL. The key pair
should be named server.key and server.crt respectively. Make sure the
permissions on these files are only readable by the postgres user account that
runs the database.
The line ssl=true must appear in the postgresql.conf file.
A restart of the server will be required for ssl to be enabled.
Now for the Java side of things.
If your certificate was signed by a recognised authority you will need a copy
of the public certificate used by the authority that signed your certificate.
Place that public certificate into the Java key store. Most of the well known
ones are already provided in the key store for Sun's VM.
If you self signed the certificate on the server then simply place the public
part of the key pair (server.crt) into your Java key store.
The above will enable clients to connect using ssl.
If you require client authenticaton using ssl then you will need the public key
used to sign your client side certificates. You will need to place the public
key into the root data directory of PostgreSQL and it must be named root.crt.
User the pg_hba.conf file to force clients to use ssl or not.
Hope that helps.
Regards
Donald Fraser