Re: Beginning SSL Questions - Mailing list pgsql-admin

From Jeanna Geier
Subject Re: Beginning SSL Questions
Date
Msg-id 00bb01c6d810$100fb8e0$6700a8c0@geier
In response to Beginning SSL Questions  ("Jeanna Geier" <jgeier@apt-cafm.com>)
List pgsql-admin
Thanks for the reply Michael.

I'm getting started and will report back on any issues I run into; this
mailing list is excellent at responding and helping troubleshoot!!  So
thanks to all for that!!!

----- Original Message -----
From: "Michael Fuhr" <mike@fuhr.org>
To: "Jeanna Geier" <jgeier@apt-cafm.com>
Cc: <pgsql-admin@postgresql.org>
Sent: Thursday, September 14, 2006 10:01 AM
Subject: Re: [ADMIN] Beginning SSL Questions


> On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
>> - In the docs, it says that when using SSL in Postgres "This requires
>> that OpenSSL is installed on both client and server systems and
>> that support in PostgreSQL is enabled at build time" - is this
>> correct?
>
> PostgreSQL must have been built with the --with-openssl configure
> option and the server needs "ssl = on" in postgresql.conf.
>
>> Or can we use the certificates and keystore file we generated using
>> the Java keytool implementing SSL with Tomcat?
>
> You can use the same certificate and key but you'll need to copy
> them to your $PGDATA directory as server.crt and server.key (whether
> using the same certificate and key is a good idea is an administrative
> and/or security matter, but from a technical standpoint it should
> work).  If you want to require SSL client authentication then also
> install the CA certificate(s) as root.crt.  I'd suggest getting
> non-authenticated SSL working first and only then set up client
> authentication if you need it.
>
> If you want to require SSL connections (authenticated or not) then
> use "hostssl" in pg_hba.conf and make sure no other entry will match
> a non-SSL connection.
>
>> - In perusing the mailing list, it appears that this is not going
>> to be a 'simple' task...any pointers that anyone can give to me
>> before we start?  If possible, I'd like to avoid another hair-pulling
>> three week task! =o)
>
> Setting up SSL is simple.  Read "Secure TCP/IP Connections with
> SSL," "SSL Support," and "Client Authentication" in the documentation
> and follow the instructions therein.
>
> http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
> http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
> http://www.postgresql.org/docs/8.1/interactive/client-authentication.html
>
> If you have trouble then please report what you did, what you
> expected to happen, and what did happen (including client and server
> error messages).
>
> --
> Michael Fuhr
>
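
One way to check the "hostssl" advice above, as an added example that is not part of the original messages: a small Python audit that lists pg_hba.conf entries a non-SSL TCP connection could still match and be admitted by. The sample file contents and the function name `non_ssl_entries` are constructed for illustration, and the parser assumes the plain `type database user address [mask] method` layout.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                    METHOD
local      all       all                              md5
hostssl    all       all   0.0.0.0/0                  md5
host       all       all   192.168.0.0/24             md5
hostnossl  all       all   10.0.0.0 255.0.0.0         reject
host       all       all   127.0.0.1 255.255.255.255  trust
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def non_ssl_entries(hba_text):
    """Return (line_no, type, address, method) for entries that admit non-SSL TCP."""
    findings = []
    for line_no, line in enumerate(hba_text.splitlines(), start=1):
        # shlex drops '#' comments and honours double-quoted fields.
        fields = shlex.split(line, comments=True)
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue  # 'local' is a Unix socket; 'hostssl' only matches SSL
        # The address is either CIDR (one field) or an IP plus a separate netmask.
        has_mask = "/" not in fields[3] and len(fields) > 5 and _is_ip(fields[4])
        address = " ".join(fields[3:5]) if has_mask else fields[3]
        method = fields[5] if has_mask else fields[4]
        if method != "reject":  # a 'reject' entry refuses the connection anyway
            findings.append((line_no, fields[0], address, method))
    return findings

if __name__ == "__main__":
    for line_no, kind, address, method in non_ssl_entries(SAMPLE_HBA):
        print(f"line {line_no}: '{kind}' {address} ({method}) matches non-SSL connections")
```

A plain "host" entry matches both SSL and non-SSL connections, so it is reported even when a broader "hostssl" entry sits above it: the "hostssl" line never matches the non-SSL attempt, and the search continues to the next entry.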

