I have just verified that the SSL support added into the 7.4 driver is
working correctly, even against the new v3 protocol of a 7.4 database.
Here are my notes on how to enable SSL on both the server and jdbc client.

Build SSL support into the postgres server:

    ./configure --with-openssl
    make
    make install

Enable SSL in postgresql.conf:

    ssl = true

Add ssl to pg_hba.conf file:

    hostssl ....

Create a quick self-signed certificate using the following OpenSSL command:

    openssl req -new -text -out server.req

Fill out the information that openssl asks for. The challenge password
can be left blank. The program will generate a key that is passphrase
protected; it will not accept a passphrase that is less than four
characters long. To remove the passphrase (as you must if you want
automatic start-up of the server), run the commands

    openssl rsa -in privkey.pem -out server.key
    rm privkey.pem

Enter the old passphrase to unlock the existing key. Now do

    openssl req -x509 -in server.req -text -key server.key -out server.crt
    chmod og-rwx server.key

to turn the certificate into a self-signed certificate and copy the key
and certificate to the data directory of the server.

Now convert the server.crt to a format java can import on the client:

    openssl x509 -in server.crt -out server.crt.der -outform der

Now import the cert into the java keystore:

    keytool -keystore [your java home here]/lib/security/cacerts -alias
        [any name for the cert you like (i.e. postgres)] -import -file
        server.crt.der

Enter the password for the cacerts keystore (default is 'changeit').
Say yes to trust this cert.

Restart the database server and you are done.

To use SSL in jdbc add "?ssl" to the connection url.

I tested the above against both a 7.3 and 7.4 database using the current
development sources on java1.4.
thanks,
--Barry
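
Added example, not part of the original message: a shell check of the server-side steps above (ssl = true in postgresql.conf, a hostssl rule in pg_hba.conf, server.key and server.crt in the data directory, og-rwx on the key). The function names and the sample file contents are constructed for illustration; the check also flags plain "host" rules, because those match non-SSL connections as well.

```shell
#!/bin/sh
# Added example: audit a data directory for the server-side steps in the notes.
# check_pg_ssl DATADIR prints one line per finding and returns the finding count.
check_pg_ssl() {
    d=$1
    n=0
    # ssl must be switched on by an uncommented line in postgresql.conf
    grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(true|on)' "$d/postgresql.conf" 2>/dev/null ||
        { echo "postgresql.conf: ssl is not enabled"; n=$((n + 1)); }
    # pg_hba.conf needs at least one hostssl rule
    grep -Eq '^[[:space:]]*hostssl[[:space:]]' "$d/pg_hba.conf" 2>/dev/null ||
        { echo "pg_hba.conf: no hostssl rule"; n=$((n + 1)); }
    # a plain "host" rule also matches non-SSL connections
    if grep -Eq '^[[:space:]]*host[[:space:]]' "$d/pg_hba.conf" 2>/dev/null; then
        echo "pg_hba.conf: plain host rule still admits unencrypted clients"; n=$((n + 1))
    fi
    # key and certificate must both be in the data directory
    for f in server.key server.crt; do
        [ -f "$d/$f" ] || { echo "$f: missing from data directory"; n=$((n + 1)); }
    done
    # chmod og-rwx: group and other permission bits must all be clear
    if [ -f "$d/server.key" ]; then
        perms=$(ls -ld "$d/server.key" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "server.key: group/other access ($perms)"; n=$((n + 1)); }
    fi
    return "$n"
}

# Build a constructed data directory that follows the notes (placeholder contents,
# not a real key or certificate; the hostssl rule is a made-up sample).
make_sample_datadir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'ssl = true' > "$d/postgresql.conf"
    printf '%s\n' 'hostssl all all 192.0.2.0 255.255.255.0 md5' > "$d/pg_hba.conf"
    echo 'placeholder key' > "$d/server.key"
    echo 'placeholder cert' > "$d/server.crt"
    chmod 600 "$d/server.key"
    echo "$d"
}
```

Run it against a real installation with `check_pg_ssl /path/to/data`; an exit status of 0 means no findings.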