SSL in Postgres 9.5


postgres=# SHOW ssl;
ssl
-----
off
(1 row)

postgres=# SELECT name, setting, source FROM pg_settings WHERE name = 'ssl';
name | setting | source
------+---------+---------
ssl | off | default
(1 row)

postgres=# \q
postgres@solaris11a:~$ whoami
postgres
postgres@solaris11a:~$ openssl req -new -text -out server.req
Generating a 2048 bit RSA private key
..........+++
....................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:Virginia
Locality Name (eg, city) []:Reston
Organization Name (eg, company) []:FAA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:faa.gov
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
postgres@solaris11a:~$ ls -l
total 19
-rw-r--r-- 1 postgres postgres 156 Mar 6 20:55 local.cshrc
-rw-r--r-- 1 postgres postgres 97 Mar 6 20:55 local.login
-rw-r--r-- 1 postgres postgres 171 Mar 6 23:20 local.profile
-rw-r--r-- 1 postgres postgres 1834 Mar 7 08:22 privkey.pem
-rw-r--r-- 1 postgres postgres 3459 Mar 7 08:22 server.req
postgres@solaris11a:~$ openssl rsa -in privkey.pem -out server.key && rm privkey.pem
Enter pass phrase for privkey.pem:
writing RSA key
postgres@solaris11a:~$ openssl req -x509 -in server.req -text -key server.key -out server.crt
postgres@solaris11a:~$ echo $PGDATA

postgres@solaris11a:~$ cp server.key server.crt /usr/local/pgsql/data/


postgres@solaris11a:~$ ls -l /usr/local/pgsql/data/
total 134
-rw------- 1 postgres postgres 4 Mar 6 23:10 PG_VERSION
drwx------ 5 postgres postgres 5 Mar 6 23:10 base
drwx------ 2 postgres postgres 54 Mar 6 23:14 global
drwx------ 2 postgres postgres 3 Mar 6 23:10 pg_clog
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_commit_ts
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_dynshmem
-rw------- 1 postgres postgres 4468 Mar 6 23:10 pg_hba.conf
-rw------- 1 postgres postgres 1636 Mar 6 23:10 pg_ident.conf
drwx------ 4 postgres postgres 4 Mar 6 23:10 pg_logical
drwx------ 4 postgres postgres 4 Mar 6 23:10 pg_multixact
drwx------ 2 postgres postgres 3 Mar 6 23:12 pg_notify
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_replslot
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_serial
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_snapshots
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_stat
drwx------ 2 postgres postgres 5 Mar 7 08:24 pg_stat_tmp
drwx------ 2 postgres postgres 3 Mar 6 23:10 pg_subtrans
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_tblspc
drwx------ 2 postgres postgres 2 Mar 6 23:10 pg_twophase
drwx------ 3 postgres postgres 4 Mar 6 23:10 pg_xlog
-rw------- 1 postgres postgres 88 Mar 6 23:10 postgresql.auto.conf
-rw------- 1 postgres postgres 21495 Mar 6 23:10 postgresql.conf
-rw------- 1 postgres postgres 59 Mar 6 23:12 postmaster.opts
-rw------- 1 postgres postgres 79 Mar 6 23:12 postmaster.pid
-rw-r--r-- 1 postgres postgres 4346 Mar 7 08:25 server.crt
-rw-r--r-- 1 postgres postgres 1679 Mar 7 08:25 server.key

cd /usr/local/pgsql/data/
chown postgres server.key
chmod 600 server.key
ls -l
-rw-r--r-- 1 postgres postgres 4346 Mar 7 08:25 server.crt
-rw------- 1 postgres postgres 1679 Mar 7 08:25 server.key

vi postgresql.conf

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
password_encryption = on

Verify:

#authentication_timeout = 1min # 1s-600s
ssl = on # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
# (change requires restart)
#ssl_prefer_server_ciphers = on # (change requires restart)
#ssl_ecdh_curve = 'prime256v1' # (change requires restart)
ssl_cert_file = 'server.crt' # (change requires restart)
ssl_key_file = 'server.key' # (change requires restart)
#ssl_ca_file = '' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
password_encryption = on
#db_user_namespace = off
#row_security = on

postgres@solaris11a:/usr/local/pgsql/data$ nano postgresql.conf


postgres@solaris11a:/usr/local/pgsql/data$ less postgresql.conf
postgres@solaris11a:/usr/local/pgsql/data$ pg_ctl -D /usr/local/pgsql/data -l /usr/local/pgsql/data/postmaster.log restart
waiting for server to shut down.... done
server stopped
server starting
postgres@solaris11a:/usr/local/pgsql/data$ psql
psql (9.5.22)
Type "help" for help.

postgres=# show ssl;
ssl
-----
on
(1 row)
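
Added example, not part of the original session: a shell check of the resulting data directory. It confirms that ssl is on and that the key file has no group/other access, and it flags pg_hba.conf rules of type host or hostnossl, because ssl = on only makes encrypted connections available and the session above does not edit pg_hba.conf. The function names (pg_setting, audit_pgdata, make_sample) and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original session. Audits a PostgreSQL data
# directory for the SSL setup shown above. Assumes settings use "name = value".

# Effective value of a setting: last uncommented assignment, quotes stripped.
pg_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Prints one finding per line; prints nothing when every check passes.
audit_pgdata() {
    dir=$1; conf="$dir/postgresql.conf"
    case "$(pg_setting "$conf" ssl)" in
        on|true|yes|1) ;;
        *) echo "FAIL ssl is not enabled" ;;
    esac
    key=$(pg_setting "$conf" ssl_key_file)
    case "${key:=server.key}" in /*) ;; *) key="$dir/$key" ;; esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ ! -f "$key" ]; then
        echo "FAIL key file not found: $key"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL key file is accessible to group or others: $key"
    fi
    # 'host' accepts SSL and non-SSL clients, 'hostnossl' only non-SSL;
    # only 'hostssl' rules force encryption.
    n=$(grep -cE '^[[:space:]]*(host|hostnossl)[[:space:]]' "$dir/pg_hba.conf" || true)
    [ "${n:-0}" -eq 0 ] || echo "WARN $n pg_hba.conf rule(s) accept unencrypted TCP connections"
}

# Constructed sample data directory: ssl enabled, key still 0644 as right
# after the cp step above, and one plain 'host' rule in pg_hba.conf.
make_sample() {
    d=$(mktemp -d)
    printf "%s\n" "#ssl = off" "ssl = on   # (change requires restart)" \
        "ssl_key_file = 'server.key'" > "$d/postgresql.conf"
    printf "%s\n" "local all all trust" "host all all 127.0.0.1/32 trust" > "$d/pg_hba.conf"
    : > "$d/server.key"; chmod 644 "$d/server.key"
    echo "$d"
}

d=$(make_sample)
audit_pgdata "$d"       # reports the 0644 key and the plain 'host' rule
chmod 600 "$d/server.key"
audit_pgdata "$d"       # only the pg_hba.conf warning remains
rm -rf "$d"
```

Against the real server, run audit_pgdata /usr/local/pgsql/data as the postgres user.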
