{{% version-badge %}}Available in ≥ 3.4.1-funcrel{{% /version-badge %}}
{{% alert color="info" %}}This documentation is valid for situations where you need to add a new PostgreSQL/CAST Storage Service configured with certificate-based authentication to an existing CAST Imaging installation. See this documentation if you need to install or update CAST Imaging and your PostgreSQL/CAST Storage Service(s) is already using certificate-based authentication.{{% /alert %}}
Overview
This step involves configuring your CAST Storage Service/PostgreSQL instance(s) to function with certificate-based authentication and accept secure incoming connections from clients:
- deal with server keys and certificates
- apply required permissions and ownership rights to server keys/certificates (Linux only)
- modify `postgresql.conf` to enable certificate-based authentication and define server certificates
- modify `pg_hba.conf` to accept incoming secure connections
You will need to repeat each action for all CAST Storage Service/PostgreSQL instance(s) you want to secure.
Deal with server keys and certificates
Find the three server keys and certificates generated in Step 1 - Generate certificates and keys:
- `server.key` - server private key file
- `server.crt` - server certificate file
- `root.crt` - trusted root certificate that ensures clients present a signed certificate when they connect
Copy these files to the folder on the CAST Storage Service/PostgreSQL instance containing the `postgresql.conf` file, as located below:
```
# Microsoft Windows:
%PROGRAMFILES%\CAST\CASTStorageService4\db_data

# Linux:
# Connect with psql and run the following query to locate the postgresql.conf file:
psql -U postgres
show config_file;
```
Apply required permissions and ownership rights to server keys/certificates (Linux only)
{{% alert color="info" %}}This action is only required where PostgreSQL is installed on a Linux operating system.{{% /alert %}}
You'll need to ensure that PostgreSQL has access to the files and set the private key file permissions to disallow access to world or group:
```
chown postgres:postgres /path/to/server.{crt,key}
chown postgres:postgres /path/to/root.crt
chmod 0600 /path/to/server.key
```
Modify postgresql.conf to enable certificate-based authentication
Edit the `postgresql.conf` file to enable certificate-based authentication and define the location of the server keys and certificates. Modify the file as follows and then save it:
```
# - SSL -
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
```
Modify pg_hba.conf to accept incoming secure connections
Edit the `pg_hba.conf` file to accept incoming secure connections. This file is usually stored in the same folder as the `postgresql.conf` file.
Modify the file to allow IPv4 and IPv6 (where appropriate) secure connections by adding `hostssl` entries and an appropriate authentication METHOD (see https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more information about this):
```
# TYPE    DATABASE  USER  ADDRESS       METHOD
# "local" is for Unix domain socket connections only
local     all       all                 peer
# IPv4 connections:
host      all       all   127.0.0.1/32  scram-sha-256
host      all       all   0.0.0.0/0     scram-sha-256
# Allow any IPv4 with SSL + password + a check on SSL cert
hostssl   all       all   127.0.0.1/32  scram-sha-256 clientcert=1
hostssl   all       all   0.0.0.0/0     scram-sha-256 clientcert=1
# IPv6 connections:
host      all       all   ::1/128       scram-sha-256
host      all       all   ::0/0         scram-sha-256
# Allow any IPv6 with SSL + password + a check on SSL cert
hostssl   all       all   ::1/128       scram-sha-256 clientcert=1
hostssl   all       all   ::0/0         scram-sha-256 clientcert=1
```
- The `hostssl` entries given above are purely for example only. Please ensure that you tailor this file to your own environment and that the authentication METHOD is appropriate.
- The mix of `host` and `hostssl` entries above will allow both secure and unencrypted connections. If you prefer to block unencrypted connections, comment out all the lines starting with `host` by adding a `#` at the start of the line.
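As an added check for the two configuration steps above (example code written for this page, not part of CAST's or PostgreSQL's own tooling), the following script parses `postgresql.conf` and `pg_hba.conf` fragments and reports what falls short of the setup described: missing SSL settings, `host` or `hostnossl` records that still accept unencrypted sessions, and `hostssl` records that do not require a client certificate. It goes slightly beyond the page by handling the two-field ADDRESS MASK form and by accepting the `clientcert=verify-ca` / `clientcert=verify-full` spellings used by newer PostgreSQL releases alongside `clientcert=1`; the sample input is constructed.

```python
import shlex

# Constructed sample input modelled on the fragments in this page (not a real deployment).
SAMPLE_POSTGRESQL_CONF = "ssl = on\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\nssl_ca_file = 'root.crt'\n"
SAMPLE_PG_HBA = """\
# TYPE DATABASE USER ADDRESS METHOD
local   all all peer
host    all all 0.0.0.0/0    scram-sha-256
hostssl all all 127.0.0.1/32 scram-sha-256 clientcert=1
hostssl all all 0.0.0.0/0    scram-sha-256 clientcert=verify-full
hostssl all all ::0/0        scram-sha-256
"""
EXPECTED_SSL = {"ssl": "on", "ssl_cert_file": "server.crt", "ssl_key_file": "server.key", "ssl_ca_file": "root.crt"}
CERT_REQUIRED = ("1", "verify-ca", "verify-full")  # clientcert values that demand a client certificate

def parse_postgresql_conf(text):
    """Map 'name = value' lines to {name: value}; comments dropped, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip().strip("'\"")
    return settings

def parse_pg_hba(text):
    """One dict per active pg_hba.conf record; an 'ADDRESS MASK' pair is merged into address."""
    records = []
    for line in text.splitlines():
        f = shlex.split(line, comments=True)
        if not f:
            continue
        address, rest = (None, f[3:]) if f[0] == "local" else (f[3], f[4:])
        if rest and ("." in rest[0] or ":" in rest[0]):  # separate netmask; no METHOD contains '.' or ':'
            address += "/" + rest.pop(0)
        records.append({"type": f[0], "database": f[1], "user": f[2], "address": address,
                        "method": rest[0] if rest else None,
                        "options": dict(o.split("=", 1) for o in rest[1:] if "=" in o)})
    return records

def audit(postgresql_conf, pg_hba):
    """List deviations from the certificate-based setup described on this page."""
    settings = parse_postgresql_conf(postgresql_conf)
    findings = [f"postgresql.conf: {k} should be '{v}', found {settings.get(k)!r}"
                for k, v in EXPECTED_SSL.items() if settings.get(k) != v]
    for r in parse_pg_hba(pg_hba):
        if r["type"] in ("host", "hostnossl"):  # both record types accept unencrypted sessions
            findings.append(f"pg_hba.conf: '{r['type']}' record for {r['address']} permits unencrypted connections")
        elif r["type"] == "hostssl" and r["method"] != "cert" and r["options"].get("clientcert") not in CERT_REQUIRED:
            findings.append(f"pg_hba.conf: hostssl record for {r['address']} does not require a client certificate")
    return findings
```

Run `audit(open(conf).read(), open(hba).read())` against the real files; an empty list means every setting on this page is in place and no unencrypted path remains.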
Restart CAST Storage Service/PostgreSQL instance
Finally, restart your CAST Storage Service or PostgreSQL instance to ensure the changes you have made are taken into account.
What's next?
See Step 3 - Configure CAST components to function with certificate-based authentication.