Drop Down MenusCSS Drop Down MenuPure CSS Dropdown Menu

SSL setup in PostgreSQL

-
PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. This requires that OpenSSL is installed on both client and server systems and that support in PostgreSQL is enabled at build time.

With SSL support compiled in, the PostgreSQL server can be started with SSL enabled by setting the parameter ssl to on in postgresql.conf. The server will listen for both normal and SSLconnections on the same TCP port, and will negotiate with any connecting client on whether to use SSL. By default, this is at the client's option;

PostgreSQL reads the system-wide OpenSSL configuration file. By default, this file is named openssl.cnf and is located in the directory reported by openssl version -d. This default can be overridden by setting environment variable OPENSSL_CONF to the name of the desired configuration file.

OpenSSL supports a wide range of ciphers and authentication algorithms, of varying strength. While a list of ciphers can be specified in the OpenSSL configuration file, you can specify ciphers specifically for use by the database server by modifying ssl_ciphers in postgresql.conf.

Server 1
Step 1
[root@localhost Desktop]# systemctl stop firewalld.service
[root@localhost Desktop]# su - postgres
-bash-4.2$ mkdir -p 9.6/data
-bash-4.2$ cd ..
-bash-4.2$ pwd
/var/lib/pgsql
-bash-4.2$ initdb -D 9.6/data/
Step 2
-bash-4.2$ logout
[root@localhost Desktop]# mkdir /var/lib/CA
[root@localhost Desktop]# cd /var/lib/CA/
[root@localhost CA]# openssl genrsa -out rootCA.key 2048

[root@localhost CA]# openssl req -x509 -new -key rootCA.key -days 1000 -out rootCA.crt
[root@localhost CA]# mkdir server
[root@localhost CA]# cd server/
 
[root@localhost server]# openssl genrsa -out server.key 2048
[root@localhost server]# openssl req -new -key server.key -out server.csr

Note: Common Name (eg, your name or your server's hostname) []:localhost.lo
[root@localhost server]# openssl x509 -req -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -days 5000[root@localhost server]# cd ..
[root@localhost CA]# mkdir client
[root@localhost CA]# cd client/
[root@localhost client]# openssl genrsa -out client.key 2048
[root@localhost client]# openssl req -new -key client.key -out client.csr
Note :Common Name (eg, your name or your server's hostname) []:edb_username for another server
[root@localhost client]# openssl x509 -req -in client.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out client.crt -days 5000
Signature ok
[root@localhost client]# su - postgres 
Last login: Mon May  7 21:18:04 IST 2018 on pts/0
-bash-4.2$ cd 9.6/data/
-bash-4.2$ cp /var/lib/CA/rootCA.crt .
-bash-4.2$ cp /var/lib/CA/server/server.crt .
-bash-4.2$ cp /var/lib/CA/server/server.key .
-bash-4.2$ chmod 600 server.key 
-bash-4.2$ vi postgresql.conf 
 
ssl = on                                # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
                                        # (change requires restart)
ssl_prefer_server_ciphers = on          # (change requires restart)
ssl_ecdh_curve = 'prime256v1'           # (change requires restart)
ssl_cert_file = 'server.crt'            # (change requires restart)
ssl_key_file = 'server.key'             # (change requires restart)
ssl_ca_file = 'rootCA.crt'
-bash-4.2$ vi pg_hba.conf 
#secure client
host     testdb          anil            192.168.184.170/32      trust 
-bash-4.2$ pg_ctl -D ./ start
-bash-4.2$ 
-bash-4.2$ psql -U postgres
psql.bin (9.6.4)
Type "help" for help.
postgres=# 
postgres=# create role edb with login;
CREATE ROLE
postgres=# create database anildb with owner edb;
CREATE DATABASE
postgres=# \q

Server 2 :
[root@localhost Desktop]# systemctl stop firewalld.service
[root@localhost Desktop]# su - edb
[edb@localhost Desktop]$ mkdir ~/.postgres
[edb@localhost Desktop]$ scp root@192.168.184.159:/var/lib/CA/rootCA.crt ~/.postgres
[edb@localhost Desktop]$ scp root@192.168.184.159:/var/lib/CA/rootCA.crt ~/.postgres/root.crt
[edb@localhost Desktop]$ scp root@192.168.184.159:/var/lib/CA/client/client.crt ~/.postgres/postgresql.crt
[edb@localhost Desktop]$ scp root@192.168.184.159:/var/lib/CA/client/client.key ~/.postgres/postgresql.key
[edb@localhost Desktop]$ chmod 600 ~/.postgres/postgresql.key
[edb@localhost Desktop]$ psql -h 192.168.184.159 -U edb anildb
psql (9.2.7, server 9.6.4)
WARNING: psql version 9.2, server version 9.6.
         Some psql features might not work.
SSL connection (cipher: ECDHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
anildb=>


Written BY :- Raghavan Rao

Comments

Post a Comment

Popular posts from this blog

How to find the server is whether standby (slave) or primary(master) in Postgresql replication ?

-
Method 1 You can check the mode of the server using "pg_controldata". [pgsql@test~]$ pg_controldata /usr/local/pgsql/data84/ Database cluster state: in archive recovery --> This is Standby Database Database cluster state: in production --> This is Production Database [Master] Method 2 You can use pg_is_in_recovery() which returns True if recovery is still in progress(so the server is running in standby mode or slave) postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- t (1 row) If Return    false   so the server is running in primary mode or master postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- f (1 row)
Read more

7 Steps to configure BDR replication in postgresql

-
Image
 The  BDR  (Bi-Directional Replication) project adds multi-master replication to PostgreSQL 9.4.  Postgres-BDR has a lower impact on the masters(s) than trigger-based replication solutions. There is no write-amplification, as it does not require triggers to write to queue tables in order to replicate writes.   Here We are using  postgres version 9.4.12 and bdr version 1.0.2. for configuring  multi master replication . Simply Following 7 steps you can configure the multi master replication in postgresql. To download the bdr in below link. .   https://github.com/2ndQuadrant/bdr/archive/bdr-pg/REL9_4_12-1.tar.gz $ tar -xzvf REL9_4_12-1.tar.gz $ wget https://github.com/2ndQuadrant/bdr/archive/bdr-plugin/1.0.2.tar.gz $ tar -xzvf 1.0.2.tar.gz 1. To install BDR. $ cd ~/bdr-bdr-pg-REL9_4_12-1 $ ./configure --prefix=/usr/lib/postgresql/9.4 --enable-debug --with-openssl $ make -j4 -s install-world $ cd ~/bdr-bdr-plugin-1.0.2 $ PATH=/usr/lib/postgresql/9.4/bin:"$PATH" ./c
Read more

How to Get Table Size, Database Size, Indexes Size, schema Size, Tablespace Size, column Size in PostgreSQL Database

-
In this post, I am sharing few important function for finding the size of database, table and index in PostgreSQL. Finding object size in postgresql database is very important and common. Is it very useful to know the exact size occupied by the object at the tablespace. The object size in the following scripts is in GB. The scripts have been formatted to work very easily with PUTTY SQL Editor. 1. Checking table size excluding table dependency: SELECT pg_size_pretty(pg_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 238 MB (1 row) 2. Checking table size including table dependency: SELECT pg_size_pretty(pg_total_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 268 MB (1 row) 3. Finding individual postgresql database size SELECT pg_size_pretty(pg_database_size('db_name')); 4. Finding individual table size for postgresql database -including dependency index: SELECT pg_size_pretty(pg_total_rel
Read more

Ora2PG - Oracle/MySQL to Postgres DB migration Version 20.0

-
Ora2Pg is a free tool used to  migrate  an  Oracle  or MySQL database to a  PostgreSQL  compatible schema. It connects your  Oracle  database, scan it automatically and extracts its structure or data, it then generates SQL scripts that you can load into your  PostgreSQL  database. ora2pg version 20.0 software : ora2pg-20.0.tar ora2pg-20.0   https://github.com/darold/ora2pg/releases/tag/v20.0 Some Blogs about DB Migration : https://2ndquadrant.in/postgresmigration/oracle-to-postgresql-migration/ https://2ndquadrant.in/database-migration-from-oracle-to-postgres/ INSTALLATION All Perl modules can always be found at CPAN ( http://search.cpan.org/ ). Just type the full name of the module (ex: DBD::Oracle) into the search input box, it will brings you the page for download. Releases of Ora2Pg stay at SF.net ( https://sourceforge.net/projects/ora2pg/ ). Under Windows you should install Strawberry Perl ( http://strawberryperl.com/ ) and the OSes corresponding Oracle clients. I
Read more

PostgreSQL Introduction

-
PostgreSQL tutorial provides basic and advanced concepts of SQL. Our PostgreSQL tutorial is designed for beginners and professionals. PostgreSQL is an opens-source object-relational database management system (ORDBMS). Our PostgreSQL tutorial includes all topics of PostgreSQL language such as create database, create table, drop database, drop table, select database, select table, insert record, update record, delete record, triggers, functions, procedures, cursors etc. There are also given PostgreSQL interview questions and quizzes to help you better understand the PostgreSQL language. Prerequisite: Before you start doing practice with various types of examples given in this reference, I'm making an assumption that you are already aware about what is database, especially RDBMS and what is a computer programming language. you must have the basic knowledge of SQL Problem: We assure that you will not find any problem in this PostgreSQL tutorial. But if there is any mistake
Read more