Drop Down MenusCSS Drop Down MenuPure CSS Dropdown Menu

PostgreSQL SSL configuration

-
PREREQUEST :
============
1. OpenSSL should be install on both client and server systems
2. Confirm whether openssl is installed or not .
nijam@2ndquadrant.in:~ # rpm -qa|grep -i openssl
openssl-1.0.2j-60.52.1.x86_64
libopenssl1_0_0-1.0.2j-60.52.1.x86_64
python-pyOpenSSL-16.0.0-4.17.1.noarch
3. Checking openSSL version  :
nijam@2ndquadrant.in:~ # openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016
4. We can print the OpenSSL directory with version -d option like below.
nijam@2ndquadrant.in:~ # openssl version -d
OPENSSLDIR: "/etc/ssl"

nijam@2ndquadrant.in:~ # openssl version -a
OpenSSL 1.0.2j-fips  26 Sep 2016
built on: reproducible build, date unspecified
platform:
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -I. -I.. -I../include  -g
OPENSSLDIR: "/etc/ssl"
5. Collecting the postgres Server details:
nijam@2ndquadrant.in:/home/nijam> ps -ef|grep -i postgres|grep -v -edle
nijam   2693  2641  0 21:12 pts/1    00:00:00 grep --color=auto -i postgres
nijam  19150     1  0 Jun11 ?        00:10:54 /ins_path/10.5/bin/postgres -D /data/nijam
nijam  19151 19150  0 Jun11 ?        00:00:00 postgres: logger process
nijam  19153 19150  0 Jun11 ?        00:00:31 postgres: checkpointer process
nijam  19154 19150  0 Jun11 ?        00:07:15 postgres: writer process
nijam  19155 19150  0 Jun11 ?        00:03:48 postgres: wal writer process
nijam  19156 19150  0 Jun11 ?        00:01:19 postgres: autovacuum launcher process
nijam  19157 19150  0 Jun11 ?        00:00:04 postgres: archiver process   last was 000000010000000100000027
nijam  19158 19150  0 Jun11 ?        00:03:45 postgres: stats collector process
nijam  19159 19150  0 Jun11 ?        00:00:01 postgres: bgworker: logical replication launcher

CONFIGURATION :
===============
This describes how to set up ssl certificates to enable encrypted connections from PgAdmin on some client machine to postgresql on a server machine. The assumption is that postgresql (compiled with ssl support) and openssl are already installed and functional on the server (Linux). PgAdmin is already installed on the client (either Windows or Linux).
On the server, three certificates are required in the data directory. CentOS default is /var/lib/pgsql/data/: 
    1.root.crt (trusted root certificate) 
    2.server.crt (server certificate) 
    3.server.key (private key)

connect as root user and go to postgres data directory path then generate SSL certificate form there only .
Step 1.
=====
$ sudo su -
# cd /data/nijam
Step 2. Generate a private key (you must provide a passphrase):
=====
2ndquadrant.in:/data/nijam # openssl genrsa -des3 -passout pass:gsahdg -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
...++++++
e is 65537 (0x10001)
Step 3. Remove the passphrase.
=======
2ndquadrant.in:/data/nijam # openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

Note : Give below inputs if prompt 
gsahdg   (it is like password you can give whatever you want).

Step 4. Set appropriate permission and owner on the private key file.
=====
# chmod 400 server.key
# chown nijam.nijam server.key

Step 5. Create the server certificate. 
=====
-subj is a shortcut to avoid prompting for the info. 
-x509 produces a self signed certificate rather than a certificate request.
2ndquadrant.in:/data/nijam # openssl req  -nodes -new -x509 -days 3650  -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................................................+++
.......................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Step 6. Since we are self-signing, we use the server certificate as the trusted root certificate. 
=====
2ndquadrant.in:/data/nijam # cp server.crt root.crt
You'll need to edit pg_hba.conf. For example:
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
#hostssl    all             all            0.0.0.0/0             trust  clientcert=1
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
# host    all             all             127.0.0.1/32            pam
# IPv6 local connections:
# host    all             all             ::1/128                 pam
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            pam
host    replication     all             ::1/128                 pam
hostssl         DB      DB_writer 53.126.142.211/32        trust clientcert=1
hostssl         DB      DB_reader 53.126.142.222/32      trust clientcert=1
======================================(OR)===============================================
if you don't want to use client certificate means you can ignore clientcert=1 , so connection will not authenticate by using client certifcate , its network encryption-decryption only. below is the sample configuration setup.
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust

# "local" is for Unix domain socket connections only
 local   all             all                                     trust
# IPv4 local connections:
# host    all             all             127.0.0.1/32            pam
# IPv6 local connections:
# host    all             all             ::1/128                 pam
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            pam
host    replication     all             ::1/128                 pam
hostssl         DB      DB_writer 53.126.142.211/32        password
hostssl         DB      DB_reader 53.126.142.222/32        password

Step 7. You need to edit postgresql.conf to actually activate ssl. 
====
ssl = on
#ssl_cert_file = 'server.crt'
#ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'

Step 8. Postgresql server must be restarted. 
=====
nijam@2ndquadrant.in:/data/nijam> pg_ctl restart $DATA
waiting for server to shut down.... done
server stopped
waiting for server to start....2019-07-03 21:45:14.785 CST [5594] LOG:  listening on IPv4 address "0.0.0.0", port 25084
2019-07-03 21:45:14.785 CST [5594] LOG:  listening on IPv6 address "::", port 25084
2019-07-03 21:45:14.792 CST [5594] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.25084"
2019-07-03 21:45:14.804 CST [5594] LOG:  listening on Unix socket "/tmp/.s.PGSQL.25084"
2019-07-03 21:45:14.815 CST [5594] LOG:  redirecting log output to logging collector process
2019-07-03 21:45:14.815 CST [5594] HINT:  Future log output will appear in directory "log".
 done
server started

POSTREQUEST SERVER SIDE :
==========================
Step 1 . Checking postgres SSL .
=====
nijam@2ndquadrant.in:/data/nijam> psql -h localhost
psql (10.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

nijam=#

Step 2 . Verifying certificate.
=====
nijam@2ndquadrant.in:/data/nijam>  openssl verify -CAfile root.crt server.crt
server.crt: OK

nijam=# show ssl_cert_file;
 ssl_cert_file
---------------
 server.crt
(1 row)

nijam=# show ssl_key_file;
 ssl_key_file
--------------
 server.key
(1 row)

nijam=# show ssl_ca_file;
 ssl_ca_file
-------------
 root.crt
(1 row)

nijam=# show ssl_crl_file;
 ssl_crl_file
--------------

(1 row)

Step 3. Checking SSL mode with Require .
=====
nijam@2ndquadrant.in:/data/nijam> psql "postgresql://localhost/?sslmode=require"
psql (10.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

nijam=#

CLIENT SIDE CONFIGURATION :
==========================
If the server fails to (re)start, look in the postgresql startup log, /var/lib/pgsql/pgstartup.log default for CentOS, for the reason.
On the client, we need three files. For Windows, these files must be in %appdata%\postgresql\ directory. 
You need to create the directory on the client machine if linux ( mkdir ~/.postgresql )
  • root.crt (trusted root certificate) 
  • postgresql.crt (client certificate) 
  • postgresql.key (private key)
Step 1.
====
Generate the the needed files on the server machine, and then copy them to the client. We'll generate the needed files in the /tmp/directory.
First create the private key postgresql.key for the client machine, and remove the passphrase.
2ndquadrant.in:~ # openssl genrsa -des3 -passout pass:gsahdg -out /tmp/postgresql.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)

2ndquadrant.in:~ # openssl rsa -in /tmp/postgresql.key -passout pass:gsahdg -out /tmp/postgresql.key
Enter pass phrase for /tmp/postgresql.key:
writing RSA key

Note : Give gsahdg while prompting
Step 2.
=====
Then create the certificate postgresql.crt. It must be signed by our trusted root (which is using the private key file on the server machine). Also, the certificate common name (CN) must be set to the database user name we'll connect as.
2ndquadrant.in:~ # openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3. Extending SSL validation expiry.
=====
2ndquadrant.in:~ # openssl x509 -days 3650 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
Signature ok

subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Error opening CA Certificate root.crt
139936769549968:error:02001002:system library:fopen:No such file or directory:bss_file.c:407:fopen('root.crt','re')
139936769549968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:409:
unable to load certificate
Reason:
Reroot.crt file path is missing
Solution :
2ndquadrant.in:~ # cd /data/nijam/
2ndquadrant.in:/data/nijam # openssl x509 -days 3650 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting CA Private Key
Copy the three files we created from the server /tmp/ directory to the client machine. 
Copy the trusted root certificate root.crt from the server machine to the client machine (for Windows pgadmin %appdata%\postgresql\ or for Linux pgadmin ~/.postgresql/). Change the file permission of postgresql.key to restrict access to just you (probably not needed on Windows as the restricted access is already inherited). Remove the files from the server /tmp/ directory.
(After copying the three files from the server (/tmp/{postgresql.key,postgresql.crt,root.crt}) to the client machine (into directory ~/.postgresql/), you'll need to set the permission of the key to not world readable: chmod 0400 ~/.postgresql/postgresql.key
On windows, permissions in the are handled automatically for you.)
========================================END===========================================
Basic Issues while configuring SSL certificate :
ISSUES-1 :
$ psql "postgresql://localhost/?sslmode=verify-ca"
psql: root certificate file "/home/nijam/.postgresql/root.crt" does not exist
Either provide the file or change sslmode to disable server certificate verification.
Solution :
$ cp /data/nijam/root.crt /home/nijam/.postgresql/
nijam@2ndquadrant.in:/home/nijam> mkdir /home/nijam/.postgresql/

$ psql "postgresql://localhost/?sslmode=verify-ca"
psql (10.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

ISSUES-2 :
In client side should be change permissions as
chmod 0600 .postgresql/postgresql.key

from client 53.126.142.211 :
password_encryption = md5 
psql -h 2ndquadrant.in -p 5432 -U DB_writer -d DB
check localdomain account.
For server side :
chmod 400 server.crt
chown nijam.nijam server.crt
chmod 400 root.crt
chown nijam.nijam root.crt

Comments

Post a Comment

Popular posts from this blog

How to find the server is whether standby (slave) or primary(master) in Postgresql replication ?

-
Method 1 You can check the mode of the server using "pg_controldata". [pgsql@test~]$ pg_controldata /usr/local/pgsql/data84/ Database cluster state: in archive recovery --> This is Standby Database Database cluster state: in production --> This is Production Database [Master] Method 2 You can use pg_is_in_recovery() which returns True if recovery is still in progress(so the server is running in standby mode or slave) postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- t (1 row) If Return    false   so the server is running in primary mode or master postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- f (1 row)
Read more

7 Steps to configure BDR replication in postgresql

-
Image
 The  BDR  (Bi-Directional Replication) project adds multi-master replication to PostgreSQL 9.4.  Postgres-BDR has a lower impact on the masters(s) than trigger-based replication solutions. There is no write-amplification, as it does not require triggers to write to queue tables in order to replicate writes.   Here We are using  postgres version 9.4.12 and bdr version 1.0.2. for configuring  multi master replication . Simply Following 7 steps you can configure the multi master replication in postgresql. To download the bdr in below link. .   https://github.com/2ndQuadrant/bdr/archive/bdr-pg/REL9_4_12-1.tar.gz $ tar -xzvf REL9_4_12-1.tar.gz $ wget https://github.com/2ndQuadrant/bdr/archive/bdr-plugin/1.0.2.tar.gz $ tar -xzvf 1.0.2.tar.gz 1. To install BDR. $ cd ~/bdr-bdr-pg-REL9_4_12-1 $ ./configure --prefix=/usr/lib/postgresql/9.4 --enable-debug --with-openssl $ make -j4 -s install-world $ cd ~/bdr-bdr-plugin-1.0.2 $ PATH=/usr/lib/postgresql/9.4/bin:"$PATH" ./c
Read more

How to Get Table Size, Database Size, Indexes Size, schema Size, Tablespace Size, column Size in PostgreSQL Database

-
In this post, I am sharing few important function for finding the size of database, table and index in PostgreSQL. Finding object size in postgresql database is very important and common. Is it very useful to know the exact size occupied by the object at the tablespace. The object size in the following scripts is in GB. The scripts have been formatted to work very easily with PUTTY SQL Editor. 1. Checking table size excluding table dependency: SELECT pg_size_pretty(pg_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 238 MB (1 row) 2. Checking table size including table dependency: SELECT pg_size_pretty(pg_total_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 268 MB (1 row) 3. Finding individual postgresql database size SELECT pg_size_pretty(pg_database_size('db_name')); 4. Finding individual table size for postgresql database -including dependency index: SELECT pg_size_pretty(pg_total_rel
Read more

Ora2PG - Oracle/MySQL to Postgres DB migration Version 20.0

-
Ora2Pg is a free tool used to  migrate  an  Oracle  or MySQL database to a  PostgreSQL  compatible schema. It connects your  Oracle  database, scan it automatically and extracts its structure or data, it then generates SQL scripts that you can load into your  PostgreSQL  database. ora2pg version 20.0 software : ora2pg-20.0.tar ora2pg-20.0   https://github.com/darold/ora2pg/releases/tag/v20.0 Some Blogs about DB Migration : https://2ndquadrant.in/postgresmigration/oracle-to-postgresql-migration/ https://2ndquadrant.in/database-migration-from-oracle-to-postgres/ INSTALLATION All Perl modules can always be found at CPAN ( http://search.cpan.org/ ). Just type the full name of the module (ex: DBD::Oracle) into the search input box, it will brings you the page for download. Releases of Ora2Pg stay at SF.net ( https://sourceforge.net/projects/ora2pg/ ). Under Windows you should install Strawberry Perl ( http://strawberryperl.com/ ) and the OSes corresponding Oracle clients. I
Read more

PostgreSQL Introduction

-
PostgreSQL tutorial provides basic and advanced concepts of SQL. Our PostgreSQL tutorial is designed for beginners and professionals. PostgreSQL is an opens-source object-relational database management system (ORDBMS). Our PostgreSQL tutorial includes all topics of PostgreSQL language such as create database, create table, drop database, drop table, select database, select table, insert record, update record, delete record, triggers, functions, procedures, cursors etc. There are also given PostgreSQL interview questions and quizzes to help you better understand the PostgreSQL language. Prerequisite: Before you start doing practice with various types of examples given in this reference, I'm making an assumption that you are already aware about what is database, especially RDBMS and what is a computer programming language. you must have the basic knowledge of SQL Problem: We assure that you will not find any problem in this PostgreSQL tutorial. But if there is any mistake
Read more