Thanks for the reply Michael.
I'm getting started and will report back on any issues I run into; this
mailing list is excellent at responding and helping troubleshoot!! So
thanks to all for that!!!
----- Original Message -----
From: "Michael Fuhr" <mike@fuhr.org>
To: "Jeanna Geier" <jgeier@apt-cafm.com>
Cc: <pgsql-admin@postgresql.org>
Sent: Thursday, September 14, 2006 10:01 AM
Subject: Re: [ADMIN] Beginning SSL Questions
> On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
>> - In the docs, it says that when using SSL in Postgres "This requires
>> that OpenSSL is installed on both client and server systems and
>> that support in PostgreSQL is enabled at build time" - is this
>> correct?
>
> PostgreSQL must have been built with the --with-openssl configure
> option and the server needs "ssl = on" in postgresql.conf.
>
>> Or can we use the certificates and keystore file we generated using
>> the Jave keytool implementing SSL with Tomcat?
>
> You can use the same certificate and key but you'll need to copy
> them to your $PGDATA directory as server.crt and server.key (whether
> using the same certificate and key is a good idea is an administrative
> and/or security matter, but from a technical standpoint it should
> work). If you want to require SSL client authentication then also
> install the CA certificate(s) as root.crt. I'd suggest getting
> non-authenticated SSL working first and only then set up client
> authentication if you need it.
>
> If you want to require SSL connections (authenticated or not) then
> use "hostssl" in pg_hba.conf and make sure no other entry will match
> a non-SSL connection.
>
>> - In perusing the mailing list, it appears that this is not going
>> to be a 'simple' task...any pointers that anyone can give to me
>> before we start? If possible, I'd like to avoid another hair-pulling
>> three week task! =o)
>
> Setting up SSL is simple. Read "Secure TCP/IP Connections with
> SSL," "SSL Support," and "Client Authentication" in the documentation
> and follow the instructions therein.
>
> http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
> http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
> http://www.postgresql.org/docs/8.1/interactive/client-authentication.html
>
> If you have trouble then please report what you did, what you
> expected to happen, and what did happen (including client and server
> error messages).
>
> --
> Michael Fuhr
>