Re: Beginning SSL Questions
From | Jeanna Geier |
---|---|
Subject | Re: Beginning SSL Questions |
Date | |
Msg-id | 00bb01c6d810$100fb8e0$6700a8c0@geier |
In response to | Beginning SSL Questions ("Jeanna Geier" <jgeier@apt-cafm.com>) |
List | pgsql-admin |
Thanks for the reply Michael. I'm getting started and will report back on
any issues I run into; this mailing list is excellent at responding and
helping troubleshoot!! So thanks to all for that!!!

----- Original Message -----
From: "Michael Fuhr" <mike@fuhr.org>
To: "Jeanna Geier" <jgeier@apt-cafm.com>
Cc: <pgsql-admin@postgresql.org>
Sent: Thursday, September 14, 2006 10:01 AM
Subject: Re: [ADMIN] Beginning SSL Questions

> On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
>> - In the docs, it says that when using SSL in Postgres "This requires
>> that OpenSSL is installed on both client and server systems and
>> that support in PostgreSQL is enabled at build time" - is this
>> correct?
>
> PostgreSQL must have been built with the --with-openssl configure
> option and the server needs "ssl = on" in postgresql.conf.
>
>> Or can we use the certificates and keystore file we generated using
>> the Java keytool implementing SSL with Tomcat?
>
> You can use the same certificate and key but you'll need to copy
> them to your $PGDATA directory as server.crt and server.key (whether
> using the same certificate and key is a good idea is an administrative
> and/or security matter, but from a technical standpoint it should
> work). If you want to require SSL client authentication then also
> install the CA certificate(s) as root.crt. I'd suggest getting
> non-authenticated SSL working first and only then set up client
> authentication if you need it.
>
> If you want to require SSL connections (authenticated or not) then
> use "hostssl" in pg_hba.conf and make sure no other entry will match
> a non-SSL connection.
>
>> - In perusing the mailing list, it appears that this is not going
>> to be a 'simple' task...any pointers that anyone can give to me
>> before we start? If possible, I'd like to avoid another hair-pulling
>> three week task! =o)
>
> Setting up SSL is simple. Read "Secure TCP/IP Connections with
> SSL," "SSL Support," and "Client Authentication" in the documentation
> and follow the instructions therein.
>
> http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
> http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
> http://www.postgresql.org/docs/8.1/interactive/client-authentication.html
>
> If you have trouble then please report what you did, what you
> expected to happen, and what did happen (including client and server
> error messages).
>
> --
> Michael Fuhr