Thread: PostgreSQL 9.3.5 - Enable SSL


PostgreSQL 9.3.5 - Enable SSL

From
Date:
Hello All,

I need help on following.

Current Setup -
We have PostgreSQL 9.3.5 running on RedHAT Linux 6 without SSL enabled & have database of size 150 GB & we have C &
.Net application connecting to the database.
 

Changes required in current Setup
We need to enable SSL on PGSQL 9.3.5 . Please let me know the steps to be performed so that I can enable SSL & use
existing database.
 

Also what is required for applications (C & .net) to connect to database.

Thanks in advance.

Regards
Shyamkant
The information contained in this electronic message and any attachments to this message are intended for the exclusive
use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended
recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy
all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient
should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage
caused by any virus transmitted by this email. www.wipro.com
 

Re: PostgreSQL 9.3.5 - Enable SSL

From
Venkata Balaji N
Date:

On Fri, Feb 19, 2016 at 5:28 PM, <shyamkant.dhamke@wipro.com> wrote:
Hello All,

I need help on following.

Current Setup -
We have PostgreSQL 9.3.5 running on RedHAT Linux 6 without SSL enabled & have database of size 150 GB & we have C & .Net application connecting to the database.

Changes required in current Setup
We need to enable SSL on PGSQL 9.3.5 . Please let me know the steps to be performed so that I can enable SSL & use existing database.

You need to have OpenSSL software installed on the database server. If not you can use yum install to install openssl software or can download the appropriate openssl version from the below link -

 
PostgreSQL needs to be compiled with "--with-openssl" option. Following link has the required information to generate certificate and key files post which you need to configure ssl* parameters in postgresql.conf file -

  
Also what is required for applications (C & .net) to connect to database.

"hostssl" entry needs to be made in the pg_hba.conf file for the application servers intending connect to PostgreSQL cluster in SSL mode. I believe you must be using npgsql driver to connect to PostgreSQL, you need to configure npgsql driver to send ssl mode connections to postgresql. By default SSL mode is "off" for npgsql driver. Please refer to the below link. 



Regards,
Venkata B N

Fujitsu Australia

Re: PostgreSQL 9.3.5 - Enable SSL

From
Venkata Balaji N
Date:

On Mon, Feb 22, 2016 at 3:48 AM, <shyamkant.dhamke@wipro.com> wrote:
 

Please let me know if I have existing non-ssl setup how I can migrate it to SSL enabled setup?


Still you need to install postgresql with --with-openssl option on the existing postgresql binaries and restart the postgresql instance post installation.
 

 Also let me know in case streaming replication is on with non-SSL , do I need to follow same steps to enable SSL for replication server?


Replication has nothing to do with SSL as you want to enable SSL encryption to application connections. The process remains the same for slave server as well.

Regards,
Venkata B N

Fujitsu Australia


Re: PostgreSQL 9.3.5 - Enable SSL

From
Venkata Balaji N
Date:

On Wed, Feb 24, 2016 at 3:04 AM, <shyamkant.dhamke@wipro.com> wrote:

Many Thanks Venkata B N,

 

We have followed steps as mentioned by you. We are able to connect using PGAdmin, but now we are facing challenge while connecting from ASP.Net client.

 

My connection string is

<add key="ConnectPIAM_TRANS_DB" value="Server=10.200.201.79;Port=5555; User Id=postgres; Password=wipro@123;Database=PIAM_TRANS_DB;Protocol=3;SSL=true;sslMode=Require;"/>

 

Also attached cert file for your reference.

 

I am getting below error

“FATAL: 28000: connection requires a valid client certificate”


Did you make an hostssl entry in pg_hba.conf for the host from where pgAdmin-III is connecting ?

Can you get us the ssl* parameters configured in postgresql.conf file ?

Regards,
Venkata B N

Fujitsu Australia

Re: PostgreSQL 9.3.5 - Enable SSL

From
Date:

Hi Venkata B N,

 

Thanks for response. I have attached files for your reference. Yes we have made entry in pg_hba.conf file.

 

Please help. Thanks in advance.

 

Regards

Shyamkant

 

Attachments

Re: PostgreSQL 9.3.5 - Enable SSL

From
Albe Laurenz
Date:
shyamkant.dhamke@wipro.com wrote:
> We have followed steps as mentioned by you. We are able to connect using PGAdmin, but now we are
> facing challenge while connecting from ASP.Net client.
> 
> My connection string is
> 
> <add key="ConnectPIAM_TRANS_DB" value="Server=10.200.201.79;Port=5555; User Id=postgres;
> Password=wipro@123;Database=PIAM_TRANS_DB;Protocol=3;SSL=true;sslMode=Require;"/>
> 
> Also attached cert file for your reference.
> 
> I am getting below error
> 
> “FATAL: 28000: connection requires a valid client certificate”

The error message means that the client did not send a valid
client certificate (i.e. one that can be verified using the server's
certificate chain).

What .NET provider are you using?
Do you have the server parameter ssl_ca_file pointing to your CA certificate?
Does your provider send a client certificate?

Yours,
Laurenz Albe
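
Added example, not part of the original thread: PostgreSQL raises the error quoted above when the pg_hba.conf entry that matches the connection uses the cert method or carries clientcert=1 and the client presents no certificate. The sketch below audits pg_hba.conf text for such entries and for entries that still admit unencrypted connections; SAMPLE_HBA and the verdict labels are constructed for illustration, and IPv6 netmask columns and quoted fields are not handled.

```python
# Constructed sample pg_hba.conf content (not taken from the thread).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER      ADDRESS        METHOD  OPTIONS
local      all       postgres                 peer
host       all       all       10.0.0.0/24    md5
hostssl    appdb     appuser   10.0.1.0/24    md5
hostssl    appdb     appuser   10.0.2.0/24    md5     clientcert=1
hostssl    appdb     certuser  10.0.3.0/24    cert
hostnossl  all       all       0.0.0.0/0      reject
"""


def parse_hba(text):
    """Yield (lineno, type, method, options) for every rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comments
        if not fields:
            continue
        conn_type, rest = fields[0], fields[3:]    # skip database and user
        if conn_type != "local":
            rest = rest[1:]                        # drop the address column
            if rest and rest[0].replace(".", "").isdigit():
                rest = rest[1:]                    # drop a separate IPv4 netmask
        if rest:
            yield lineno, conn_type, rest[0], rest[1:]


def classify(conn_type, method, options):
    """Return a verdict label for one rule, or None if TLS does not apply."""
    if conn_type == "local":
        return None                                # Unix-domain socket
    if method == "reject":
        return "reject"
    if conn_type in ("host", "hostnossl"):
        return "plaintext-allowed"                 # host matches SSL and non-SSL
    if conn_type != "hostssl":
        return "unknown-type"
    if method == "cert" or "clientcert=1" in options:
        return "tls-client-cert"                   # client must present a certificate
    return "tls-only"


def audit(text):
    """Return [(lineno, verdict)] for all TCP rules in pg_hba.conf text."""
    return [(n, v) for n, t, m, o in parse_hba(text)
            if (v := classify(t, m, o)) is not None]


if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE_HBA):
        print(f"line {lineno}: {verdict}")
```

Because pg_hba.conf is matched top-down and the first matching record wins, a `host` line above a `hostssl` line can still admit unencrypted clients from the same address range.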

Re: PostgreSQL 9.3.5 - Enable SSL

From
Date:
Hello,

I need sample C program ( running on Unix )  to connect to PostgreSQL 9.3.5 (SSL Enabled) database.

Regards
Shyamkant

 

Re: PostgreSQL 9.3.5 - Enable SSL

From
Albe Laurenz
Date:
shyamkant.dhamke@wipro.com wrote:
> I need sample C program ( running on Unix )  to connect to PostgreSQL 9.3.5 (SSL Enabled) database.

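#include <stdio.h>
#include <libpq-fe.h>

int main(int argc, char **argv) {
    PGconn *conn;

    /* Connection parameters are left elided, as in the original post. */
    conn = PQconnectdb("host=... port=... dbname=... user=... password=...");
    if (conn == NULL) {
        /* PQconnectdb returns NULL only if it cannot allocate the object. */
        fprintf(stderr, "Out of memory.\n");
        return 1;
    }
    if (PQstatus(conn) != CONNECTION_OK) {
        /* Print the server/libpq message as data, never as the format string. */
        fprintf(stderr, "%s", PQerrorMessage(conn));
        PQfinish(conn);
        return 1;
    }

    /* Close the connection and free the PGconn object. */
    PQfinish(conn);
    return 0;
}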


Essentially, there's nothing special to do in the C code.

You have to have the server set up for SSL (ssl=on) and the certificate and key in place.
On the client side, you can add "sslmode=require" as connection option to make sure that
no unencrypted connection is attempted.

Yours,
Laurenz Albe