Discussion: [ADMIN] Restart PostgreSQL service with SSL and private key pass phrase

[ADMIN] Restart PostgreSQL service with SSL and private key pass phrase

From
sri bhav
Date:

Hi,

I currently have PostgreSQL 9.5 installed on a Windows 10 machine. I have enabled SSL and configured key & crt files with a pass phrase. I know that I have to enter the PEM pass phrase every time I try to restart. So I tried using pg_ctl to start Postgres, but I have a few issues:

  1. Since I installed Postgres as a Windows service, running pg_ctl does not start my service. I see postgresql exe instances running in Task Manager but my Windows service never gets updated to Running.
  2. After running the following command:

pg_ctl -D "c:\Program Files\PostgreSQL\9.5\data" restart -w

I was able to enter the PEM pass phrase since I got a prompt and was able to connect. But when my application is trying to establish the connection with PostgreSQL, the application is waiting since there are prompts on the command window where I executed the pg_ctl command to enter the PEM pass phrase. I think this makes the application totally unusable.

  3. Per our security requirements, we cannot remove the PEM pass phrase, so how do I control the PostgreSQL service – start & restart with the pass phrase and without user interaction?

Please advise on how to achieve what I am doing or share any alternatives that someone already has for this situation.

Thank you

 

 


Re: [ADMIN] Restart PostgreSQL service with SSL and private key pass phrase

From
Bear Giles
Date:
I don't have answers for PostgreSQL specifically but servers usually don't require passphrases on their keys due to the need for human intervention. The alternative is running a key service - a server on a secure site that provides keys to servers as they come up - but that just moves the problem back by one step since you still have to have the authentication information for the key service on your server. An attacker could still steal that and obtain the key from the key service.

In the Unix/Linux world one approach is to put the key on an NFS server, or perhaps even a CD-ROM, and have the server startup script mount the drive, access the key on it, and then unmount the drive. That keeps the key off backup media(*) and invisible to the average attacker with illicit root access. A knowledgeable attacker would still know how to find the startup script and see how the key is retrieved but they're relatively uncommon. Needless to say the NFS server would be on an internal network and not visible to the outside world.

I don't know what's done in the Windows world.

(* the backup software should be smart enough to know that the keys shouldn't be backed up, e.g., by checking the extended attributes, but it's easy to misconfigure that.)

On Fri, Nov 17, 2017 at 2:19 PM, sri bhav <sri_bhav@hotmail.com> wrote:


Re: [ADMIN] Restart PostgreSQL service with SSL and private key pass phrase

From
Laurenz Albe
Date:
sri bhav wrote:
> I currently have PostgreSQL 9.5 installed on a Windows 10 machine. I have enabled SSL and configured key & crt files
> with a pass phrase.

> I know that I have to enter the PEM pass phrase every time I try to restart.

> Since I installed Postgres as a Windows service, running pg_ctl does not start my service.
> I see postgresql exe instances running in Task Manager but my Windows service never gets updated to Running.

> Per our security requirements, we cannot remove the PEM pass phrase, so how do I control the PostgreSQL
> service – start & restart with the pass phrase and without user interaction?

Change the security requirements.

What good is a password on a key if you have to store it on the machine
anyway to allow automatic start of the PostgreSQL server?

Yours,
Laurenz Albe



Newbie looking for good tutorial to install PL/java for postgres 9.6

From
koffi BADOH
Date:
Hi All,
Yes, I know I can google and find some tutorials. But not always fitted for newbies.
So what I need are steps to install and add PL/java as an extension to my PostgreSQL 9.6 server.
Thanks a lot for your help.
koff