...
Modify the postgresql.conf configuration file to enable SSL and provide the paths to the certificates:

```
ssl = on
ssl_cert_file = '<path to server certificate>'
ssl_key_file = '<path to server key>'
ssl_ca_file = '<path to root CA>'
```
Modify the pg_hba.conf configuration file. Add hostssl entries (or change the existing host entries to hostssl) with the clientcert authentication option. This option can be set to verify-ca or verify-full. Both options require the client to present a valid (trusted) SSL certificate. More details can be found here: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

```
hostssl all all 127.0.0.1/32 scram-sha-256 clientcert=verify-ca
```
Restart the PostgreSQL service:

```bash
sudo service postgresql restart
```
Central Server (< 7.3.0)
Steps to configure Central Server to use mTLS for database connections:
Modify /etc/xroad/db.properties. Provide the paths to the root CA and to the client certificate and key:

```
database=centerui_production?sslmode=verify-ca&sslrootcert=<ROOT_CA>&sslcert=<PATH_TO_CLIENT_CERT>&sslkey=<PATH_TO_CLIENT_KEY>
```
Note: the JDBC client supports the key file formats PKCS-12 and PKCS-8. To convert a PEM key, the following command can be used:

```bash
openssl pkcs8 -topk8 -inform PEM -in client.key -outform DER -out client.pk8 -nocrypt
```
Note: we should consider updating the db.properties file to provide a JDBC connection URL (as in the Security Server). The database property is not supposed to be used in this way.
Restart the Central Server:

```bash
supervisorctl restart xroad-center
```

Verify that the Central Server started successfully.
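As an added check (example code, not part of the original page or of X-Road), the following script audits the two configuration points above: it flags pg_hba.conf entries that still allow non-TLS connections or hostssl entries without clientcert=verify-ca/verify-full, and checks that the pre-7.3.0 db.properties database value carries sslmode and the three certificate parameters. The pg_hba.conf content and the file paths are constructed sample values.

```python
from urllib.parse import parse_qs

# Constructed sample pg_hba.conf content (not from the page).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
hostssl all       all   127.0.0.1/32   scram-sha-256 clientcert=verify-ca
hostssl all       all   10.0.0.0/8     scram-sha-256
hostssl all       all   ::1/128        scram-sha-256 clientcert=verify-full
"""

MTLS_MODES = ("verify-ca", "verify-full")


def audit_pg_hba(text):
    """Return (line_no, finding) pairs for TCP entries that do not require a
    trusted client certificate. Unix-socket ('local') entries are out of scope."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local":
            continue
        if kind != "hostssl":
            findings.append((n, f"'{kind}' entry permits non-TLS connections; use hostssl"))
            continue
        # Options follow the METHOD field as key=value tokens; the address may
        # be one field (CIDR) or two (IP + netmask), so scan everything after it.
        opts = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        if opts.get("clientcert") not in MTLS_MODES:
            findings.append((n, "hostssl entry lacks clientcert=verify-ca or clientcert=verify-full"))
    return findings


def audit_jdbc_database(value):
    """Check a db.properties 'database=' value (pre-7.3.0 form) for the sslmode
    and certificate parameters the procedure above requires."""
    _, _, query = value.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    problems = []
    if params.get("sslmode") not in MTLS_MODES:
        problems.append("sslmode must be verify-ca or verify-full")
    for key in ("sslrootcert", "sslcert", "sslkey"):
        if not params.get(key):
            problems.append(f"missing {key}")
    return problems


if __name__ == "__main__":
    for line_no, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {line_no}: {msg}")
```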
Security Server / Central Server (>= 7.3.0)
Steps to configure Security Server to use mTLS for database connections:
...