Configuring SSL authentication on a Failover Manager cluster v4
You can enable SSL authentication for Failover Manager. All connecting clients are required to use SSL authentication when connecting to any database server in the cluster. You must modify the connection methods currently used by existing clients.
To enable SSL on a Failover Manager cluster:
server.keyfile in the
datadirectory under your EDB Postgres Advanced Server installation. You can purchase a certificate signed by an authority or create your own self-signed certificate. For information about creating a self-signed certificate, see the PostgreSQL core documentation.
postgresql.conffile on each database in the Failover Manager cluster, enabling SSL:
After modifying the
postgresql.conffile, you must restart the server.
pg_hba.conffile on each node of the Failover Manager cluster, adding the following line to the beginning of the file:
The line instructs the server to reject any connections that aren't using SSL authentication. This enforces SSL authentication for any connecting clients. For information about modifying the
pg_hba.conffile, see the PostgreSQL core documentation.
After placing the
server.keyfiles in the data directory, convert the certificate to a form that Java understands; you can use the command:
For more information, see the Postgres JDBC documentation.
Add the certificate to the Java trusted certificates file:
$JAVA_HOMEis the home directory of your Java installation.
alias_namecan be any string but must be unique for each certificate.
You can use the
keytoolcommand to review a list of the available certificates or retrieve information about a specific certificate. For more information about using the
The certificate from each database server must be imported into the trusted certificates file of each agent. The location of the
cacertsfile can vary on each system. For more information, see the Postgres JDBC documentation.
Modify the efm.properties file on each node in the cluster, setting the