SSL Certificates v23
If you set
enable_pg_backup_api: true in
config.yml or use the
--enable-pg-backup-api command line option during configure, instances
barman role will install pg-backup-api and set up an
apache proxy for client cert authentication. This apache proxy will use
an SSL CA generated for the cluster to generate its server and client
pg-backup-api status on the barman node running pg-backup-api - if
you get "OK" back, the pg-backup-api service is running.
To test that the proxy is working, run
If it's working, you'll get a large json output. You can compare this
with the output of
barman diagnose, they should match exactly.
The root certificate will be copied to
/etc/tpa/pg-backup-api/ by default.
A client certificate and key (
pg-backup-user.key) will be generated for testing (through
tpaexec test) or command line from the barman host. See
An apache proxy server certificate and key (
pg-backup-api.key) will also be generated
Each service needing to query the api will need to generate its own
client certificate separately. PEM agent role, for instance, generates a
client certificate during it's setup when both
--enable-pg-backup-api (or config.yml equivalent) are used.