Configuring SSL Authentication on a Failover Manager Cluster

The following steps enable SSL authentication for Failover Manager. Please note that all connecting clients will be required to use SSL authentication when connecting to any database server within the cluster; you will be required to modify the connection methods currently used by existing clients.

To enable SSL on a Failover Manager cluster, you must:

  1. Place a server.crt and server.key file in the data directory (under your Advanced Server installation). You can purchase a certificate signed by an authority, or create your own self-signed certificate. For information about creating a self-signed certificate, see the PostgreSQL core documentation at:

    https://www.postgresql.org/docs/10/static/ssl-tcp.html#ssl-certificate-creation

  2. Modify the postgresql.conf file on each database within the Failover Manager cluster, enabling SSL:

    ssl=on

    After modifying the postgresql.conf file, you must restart the server.

  3. Modify the pg_hba.conf file on each node of the Failover Manager cluster, adding the following line to the beginning of the file:

    hostnossl all all all reject

    The line instructs the server to reject any connections that are not using SSL authentication; this enforces SSL authentication for any connecting clients.  For information about modifying the pg_hba.conf file, see the PostgreSQL core documentation at:

    https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html

  4. After placing the server.crt and server.key file in the data directory, convert the certificate to a form that Java understands; you can use the command:

    openssl x509 -in server.crt -out server.crt.der -outform der

    For more information, visit:

    https://jdbc.postgresql.org/documentation/94/ssl-client.html

  5. Then, add the certificate to the Java trusted certificates file:

    keytool -keystore $JAVA_HOME/lib/security/cacerts -alias <alias_name> -import -file server.crt.der

    Where

    $JAVA_HOME is the home directory of your Java installation.

    <alias_name> can be any string, but must be unique for each certificate.

    You can use the keytool command to review a list of the available certificates or retrieve information about a specific certificate. For more information about using the keytool command, enter:

    man keytool

    The certificate from each database server must be imported into the trusted certificates file of each agent. Note that the location of the cacerts file may vary on each system. For more information, visit:

    https://jdbc.postgresql.org/documentation/94/ssl-client.html

  6. Modify the efm.properties file on each node within the cluster, setting the jdbc.sslmode property.
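
The following script is an added example, not part of the Failover Manager documentation. It audits a data directory for the results of steps 1 through 3 and shows that the hostnossl reject line only enforces SSL when no other rule precedes it. The function names and the sample directories it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the product documentation): audit steps 1-3.
# Function names and sample directories are constructed for illustration.

# Succeeds if the last uncommented "ssl" setting in postgresql.conf is enabled
# (when a parameter appears more than once, the last occurrence applies).
ssl_enabled() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*ssl[ \t]*(=|[ \t])/ {
             v = $0; sub(/^[ \t]*ssl[ \t]*=?/, "", v)
             gsub(/[^A-Za-z0-9]/, "", v); val = tolower(v)
         }
         END { if (val ~ /^(on|true|yes|1)$/) exit 0; exit 1 }' "$1"
}

# Succeeds if the first effective rule in pg_hba.conf is the reject line from
# step 3. Rules are matched top-down, so a "host" rule placed above it still
# admits clients that are not using SSL.
hba_rejects_plaintext() {
    first=$(awk '{ sub(/#.*/, "") } NF { print $1, $2, $3, $4, $5; exit }' "$1")
    [ "$first" = "hostnossl all all all reject" ]
}

# Runs every check against data directory $1 and reports each failure.
audit_datadir() {
    rc=0
    [ -s "$1/server.crt" ] && [ -s "$1/server.key" ] ||
        { echo "FAIL: server.crt or server.key missing in $1"; rc=1; }
    ssl_enabled "$1/postgresql.conf" ||
        { echo "FAIL: ssl is not enabled in postgresql.conf"; rc=1; }
    hba_rejects_plaintext "$1/pg_hba.conf" ||
        { echo "FAIL: first pg_hba.conf rule is not the hostnossl reject"; rc=1; }
    return "$rc"
}

# Constructed sample data directory; optional $2 is a rule placed above the reject.
make_sample_datadir() {
    mkdir -p "$1"
    echo "placeholder" > "$1/server.crt"; echo "placeholder" > "$1/server.key"
    printf '%s\n' "#ssl = off" "ssl = on   # step 2" > "$1/postgresql.conf"
    printf '%s\n' "# TYPE DATABASE USER ADDRESS METHOD" ${2:+"$2"} \
        "hostnossl all all all reject" "hostssl all all all md5" > "$1/pg_hba.conf"
}

demo=$(mktemp -d)
make_sample_datadir "$demo/good"
make_sample_datadir "$demo/bad" "host all all 0.0.0.0/0 md5"
audit_datadir "$demo/good" && echo "good: SSL enforced"
audit_datadir "$demo/bad"  || echo "bad: a rule precedes the hostnossl reject"
```

To audit a real node, call audit_datadir with the path of that node's data directory.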