Configuring SSL Authentication on a Failover Manager Cluster¶
The following steps enable SSL authentication for Failover Manager. Please note that all connecting clients will be required to use SSL authentication when connecting to any database server within the cluster; you will be required to modify the connection methods currently used by existing clients.
To enable SSL on a Failover Manager cluster, you must:
server.keyfile in the
datadirectory (under your Advanced Server installation). You can purchase a certificate signed by an authority, or create your own self-signed certificate. For information about creating a self-signed certificate, see the PostgreSQL core documentation at:
postgresql.conffile on each database within the Failover Manager cluster, enabling SSL:
After modifying the postgresql.conf file, you must restart the server.
pg_hba.conffile on each node of the Failover Manager cluster, adding the following line to the beginning of the file:
hostnossl all all all reject
The line instructs the server to reject any connections that are not using SSL authentication; this enforces SSL authentication for any connecting clients. For information about modifying the pg_hba.conf file, see the PostgreSQL core documentation at:
After placing the server.crt and server.key file in the data directory, convert the certificate to a form that Java understands; you can use the command:
openssl x509 -in server.crt -out server.crt.der -outform der
For more information, visit:
Then, add the certificate to the Java trusted certificates file:
keytool -keystore $JAVA_HOME/lib/security/cacerts -alias <alias_name> -import -file server.crt.der
$JAVA_HOMEis the home directory of your Java installation.
<alias_name> can be any string, but must be unique for each certificate.
You can use the
keytoolcommand to review a list of the available certificates or retrieve information about a specific certificate. For more information about using the keytool command, enter:
The certificate from each database server must be imported into the trusted certificates file of each agent. Note that the location of the cacerts file may vary on each system. For more information, visit:
Modify the efm.properties file on each node within the cluster, setting the