Using SSL

EDB Postgres Advanced Server provides native support for SSL connections, which encrypt client/server communications for increased security. In OCL, SSL is controlled by setting the sslmode parameter to verify-full or verify-ca and providing the system with a root certificate to verify against.

Steps of SSL configuration:

  1. Configure the Server and Client Side Certificates; for detailed information about configuring SSL client and server side certificates, refer to the PostgreSQL SSL documentation.

  2. Enable the SSL OCL Connection:

    In an OCL client application, you can enable SSL mode by setting the EDB_ATTR_SSL attribute in Session.

    /* Request full verification of the server certificate for this session */
    char *sslmode = "verify-full";
    retValue = OCIAttrSet((dvoid *)authp, (ub4)OCI_HTYPE_SESSION,
                          (dvoid *)sslmode, (ub4)strlen((char *)sslmode),
                          (ub4)EDB_ATTR_SSL, errhp);

Note

EDB_ATTR_SSL is defined in the edboci.h header file, which is available in the installation directory.

  3. After setting the SSL attribute, use the OCILogon function to create a connection:

    OCILogon(pEnv, pError, &pSvc, (OraText *)pUsername, (ub4)UsernameLen,
             (OraText *)pPassword, (ub4)PasswordLen,
             (OraText *)pDatabase, (ub4)DatabaseLen);

Once the server is authenticated, the client is ready to pass sensitive data.
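
The following added example (not part of the EDB documentation) shows one way to stop a configurable sslmode value from falling below the verifying modes named above before it reaches OCIAttrSet. The mode names are the libpq sslmode values from the PostgreSQL documentation referenced on this page; sslmode_strength, checked_sslmode and set_session_ssl are hypothetical helper names, and it is assumed that including edboci.h also brings in the OCI type definitions.

```c
#include <string.h>

/* Include the connector header only where it is installed
 * (assumption: edboci.h also declares the OCI types used below). */
#if defined(__has_include)
#  if __has_include(<edboci.h>)
#    include <edboci.h>
#    define HAVE_EDBOCI 1
#  endif
#endif

/* Classify a libpq sslmode string (hypothetical helper).
 *   2  verify-full: certificate chain and host name are checked
 *   1  verify-ca:   certificate chain is checked, host name is not
 *   0  disable/allow/prefer/require: no guaranteed server verification
 *  -1  not a recognised sslmode (comparison is case-sensitive) */
int sslmode_strength(const char *mode)
{
    static const char *unverified[] = { "disable", "allow", "prefer", "require" };
    size_t i;

    if (mode == NULL) return -1;
    if (strcmp(mode, "verify-full") == 0) return 2;
    if (strcmp(mode, "verify-ca") == 0) return 1;
    for (i = 0; i < sizeof unverified / sizeof unverified[0]; i++)
        if (strcmp(mode, unverified[i]) == 0) return 0;
    return -1;
}

/* Return the configured mode only if it verifies the server, else NULL.
 * With require_hostname_check set, verify-ca is rejected as well. */
const char *checked_sslmode(const char *configured, int require_hostname_check)
{
    int strength = sslmode_strength(configured);

    if (strength < 1) return NULL;
    if (require_hostname_check && strength < 2) return NULL;
    return configured;
}

#ifdef HAVE_EDBOCI
/* Set EDB_ATTR_SSL on the session handle, failing closed on a weak mode. */
sword set_session_ssl(OCISession *authp, OCIError *errhp, const char *configured)
{
    const char *mode = checked_sslmode(configured, 1);

    if (mode == NULL) return OCI_ERROR;   /* do not continue to OCILogon */
    return OCIAttrSet((dvoid *)authp, (ub4)OCI_HTYPE_SESSION, (dvoid *)mode,
                      (ub4)strlen(mode), (ub4)EDB_ATTR_SSL, errhp);
}
#endif
```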

For more information about the supported SSL mode options, please see:

https://www.postgresql.org/docs/12/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS