SSL connection for PostgreSQL communication

The SSL connection configuration is possible thanks to the support made by PostgreSQL. For reference: https://www.postgresql.org/docs/14/ssl-tcp.html

MetaDefender Core is tested against this mode on particular version 4.21.1

Step 1: Generate SSL certificate for PostgreSQL server

Following instructions are for self-sign certificate. For production environment, making sure to use the certificate signed by your trusted CA.

1) Generate a private key

Bash
    
 
openssl genrsa -aes256 -out server.key 2048
Copy

Sample output:

Bash
    
 
Generating RSA private key, 1024 bit long modulus ........++++++................++++++e is 65537 (0x10001)Enter pass phrase for server.key:Verifying - Enter pass phrase for server.key:
Copy

Type your desired password / pass phrase to encrypt the private key

2) Remove the pass phrase to automatically start up the PostgreSQL server

Bash
    
 
openssl rsa -in server.key -out server.key
Copy

On Linux, make sure to set permission on the server.key file

Bash
    
 
chmod og-rwx server.key
Copy

3) Create a self-signed certificate

Bash
    
 
openssl req -new -key server.key -days 3650 -out server.crt -x509
Copy

You will be prompted to enter detailed information which is incorporated into your self-signed certificate request.

For self-signed certificate, use the server ceriticate as the trusted root certificate:

Bash
    
 
cp server.crt root.crt
Copy

Copy server.key, server.crt, root.crt to PostgreSQL data folder. For bundled local MetaDefender Core's PostgreSQL:

Windows: <Installation folder>\data\pg_data\
Linux: /var/lib/ometascan/pg_data/

Step 2: Configure PostgreSQL server for SSL authentication connection

1) Create a custom config file (e.g. ssl.conf) for PostgreSQL.

For bundled local MetaDefender Core's PostgreSQL:

Windows: <Installation folder>\postgres\ssl.conf
Linux: /usr/lib/ometascan/postgres/ssl.conf

2) Content of ssl.conf:

3) Modify pg_hba.conf

For bundled local MetaDefender Core's PostgreSQL:

Windows: <Installation folder>\data\pg_data\pg_hba.conf
Linux: /var/lib/ometascan/pg_data/pg_hba.conf

Add following (modify ::1/128 if needed to match with your environment requirement)

After the modify, the content of pg_hba.conf should be like this (example):

In a Linux environment, a local and host connection is required to upgrade from version 5.5.1 or earlier to version 5.6.0 or later.

4) Reload the services

Standalone DB mode: Restart ometascan service (MetaDefender Core service)
Shared DB mode: Restart ometascan-pg/ometascan-postgresql service (MetaDefender Core PostgreSQL service) and then ometascan service (MetaDefender Core service)

Test your SSL database connection:

Bash
    
 
psql.exe "sslmode=require dbname=postgres user=postgres host=localhost port=5432"Password for user postgres:psql (12.7)WARNING: Console code page (437) differs from Windows code page (1252)         8-bit characters might not work correctly. See psql reference         page "Notes for Windows users" for details.SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)Type "help" for help.
Copy

This message indicate that you are now using SSL connection:

Bash
    
 
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Copy

Last updated on

Was this page helpful?