SSL connection for PostgreSQL communication
SSL connections are configured through the SSL support built into PostgreSQL. For reference: https://www.postgresql.org/docs/14/ssl-tcp.html
MetaDefender Core has been tested in this mode on version 4.21.1.
Step 1: Generate SSL certificate for PostgreSQL server
The following instructions produce a self-signed certificate. In a production environment, make sure to use a certificate signed by your trusted CA.
1) Generate a private key
openssl genrsa -aes256 -out server.key 2048
Sample output:
Generating RSA private key, 1024 bit long modulus
........++++++................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Type your desired password / pass phrase to encrypt the private key.
2) Remove the pass phrase so that the PostgreSQL server can start without prompting for it
openssl rsa -in server.key -out server.key
On Linux, make sure to restrict the permissions on the server.key file:
chmod og-rwx server.key
3) Create a self-signed certificate
openssl req -new -key server.key -days 3650 -out server.crt -x509
You will be prompted for the details that are incorporated into your self-signed certificate.
For a self-signed certificate, use the server certificate as the trusted root certificate:
cp server.crt root.crt
Copy server.key, server.crt and root.crt to the PostgreSQL data folder. For the PostgreSQL instance bundled with MetaDefender Core:
- Windows: <Installation folder>\data\pg_data\
- Linux: /var/lib/ometascan/pg_data/
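The same Step 1 procedure as a non-interactive script, followed by the checks worth running before the files are copied into pg_data. This is an added example, not an OPSWAT script; the target directory is an argument, and the CN "localhost" and the 3650-day validity are assumptions.

```shell
make_pg_ssl_material() {
    dir="$1"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Key with no pass phrase, so the server can start unattended; the
        # page encrypts it first (-aes256) and strips the pass phrase afterwards.
        openssl genrsa -out server.key 2048 2>/dev/null
        # Self-signed certificate; -subj replaces the interactive prompts.
        openssl req -new -x509 -key server.key -days 3650 -out server.crt \
            -subj "/CN=localhost" 2>/dev/null
        # For a self-signed certificate the server certificate is the trusted root.
        cp server.crt root.crt
        # PostgreSQL refuses to start with a group- or world-readable key.
        chmod og-rwx server.key
    )
}

# Sanity checks before copying the files into pg_data. Prints "ok" and returns 0
# when everything passes; otherwise names the failing check and returns 1.
check_pg_ssl_material() {
    dir="$1"
    # 1. key must be readable by its owner only (-rw-------)
    perms=$(ls -l "$dir/server.key" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "bad key permissions: $perms"; return 1; }
    # 2. certificate must chain to root.crt (here: to itself)
    openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1 ||
        { echo "server.crt does not verify against root.crt"; return 1; }
    # 3. certificate and key must belong together (same RSA modulus)
    cm=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    km=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ "$cm" = "$km" ] || { echo "server.crt and server.key do not match"; return 1; }
    # 4. certificate must not already be expired
    openssl x509 -checkend 0 -noout -in "$dir/server.crt" >/dev/null 2>&1 ||
        { echo "server.crt has expired"; return 1; }
    echo ok
}
```

Run `make_pg_ssl_material /tmp/pgssl && check_pg_ssl_material /tmp/pgssl`; a stale key or a cert regenerated without its key shows up here rather than as a failed service start.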
Step 2: Configure the PostgreSQL server for SSL connections
1) Create a custom config file (e.g. ssl.conf) for PostgreSQL.
For bundled local MetaDefender Core's PostgreSQL:
- Windows: <Installation folder>\postgres\ssl.conf
- Linux: /usr/lib/ometascan/postgres/ssl.conf
2) Content of ssl.conf:
3) Modify pg_hba.conf
For bundled local MetaDefender Core's PostgreSQL:
- Windows: <Installation folder>\data\pg_data\pg_hba.conf
- Linux: /var/lib/ometascan/pg_data/pg_hba.conf
Add the following (change ::1/128 if needed to match your environment):
After the change, the content of pg_hba.conf should look like this (example):
In a Linux environment, a local and host connection is required to upgrade from version 5.5.1 or earlier to version 5.6.0 or later.
4) Reload the services
- Standalone DB mode: Restart ometascanservice (MetaDefender Core service)
- Shared DB mode: Restart the ometascan-pg/ometascan-postgresql service (MetaDefender Core PostgreSQL service) and then the ometascan service (MetaDefender Core service)
Test your SSL database connection:
psql.exe "sslmode=require dbname=postgres user=postgres host=localhost port=5432"
Password for user postgres:
psql (12.7)
WARNING: Console code page (437) differs from Windows code page (1252)
         8-bit characters might not work correctly. See psql reference
         page "Notes for Windows users" for details.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
This line indicates that you are now using an SSL connection:
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)