SSL connection for PostgreSQL communication
SSL connections are configured using PostgreSQL's built-in SSL support. For reference: https://www.postgresql.org/docs/13/ssl-tcp.html
MetaDefender Core has been tested with this mode on version 4.21.1.
Generate SSL certificate for PostgreSQL server
The following instructions produce a self-signed certificate. In a production environment, make sure to use a certificate signed by your trusted CA.
- Generate a private key
openssl genrsa -des3 -out server.key 1024
Sample output:
Generating RSA private key, 1024 bit long modulus
........++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Type your desired password / pass phrase to encrypt the private key.
- Remove the pass phrase so that the PostgreSQL server can start automatically
openssl rsa -in server.key -out server.key
On Linux, make sure to set the permissions on the server.key file:
chmod og-rwx server.key
- Create a self-signed certificate
openssl req -new -key server.key -days 3650 -out server.crt -x509
You will be prompted to enter the detailed information that is incorporated into your self-signed certificate.
For a self-signed certificate, use the server certificate as the trusted root certificate:
cp server.crt root.crt
Copy server.key, server.crt and root.crt to the PostgreSQL data folder. For the bundled local MetaDefender Core PostgreSQL:
- Windows:
<Installation folder>\data\pg_data\
- Linux:
/var/lib/ometascan/pg_data/
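The certificate steps above, collected into one script as an added example (this is not part of the MetaDefender Core documentation). It assumes a 2048-bit key instead of the 1024 bits shown above, writes the key without a pass phrase from the start (the page removes it anyway so the server can start unattended), and uses a placeholder hostname for the certificate subject. The two check functions verify what a practitioner wants to know before copying the files into pg_data: that server.crt really belongs to server.key, and that server.key is not readable by group or others (PostgreSQL refuses to start with a key that is).

```shell
#!/bin/sh
# Added example, not the documentation's own commands.
# Assumptions: 2048-bit RSA key (the page shows 1024), no pass phrase, and a
# placeholder CN; replace the CN with the name clients will use for the server.

# gen_server_cert DIR [CN]: writes server.key, server.crt and root.crt into DIR.
gen_server_cert() {
    dir=$1
    cn=${2:-postgres.example.internal}   # placeholder hostname
    mkdir -p "$dir" || return 1
    # Private key without a pass phrase (same result as genrsa -des3 followed by "openssl rsa").
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # Only the owner may read the key (the page's "chmod og-rwx server.key").
    chmod og-rwx "$dir/server.key" || return 1
    # Self-signed certificate valid for 10 years; -subj answers the prompts non-interactively.
    openssl req -new -x509 -key "$dir/server.key" -days 3650 \
        -subj "/CN=$cn" -out "$dir/server.crt" 2>/dev/null || return 1
    # For a self-signed setup the server certificate is also the trust anchor.
    cp "$dir/server.crt" "$dir/root.crt"
}

# cert_matches_key DIR: returns 0 when server.crt carries the public key of server.key.
cert_matches_key() {
    dir=$1
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private DIR: returns 0 when server.key has no group/other permission bits.
key_is_private() {
    mode=$(stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key" 2>/dev/null)
    case $mode in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# Stand-alone demonstration: build and verify a set in a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    if gen_server_cert "$out" && cert_matches_key "$out" && key_is_private "$out"; then
        echo "server.key / server.crt / root.crt written to $out"
    fi
fi
```

root.crt is the file clients use to verify the server: passing it as sslrootcert with sslmode=verify-ca or verify-full checks the server's certificate, whereas sslmode=require (used in the psql test at the end of this page) only encrypts the connection without verifying who is on the other end.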
Configure PostgreSQL server for SSL authentication connection
Create a custom config file (e.g. ssl.conf) for PostgreSQL. For the bundled local MetaDefender Core PostgreSQL:
- Windows:
<Installation folder>\postgres\ssl.conf
- Linux:
/var/lib/ometascan/postgres/ssl.conf
Content of ssl.conf:
- Modify pg_hba.conf
For the bundled local MetaDefender Core PostgreSQL:
- Windows:
<Installation folder>\data\pg_data\pg_hba.conf
- Linux:
/var/lib/ometascan/pg_data/pg_hba.conf
Add the following (modify ::1/128 if needed to match your environment's requirements):
After the modification, the content of ssl.conf should look like this (example):
Comment out all lines starting with "host" (the plain, non-SSL entries, as opposed to "hostssl") if you only want SSL connections to your PostgreSQL.
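The ssl.conf and pg_hba.conf steps above, as an added example that is not the documentation's own configuration content. It renders the four PostgreSQL parameters that point the server at the generated server.crt, server.key and root.crt (these parameter names are PostgreSQL's documented ones), and audits a pg_hba.conf for entries that still accept non-SSL TCP connections, which is the check behind the advice to comment out the plain "host" lines. The sample pg_hba.conf is constructed for the demonstration; the address, database and user values are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own ssl.conf or pg_hba.conf.

# render_ssl_conf: the settings PostgreSQL needs to serve TLS with the files
# generated earlier. ssl_ca_file is what root.crt is used for on the server
# side (verifying client certificates); it is harmless when unused.
render_ssl_conf() {
    cat <<'EOF'
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
EOF
}

# nonssl_hba_entries FILE: prints every active entry whose type is plain "host"
# (SSL optional) or "hostnossl" (SSL refused). "hostssl" and "local" are left alone.
nonssl_hba_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "host" || $1 == "hostnossl" { print }
    ' "$1"
}

# ssl_only_hba FILE: returns 0 when FILE has no active non-SSL TCP entries.
ssl_only_hba() {
    [ -z "$(nonssl_hba_entries "$1")" ]
}

# count_hba_type FILE TYPE: number of active entries of the given type (e.g. hostssl).
count_hba_type() {
    awk -v t="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == t { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample (not a real installation's file): the state after adding an
# SSL-only entry for ::1/128 while the default "host" entries are still present.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER      ADDRESS       METHOD
local   all       all                     md5
hostssl all       all       ::1/128       md5
host    all       all       127.0.0.1/32  md5
host    all       all       ::1/128       md5
EOF
}

# Stand-alone demonstration.
tmp=$(mktemp)
sample_pg_hba > "$tmp"
echo "ssl.conf:"; render_ssl_conf
echo "pg_hba.conf entries still accepting non-SSL connections:"; nonssl_hba_entries "$tmp"
rm -f "$tmp"
```

Run the audit again after editing pg_hba.conf and restarting the service: an empty result from nonssl_hba_entries means only hostssl (and local socket) entries remain active, which is the SSL-only state the page describes.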
- Reload the services
- Standalone DB mode: Restart the ometascan service (MetaDefender Core service)
- Shared DB mode: Restart the ometascan-pg/ometascan-postgresql service (MetaDefender Core PostgreSQL service) and then the ometascan service (MetaDefender Core service)
Test your SSL database connection:
psql.exe "sslmode=require dbname=postgres user=postgres host=localhost port=5432"
Password for user postgres:
psql (12.7)
WARNING: Console code page (437) differs from Windows code page (1252)
        8-bit characters might not work correctly. See psql reference
        page "Notes for Windows users" for details.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
This message indicates that you are now using an SSL connection:
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)