Windows Deployments
This page describes in detail how you can achieve the following tasks:
- Use an external PostgreSQL server instead of the built-in database
- Configure HTTPS communication for the web server
Use an external database
Production deployments of MetaDefender Storage Security should ensure high availability and/or load-balancing at the database level by using an external PostgreSQL (or any compatible service) instead of the built-in database that is included with the basic installation.
We recommend using a version of PostgreSQL that is the same as the built-in database version from the requirements page.
How to setup an external PostgreSQL in MetaDefender Storage Security
These steps should be performed immediately after the installation (before completing the onboarding or any other UI configuration) because any existing data will be lost.
- Ensure that your external PostgreSQL is properly configured and ready to accept remote connections
Note: it is recommended to setup access control for your external database as well as taking the necessary network security measures to ensure that only the server running MetaDefender Storage Security can access the database.
- Locate the configuration file
customer.envcreated by the installer (by default it is located at C:\Program Files\OPSWAT\MetaDefender Storage Security\config) - Add the following configuration line:
- Please check the connection string documentation for more information. Make sure you add "mdss" as the target database as shown in the example above.
- Save the file.
- Reinstall the internal components by running the following PowerShell command
- Continue to the onboarding process.
PostgreSQL SSL Configuration
To enable SSL/TLS certificate validation for the PostgreSQL connection, update the POSTGRESQL_URL variable in the customer.env file.
File Location
By default, the customer.env file is located at:
C:\Program Files\OPSWAT\MetaDefender Storage Security\config
The installer creates this file automatically.
Configuring POSTGRESQL_URL
The POSTGRESQL_URL variable can include additional parameters for SSL/TLS. By default SSL Mode is set to "prefer".
POSTGRESQL_URL=Host=postgres;Port=5432;Username=user;Password=password;Database=dbName;SSL Mode=VerifyFull;Root Certificate=<path to root CA certificate>SSL Mode Options
• prefer (default): Attempts to connect using SSL. If SSL fails, falls back to unencrypted. No certificate validation.
• require: Requires SSL encryption. Certificate validation is skipped — allows self-signed, expired, or otherwise invalid certifications.
• verify-full: Requires SSL and performs full certificate validation, including hostname match and trusted CA.
Important Notes
• If certificate validation is required, use verify-full and provide a valid CA-signed certificate via the Root Certificate parameter.
• If using a self-signed or otherwise invalid certificate, use require, which skips validation but still encrypts the connection.
• The Root Certificate must point to the CA file if using verify-ca or verify-full.
How to modify it
Set the parameter in your customer.env file. Please find here more details on how to update the configuration file.
PostgreSQL advanced setup
For special use cases you may need to backup your database or restore it. MetaDefender Storage Security allows you to do this by using the following commands
Running this command will create a dump file in the install directory. This file can be use afterwards as a restore file using the import command:
The import_db utility will use the latest file as restore point
Configure HTTPS communication for the web server
Production deployments should ensure that any HTTP traffic between clients (browsers or other API client) and MetaDefender Storage Security is encrypted using HTTPS.
Click here for detailed instructions on how to setup a certificate for NGINX web server.