Comments:
1. Certificate generation: if you have other methods to generate the certificates, use them.
2. The instructions below include a made-up domain (colored in green in the original article). You can and should use domains relevant to you, with one exception (colored in red in the original): that value must be the PostgreSQL DB user name. I used postgres, but it depends on your PostgreSQL DB user name.
3. The directories in this instruction set may vary with the specific DB version, Java version, Tomcat version and installation locations. Adapt these instructions to your specific environment.
Procedure:
On the postgresql server:
- sudo -i
- cd /var/lib/postgresql/9.6/main
- openssl genrsa -des3 -out server.key 1024
- openssl rsa -in server.key -out server.key   (rewrites the key without its passphrase so the server can start unattended)
- chmod 400 server.key
- chown postgres:postgres server.key
- openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=thebrain.ca/emailAddress=info@thebrain.ca'
- cp server.crt root.crt   (the self-signed server certificate also serves as the CA that signs the client certificate)
Edit the file /etc/postgresql/9.6/main/pg_hba.conf as follows:

    # TYPE    DATABASE  USER      CIDR-ADDRESS    METHOD
    # "local" is for Unix domain socket connections only
    local     all       all                       trust
    # IPv4 local connections:
    hostssl   all       postgres  127.0.0.1/32    md5 clientcert=1
    # IPv4 remote connections for authenticated users
    hostssl   all       postgres  0.0.0.0/0       md5 clientcert=1

The 127.0.0.1/32 line is relevant only if the manager is local; otherwise keep that line as it was.
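The point of the pg_hba.conf entries above is that every TCP record is hostssl and carries clientcert=1, so a client without a certificate signed by root.crt cannot even reach password authentication. The following audit script is an added example, not part of the original article: it parses pg_hba.conf records (CIDR or address/netmask form) and reports any network record that allows plaintext, uses trust, or does not require a client certificate. The sample file is constructed from the article's entries plus two deliberately weak lines for contrast.

```python
"""Audit a pg_hba.conf for the properties the procedure relies on.
Added example (not the article's own code)."""
import ipaddress
from typing import List

# Constructed sample: the article's entries as written.
ARTICLE_ENTRIES = """\
# TYPE    DATABASE  USER      CIDR-ADDRESS    METHOD
local     all       all                       trust
hostssl   all       postgres  127.0.0.1/32    md5 clientcert=1
hostssl   all       postgres  0.0.0.0/0       md5 clientcert=1
"""

# Constructed sample: the same file with two weak records appended.
WEAK_SAMPLE = ARTICLE_ENTRIES + """\
host      all       all       10.0.0.0/8      md5
hostnossl all       all       0.0.0.0/0       trust
"""

# clientcert=1 is the spelling used in the article; newer servers also accept
# the verify-ca / verify-full spellings, so treat all three as "required".
CLIENTCERT_REQUIRED = {"clientcert=1", "clientcert=verify-ca", "clientcert=verify-full"}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_pg_hba(text: str) -> List[dict]:
    """Return one dict per record: type, database, user, address, method, opts."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        rtype = fields[0]
        if rtype == "local":
            if len(fields) < 4:
                continue
            addr, rest = None, fields[3:]
        else:
            if len(fields) < 5:
                continue
            addr, rest = fields[3], fields[4:]
            # pg_hba also allows 'address netmask' as two fields; fold into CIDR form
            if rest and _is_ip(rest[0]):
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            if not rest:
                continue
        records.append({"line": lineno, "type": rtype, "database": fields[1],
                        "user": fields[2], "address": addr,
                        "method": rest[0], "opts": rest[1:]})
    return records


def audit_pg_hba(text: str) -> List[str]:
    """Findings for every network record that weakens the TLS + client-cert setup."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec["type"] == "local":
            continue                              # Unix sockets are outside the TLS setup
        where = f"line {rec['line']} ({rec['type']} {rec['address']})"
        if rec["type"] != "hostssl":
            findings.append(f"{where}: record type allows non-TLS connections; use hostssl")
        if rec["method"] == "trust":
            findings.append(f"{where}: 'trust' on a network record skips authentication")
        if not CLIENTCERT_REQUIRED.intersection(rec["opts"]):
            findings.append(f"{where}: no clientcert option, client certificate not required")
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(WEAK_SAMPLE):
        print(finding)
```

Run it against the real file with `audit_pg_hba(open("/etc/postgresql/9.6/main/pg_hba.conf").read())`; an empty result means every TCP record matches the shape the article prescribes.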
Edit the file /etc/postgresql/9.6/main/postgresql.conf as follows:
1. Uncomment ssl = on (make sure this key is active).
2. Edit the below entries as follows:
    ssl_cert_file = '/var/lib/postgresql/9.6/main/server.crt'
    ssl_key_file = '/var/lib/postgresql/9.6/main/server.key'
    ssl_ca_file = '/var/lib/postgresql/9.6/main/root.crt'
3. Uncomment the key ssl_renegotiation_limit = 0 (make sure this key is active).
4. Edit the entry listen_addresses to be as follows: listen_addresses = '*'
Then restart the server:
- /etc/init.d/postgresql restart
On the manager server:
- sudo -i
- openssl genrsa -des3 -out /tmp/postgresql.key 1024
- openssl rsa -in /tmp/postgresql.key -out /tmp/postgresql.key   (removes the passphrase from the client key)
- openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr -subj '/C=CA/ST=British Columbia/L=Comox/O=TheBrain.ca/CN=postgres'   (the CN is the PostgreSQL DB user name; see comment 2 above)
- openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial   (signs the client certificate with the server's root.crt/server.key)
- openssl x509 -in server.crt -out server.crt.der -outform der
- keytool -keystore /opt/jdk/jdk1.8.0_191/jre/lib/security/cacerts -alias postgresql -import -file server.crt.der
- chown user:user postgresql.key   (relevant only if the Manager runs as a user other than root; otherwise there is no need to execute this command)
- chmod 600 postgresql.key
Create a directory under /var/cache/intigua/ called .postgresql and place there the following files: postgresql.key, postgresql.crt, root.crt (taken/FTP'd from the postgresql server).
- openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt   (the JDBC driver reads the client key in DER PKCS#8 form)
- You can then delete the file postgresql.key or rename it to postgresql.key_old using the Linux 'mv' command.
Edit intigua.properties (usually under the /usr/share/tomcat/apache-tomcat-7.0.32/conf/ directory) as follows:

    db.url=jdbc:postgresql://IP_ADDRESS:5432/jetpatch?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=require
    db.password=THE PASSWORD YOU GAVE
    db.username=postgres
Comments on the connection string:
1. The example uses jetpatch as the DB name, but it should be your DB name (e.g. intiguadb).
2. In this example the sslmode is 'require'. It can also be 'verify-full', but in that case the certificates must also be prepared to verify the host name.
- Stop and start Tomcat.
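Comment 2 above is the security-relevant choice in the whole procedure: sslmode=require encrypts the session but accepts any server certificate, so only verify-ca checks the chain against root.crt and only verify-full also checks the host name. The following helper is an added example, not part of the original article or the product: it parses a PostgreSQL JDBC URL of the form used in intigua.properties and reports which guarantees the chosen sslmode gives. IP_ADDRESS is kept as the article's placeholder; the sslmode table follows libpq/pgjdbc semantics.

```python
"""Classify the TLS guarantees of a PostgreSQL JDBC URL by its sslmode.
Added example (not the article's own code)."""
from urllib.parse import urlsplit, parse_qs

# The article's db.url, with IP_ADDRESS left as a placeholder.
ARTICLE_URL = ("jdbc:postgresql://IP_ADDRESS:5432/jetpatch?ssl=true"
               "&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=require")

# sslmode -> (connection encrypted, server cert chained to root.crt, host name checked)
SSLMODE_GUARANTEES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),   # TLS only if the server insists
    "prefer":      (False, False, False),   # silently falls back to plaintext
    "require":     (True,  False, False),   # encrypts, trusts any certificate
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}


def check_db_url(url: str) -> dict:
    """Parse a jdbc:postgresql:// URL and describe what its sslmode verifies."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])          # strip the jdbc: prefix so urlsplit sees the scheme
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    sslmode = params.get("sslmode")
    encrypted, ca_verified, host_verified = SSLMODE_GUARANTEES.get(sslmode, (False, False, False))
    findings = []
    if sslmode is None:
        findings.append("sslmode not set explicitly; set it so the guarantee is unambiguous")
    elif sslmode not in SSLMODE_GUARANTEES:
        findings.append(f"unrecognized sslmode '{sslmode}'")
    elif not encrypted:
        findings.append(f"sslmode={sslmode} may fall back to a plaintext connection")
    elif not ca_verified:
        findings.append("sslmode=require encrypts but accepts any server certificate; "
                        "use verify-ca or verify-full with root.crt to stop impersonation")
    elif not host_verified:
        findings.append("sslmode=verify-ca does not check the host name; "
                        "use verify-full once the server certificate matches the host")
    return {
        "host": parts.netloc,
        "database": parts.path.lstrip("/"),
        "sslmode": sslmode,
        "sslfactory": params.get("sslfactory"),
        "encrypted": encrypted,
        "ca_verified": ca_verified,
        "hostname_verified": host_verified,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in check_db_url(ARTICLE_URL).items():
        print(f"{key}: {value}")
```

Paste the db.url value from intigua.properties into check_db_url to see which of the three guarantees the current setting actually provides; an empty findings list means verify-full is in effect.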