Configuring SSL authentication on a Failover Manager cluster v4

Suggest edits

You can enable SSL authentication for Failover Manager. All connecting clients are required to use SSL authentication when connecting to any database server in the cluster. You must modify the connection methods currently used by existing clients.

To enable SSL on a Failover Manager cluster:

  1. Place a server.crt and server.key file in the data directory under your EDB Postgres Advanced Server installation. You can purchase a certificate signed by an authority or create your own self-signed certificate. For information about creating a self-signed certificate, see the PostgreSQL core documentation.

  2. Modify the postgresql.conf file on each database in the Failover Manager cluster, enabling SSL:

    ssl=on

    After modifying the postgresql.conf file, you must restart the server.

  3. Modify the pg_hba.conf file on each node of the Failover Manager cluster, adding the following line to the beginning of the file:

    hostnossl all all all reject

    The line instructs the server to reject any connections that aren't using SSL authentication. This enforces SSL authentication for any connecting clients. For information about modifying the pg_hba.conf file, see the PostgreSQL core documentation.

  4. After placing the server.crt and server.key files in the data directory, convert the certificate to a form that Java understands; you can use the command:

    openssl x509 -in server.crt -out server.crt.der -outform der

    For more information, see the Postgres JDBC documentation.

  5. Add the certificate to the Java trusted certificates file:

    keytool -keystore $JAVA_HOME/lib/security/cacerts -alias <alias_name> -import -file server.crt.der

    Where:

    $JAVA_HOME is the home directory of your Java installation.

    alias_name can be any string but must be unique for each certificate.

    You can use the keytool command to review a list of the available certificates or retrieve information about a specific certificate. For more information about using the keytool command, enter:

    man keytool

    The certificate from each database server must be imported into the trusted certificates file of each agent. The location of the cacerts file can vary on each system. For more information, see the Postgres JDBC documentation.

  6. Modify the efm.properties file on each node in the cluster, setting the jdbc.sslmode property.