5.5. Configuring the PostgreSQL Database to use SSL
Satellite initially connects to the PostgreSQL database over an unencrypted connection. However, you can set up the database connection to use SSL. An SSL connection encrypts the communication between the Satellite server and the database, which is advantageous if you are using a Managed or External database over a wide area network.
Setting up SSL database communication requires two main pieces of configuration. First, the database server must be configured to accept SSL connections. Second, the Satellite server must be configured to send database requests over SSL. The following procedures show how to set up each server.
For this procedure you need the following SSL certificate files:
- server.crt: Signed certificate
- server.key: Private key for the certificate
- root-ca.cert: Certificate of the root CA that signed the certificate
It is also recommended to stop all Satellite services before configuring the database to use SSL:
[root@satellite ~]# spacewalk-service stop
Procedure 5.1. Configuring SSL on the database server
- Log in to the database server as root.
- Copy your signed certificate and private key to the required locations on the database server:
  [root@database ~]# cp server.{key,crt} /opt/rh/postgresql92/root/var/lib/pgsql/data/.
  [root@database ~]# chown postgres:postgres /opt/rh/postgresql92/root/var/lib/pgsql/data/server.{key,crt}
  [root@database ~]# chmod 0400 /opt/rh/postgresql92/root/var/lib/pgsql/data/server.key
- Edit the postgresql.conf file and add the following option:
  ssl=on
- Edit the pg_hba.conf file. This file is a permissions file for restricting access to the database. Look for a line similar to the following:
  host mydb mydbuser 192.168.122.0/24 md5
  This line should contain your database name, database user, and the IP address or range that is allowed to connect. Change the host option to hostssl:
  hostssl mydb mydbuser 192.168.122.0/24 md5
  This changes the incoming communication protocol to use SSL and refuses any unencrypted PostgreSQL connections.
- Restart the postgresql service so the changes take effect:
  [root@database ~]# service postgresql92-postgresql restart
The database server now only accepts connections from clients using SSL. The next procedure sets up the Satellite server to communicate with the database using SSL.
Procedure 5.2. Configuring SSL on the Satellite server
- Log in to the Satellite server as root.
- Copy your root-ca.cert certificate to the following location:
  [root@satellite ~]# cp root-ca.cert /etc/rhn/postgresql-db-root-ca.cert
- Edit the /etc/rhn/rhn.conf file and add the following option:
  db_ssl_enabled = 1
- Add the certificate to Satellite's Java web server keystore:
  [root@satellite ~]# openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der
  [root@satellite ~]# keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der
  [root@satellite ~]# rm server.der
  Important
  The /etc/rhn/javatruststore.jks keystore requires a password for any modifications. Change this password if necessary using the following command:
  [root@satellite ~]# keytool -storepasswd -keystore /etc/rhn/javatruststore.jks
- Restore the SELinux context of the new certificate files:
  [root@satellite ~]# restorecon -R -F -v /etc/rhn/
- Start the Satellite services:
  [root@satellite ~]# spacewalk-service start
The Satellite server now communicates with the database server using SSL.
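As an added example that is not part of the Red Hat documentation, the following POSIX shell script audits the three files edited in Procedures 5.1 and 5.2 (postgresql.conf, pg_hba.conf and rhn.conf) for leftover plaintext settings before you rely on the SSL-only configuration. PostgreSQL applies the first matching pg_hba.conf rule, so a plain host rule left beside the new hostssl rule for the same database and address range would still admit unencrypted clients; the script lists any such rule. All file paths and file contents in the block are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat Satellite documentation: audit the
# configuration files from Procedures 5.1 and 5.2 for leftover plaintext
# settings. Paths and file contents below are constructed for the demo.

# postgresql.conf: succeed only if an active (uncommented) "ssl = on" is set.
pg_ssl_enabled() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*on([[:space:]]|#|$)' "$1"
}

# pg_hba.conf: print every active rule that still admits non-SSL TCP clients
# ("host" accepts both, "hostnossl" accepts only plaintext); "hostssl" rules
# are SSL-only. Succeeds when no plaintext rule remains, fails otherwise.
pg_hba_plaintext_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "host" || $1 == "hostnossl" { print; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# rhn.conf: succeed only if "db_ssl_enabled = 1" is set.
rhn_db_ssl_enabled() {
    grep -Eq '^[[:space:]]*db_ssl_enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run all three checks, print a verdict per file, and return the number of
# failed checks (0 means the files are consistent with SSL-only access).
audit_ssl_config() {
    pgconf=$1; hba=$2; rhnconf=$3; failures=0
    if pg_ssl_enabled "$pgconf"; then
        echo "OK   ssl=on in $pgconf"
    else
        echo "FAIL ssl=on missing in $pgconf"; failures=$((failures + 1))
    fi
    if plain=$(pg_hba_plaintext_rules "$hba"); then
        echo "OK   no plaintext rules in $hba"
    else
        echo "FAIL plaintext rules still active in $hba:"
        echo "$plain" | sed 's/^/     /'
        failures=$((failures + 1))
    fi
    if rhn_db_ssl_enabled "$rhnconf"; then
        echo "OK   db_ssl_enabled = 1 in $rhnconf"
    else
        echo "FAIL db_ssl_enabled = 1 missing in $rhnconf"; failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample files showing a half-finished migration: ssl is on and
# rhn.conf is set, but the old "host" rule for mydb was left beside hostssl.
tmp=$(mktemp -d)
printf 'ssl = on\nport = 5432\n' > "$tmp/postgresql.conf"
printf '# TYPE DATABASE USER ADDRESS METHOD\nlocal all all peer\n' > "$tmp/pg_hba.conf"
printf 'hostssl mydb mydbuser 192.168.122.0/24 md5\n' >> "$tmp/pg_hba.conf"
printf 'host mydb mydbuser 192.168.122.0/24 md5\n' >> "$tmp/pg_hba.conf"
printf 'db_backend = postgresql\ndb_ssl_enabled = 1\n' > "$tmp/rhn.conf"
if audit_ssl_config "$tmp/postgresql.conf" "$tmp/pg_hba.conf" "$tmp/rhn.conf"; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
rm -rf "$tmp"
```

Point audit_ssl_config at the real files once both procedures are complete: the postgresql.conf and pg_hba.conf under the PostgreSQL data directory on the database server, and /etc/rhn/rhn.conf on the Satellite server. The sample run reports one failure, the leftover host rule, which is exactly the condition that silently keeps an unencrypted path open after ssl=on has been set.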