Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

4.3. Configuring the PostgreSQL Database to use SSL

By default, Satellite connects to the PostgreSQL database through an unencrypted communication. However, you can set up your database connection to use SSL. An SSL connection encrypts communication between the Satellite and the database, which is an advantage if using a Managed or External database over a wide area network.
To enable SSL communication between the Satellite Server and PosgreSQL database server, complete the following procedures:
Prequisites

To enable SSL communication between the Satellite Server and PosgreSQL database server, you require the following. Consult your preferred Certificate Authority's documentation for instructions on how to create these files.

  • An SSL certificate for the Satellite Server, signed by a Certificate Authority. In the following procedures, the example filename is server.crt.
  • The private key with which you signed the certificate. In the following procedures, the example filename is server.key.
  • The Certificate Authority's certificate with which the certificate was signed. In the following procedures, the example filename is root-ca.cert.
Stop all Satellite services before configuring the database to use SSL.
Copy to Clipboard Toggle word wrap 
[root@satellite ~]# spacewalk-service stop

Procedure 4.1. Configuring SSL on the database server

  1. Login to the database server as root.
  2. Copy your signed certificate and private key to the required locations on the database server:
    Copy to Clipboard Toggle word wrap 
    [root@database~]# cp server.{key,crt} /var/opt/rh/rh-postgresql95/lib/pgsql/data/.
[root@database~]# chown postgres:postgres /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.{key,crt}
[root@database~]# chmod 0400 /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.key
  3. Edit the postgresql.conf file and add the following option:
    Copy to Clipboard Toggle word wrap 
    ssl=on
  4. Edit the pg_hba.conf file. This file is a permissions file for restricting access to the database. Look for a line similar to the following:
    Copy to Clipboard Toggle word wrap 
    host    mydb mydbuser 192.168.122.0/24 md5
    This line should contain your database name, database user, and IP address or range that allows connections. Change the host option to hostssl:
    Copy to Clipboard Toggle word wrap 
    hostssl mydb mydbuser 192.168.122.0/24 md5
    This changes the incoming communication protocol to use SSL and refuse any unencrypted PostgreSQL connections.
  5. Restart the rh-postgresql95-postgresql service so the changes take effect:
    Copy to Clipboard Toggle word wrap 
    [root@database~]# service rh-postgresql95-postgresql restart
The database server now only accepts connections from clients using SSL. The next procedure sets up the Satellite Server to communicate with the database using SSL.

Procedure 4.2. Configuring SSL on the Satellite Server

  1. Login to the Satellite Server as root.
  2. Copy your root-ca.cert certificate:
    Copy to Clipboard Toggle word wrap 
    [root@satellite ~]# cp root-ca.cert /etc/rhn/postgresql-db-root-ca.cert
  3. Edit the /etc/rhn/rhn.conf file and add the following option:
    Copy to Clipboard Toggle word wrap 
    db_ssl_enabled = 1
  4. Add the certificate to Satellite's Java web server keystore:
    Copy to Clipboard Toggle word wrap 
    [root@satellite ~]# openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der
[root@satellite ~]# keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der
[root@satellite ~]# rm server.der

    Important

    The /etc/rhn/javatruststore.jks requires a password for any modifications to the keystore. Change this password if necessary using the following command:
    Copy to Clipboard Toggle word wrap 
    [root@satellite ~]# keytool -storepasswd -keystore /etc/rhn/javatruststore.jks
  5. Restore the SELinux context of the new certificate files:
    Copy to Clipboard Toggle word wrap 
    [root@satellite ~]# restorecon -R -F -v /etc/rhn/
  6. Start the Satellite services:
    Copy to Clipboard Toggle word wrap 
    [root@satellite ~]# spacewalk-service start
The Satellite Server now communicates with the database server using SSL.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.