Inicio
Productos
Red Hat Satellite
5.8
Installation Guide
4.3. Configuring the PostgreSQL Database to use SSL

Este contenido no está disponible en el idioma seleccionado.

4.3. Configuring the PostgreSQL Database to use SSL

By default, Satellite connects to the PostgreSQL database through an unencrypted communication. However, you can set up your database connection to use SSL. An SSL connection encrypts communication between the Satellite and the database, which is an advantage if using a Managed or External database over a wide area network.

To enable SSL communication between the Satellite Server and PosgreSQL database server, complete the following procedures:

Prequisites

To enable SSL communication between the Satellite Server and PosgreSQL database server, you require the following. Consult your preferred Certificate Authority's documentation for instructions on how to create these files.

An SSL certificate for the Satellite Server, signed by a Certificate Authority. In the following procedures, the example filename is server.crt.
The private key with which you signed the certificate. In the following procedures, the example filename is server.key.
The Certificate Authority's certificate with which the certificate was signed. In the following procedures, the example filename is root-ca.cert.

Stop all Satellite services before configuring the database to use SSL.

spacewalk-service stop

[root@satellite ~]# spacewalk-service stop

Copy to Clipboard

Toggle word wrap

Procedure 4.1. Configuring SSL on the database server

Copy your signed certificate and private key to the required locations on the database server:

cp server.{key,crt} /var/opt/rh/rh-postgresql95/lib/pgsql/data/.
chown postgres:postgres /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.{key,crt}
chmod 0400 /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.key

[root@database~]# cp server.{key,crt} /var/opt/rh/rh-postgresql95/lib/pgsql/data/.
[root@database~]# chown postgres:postgres /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.{key,crt}
[root@database~]# chmod 0400 /var/opt/rh/rh-postgresql95/lib/pgsql/data/server.key

Copy to Clipboard

Toggle word wrap

Edit the postgresql.conf file and add the following option:
```
ssl=on
```
```
ssl=on
```
Copy to Clipboard Toggle word wrap
Edit the pg_hba.conf file. This file is a permissions file for restricting access to the database. Look for a line similar to the following:
```
host    mydb mydbuser 192.168.122.0/24 md5
```
```
host    mydb mydbuser 192.168.122.0/24 md5
```
Copy to Clipboard Toggle word wrap
This line should contain your database name, database user, and IP address or range that allows connections. Change the host option to hostssl:
```
hostssl mydb mydbuser 192.168.122.0/24 md5
```
```
hostssl mydb mydbuser 192.168.122.0/24 md5
```
Copy to Clipboard Toggle word wrap
This changes the incoming communication protocol to use SSL and refuse any unencrypted PostgreSQL connections.
Restart the rh-postgresql95-postgresql service so the changes take effect:
```
service rh-postgresql95-postgresql restart
```
```
[root@database~]# service rh-postgresql95-postgresql restart
```
Copy to Clipboard Toggle word wrap

The database server now only accepts connections from clients using SSL. The next procedure sets up the Satellite Server to communicate with the database using SSL.

Procedure 4.2. Configuring SSL on the Satellite Server

Copy your root-ca.cert certificate:

cp root-ca.cert /etc/rhn/postgresql-db-root-ca.cert

[root@satellite ~]# cp root-ca.cert /etc/rhn/postgresql-db-root-ca.cert

Copy to Clipboard

Toggle word wrap

Edit the /etc/rhn/rhn.conf file and add the following option:
```
db_ssl_enabled = 1
```
```
db_ssl_enabled = 1
```
Copy to Clipboard Toggle word wrap

Add the certificate to Satellite's Java web server keystore:

openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der
keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der
rm server.der

[root@satellite ~]# openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der
[root@satellite ~]# keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der
[root@satellite ~]# rm server.der

Copy to Clipboard

Toggle word wrap

Important

The /etc/rhn/javatruststore.jks requires a password for any modifications to the keystore. Change this password if necessary using the following command:

keytool -storepasswd -keystore /etc/rhn/javatruststore.jks

[root@satellite ~]# keytool -storepasswd -keystore /etc/rhn/javatruststore.jks

Copy to Clipboard

Toggle word wrap

Restore the SELinux context of the new certificate files:
```
restorecon -R -F -v /etc/rhn/
```
```
[root@satellite ~]# restorecon -R -F -v /etc/rhn/
```
Copy to Clipboard Toggle word wrap
Start the Satellite services:
```
spacewalk-service start
```
```
[root@satellite ~]# spacewalk-service start
```
Copy to Clipboard Toggle word wrap

The Satellite Server now communicates with the database server using SSL.

Volver arriba

Este contenido no está disponible en el idioma seleccionado.

4.3. Configuring the PostgreSQL Database to use SSL

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links