红帽全球峰会此内容没有您所选择的语言版本。
5.5. Configuring the PostgreSQL Database to use SSL
Satellite initially connects to the PostgreSQL database through an unencrypted communication. However, you can set up your database connection to use SSL. An SSL connection encrypts the communication between the Satellite and the database, which is advantageous if using a Managed or External database over a wide area network.
The process for setting up SSL database communication requires two main piece of configuration. First, the database server requires configuration to receive SSL connections. Second, the Satellite server requires configuration to send database requests over SSL. The following procedures show how to setup each server.
For this procedure you need the following SSL certificate files:
server.crt- Signed certificateserver.key- Private key for certificateroot-ca.cert- Certificate of root-ca that signed the certificate
It is also recommended to stop all Satellite services before configuring the database to use SSL:
spacewalk-service stop
[root@satellite ~]# spacewalk-service stop
Procedure 5.1. Configuring SSL on the database server
- Login to the database server as
root. - Copy your signed certificate and private key to the required locations on the database server:
cp server.{key,crt} /opt/rh/postgresql92/root/var/lib/pgsql/data/. chown postgres:postgres /opt/rh/postgresql92/root/var/lib/pgsql/data/server.{key,crt} chmod 0400 /opt/rh/postgresql92/root/var/lib/pgsql/data/server.key[root@database~]# cp server.{key,crt} /opt/rh/postgresql92/root/var/lib/pgsql/data/. [root@database~]# chown postgres:postgres /opt/rh/postgresql92/root/var/lib/pgsql/data/server.{key,crt} [root@database~]# chmod 0400 /opt/rh/postgresql92/root/var/lib/pgsql/data/server.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Edit the
postgresql.conffile and add the following option:ssl=on
ssl=onCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Edit the
pg_hba.conffile. This file is a permissions file for restricting access to the database. Look for a line similar to the following:host mydb mydbuser 192.168.122.0/24 md5
host mydb mydbuser 192.168.122.0/24 md5Copy to Clipboard Copied! Toggle word wrap Toggle overflow This line should contain your database name, database user, and IP address or range that allows connections. Change thehostoption tohostssl:hostssl mydb mydbuser 192.168.122.0/24 md5
hostssl mydb mydbuser 192.168.122.0/24 md5Copy to Clipboard Copied! Toggle word wrap Toggle overflow This changes the incoming communication protocol to use SSL and refuse any unencrypted PostgreSQL connections. - Restart the
postgresqlservice so the changes take effect:service postgresql92-postgresql restart
[root@database~]# service postgresql92-postgresql restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
The database server now only accepts connections from clients using SSL. The next procedure sets up the Satellite server to communicate to the database using SSL.
Procedure 5.2. Configuring SSL on the Satellite server
- Login to the Satellite server as
root. - Copy your
root-ca.certcertificate to the following location:cp root-ca.cert /etc/rhn/postgresql-db-root-ca.cert
[root@satellite ~]# cp root-ca.cert /etc/rhn/postgresql-db-root-ca.certCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Edit the
/etc/rhn/rhn.conffile and add the following option:db_ssl_enabled = 1
db_ssl_enabled = 1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Add the certificate to Satellite's Java web server keystore:
openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der rm server.der
[root@satellite ~]# openssl x509 -in /etc/rhn/postgresql-db-root-ca.cert -out server.der -outform der [root@satellite ~]# keytool -keystore /etc/rhn/javatruststore.jks -alias postgresql -import -file server.der [root@satellite ~]# rm server.derCopy to Clipboard Copied! Toggle word wrap Toggle overflow Important
The/etc/rhn/javatruststore.jksrequires a password for any modifications to the keystore. Change this password if necessary using the following command:keytool -storepasswd -keystore /etc/rhn/javatruststore.jks
[root@satellite ~]# keytool -storepasswd -keystore /etc/rhn/javatruststore.jksCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Restore the SELinux context of the new certificate files:
restorecon -R -F -v /etc/rhn/
[root@satellite ~]# restorecon -R -F -v /etc/rhn/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Start the Satellite services:
spacewalk-service start
[root@satellite ~]# spacewalk-service startCopy to Clipboard Copied! Toggle word wrap Toggle overflow
The Satellite server now communicates with the database server using SSL.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}