Configuring PostgreSQL for TLS

By default, PostgreSQL uses unencrypted connections. For more secure connections, you can enable Transport Layer Security (TLS) support on the PostgreSQL server.

Note

All communication between the edge filer, Drive Connect, and Drive Share/Protect is encrypted. The communication between PostgreSQL running on the primary database server and the secondary (replication) server is not encrypted by default.

You cannot configure PostgreSQL for TLS if the portal uses a self-signed certificate or if the certificate has expired.

To enable TLS support on PostgreSQL:

  1. Using SSH, log in as root to the CTERA Portal primary database server.
  2. Edit the /usr/local/ctera/data/pg_ident.conf file by adding a mapname and system username for your installation:
    # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
    ctera           /^(.*){DNS}$            postgres
    
    For example, when the DNS name is mycompany.com:
    # MAPNAME       SYSTEM-USERNAME                 PG-USERNAME
    ctera           /^(.*)mycompany\.com$           postgres
    
    
    Note

    Before each period in the DNS name, add a backslash character (\).

  3. Restart the portal by running the following command: portal-manage.sh restart
  4. Using SSH, log in as root to every server in the portal cluster and edit the /usr/local/ctera/data/pg_ident.conf file by making the same changes that were made on the primary database server.
  5. On the primary database server, run the following command: postgres-ssl-mode changingSSLMode true

The portal restarts automatically.

Note

If a server is down when the portal restarts, the configuration change is applied automatically when that server next starts, and the server then restarts automatically.
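
The note in step 2 about escaping periods matters because an unescaped period in the SYSTEM-USERNAME regular expression matches any character, not only a literal period. The following script is an added example, not part of the CTERA procedure or tooling: it builds the map line for a DNS name, tests which system usernames the expression accepts, and flags map lines with an unescaped period. The function names and host names are constructed for illustration, and grep -E is assumed as a stand-in for PostgreSQL's regular expression engine, which behaves the same for these simple patterns.

```bash
#!/usr/bin/env bash
# Added example: helper names and sample host names are constructed.

# Escape every period so it matches a literal "." and not "any character".
escape_dns() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Emit the map line in the layout shown in step 2.
pg_ident_line() {
    printf 'ctera\t/^(.*)%s$\tpostgres\n' "$(escape_dns "$1")"
}

# Return 0 if system username $2 matches the SYSTEM-USERNAME regex of line $1.
# grep -E approximates PostgreSQL's regex matching (assumption).
map_accepts() {
    local regex
    regex=$(printf '%s\n' "$1" | awk '{print $2}')
    regex=${regex#/}    # the leading "/" only marks the field as a regex
    printf '%s\n' "$2" | grep -Eq -- "$regex"
}

# Print "LINENO: line" for map lines whose regex still has an unescaped ".".
# The "(.*)" prefix is intentional and is ignored by the check.
find_unescaped_dots() {
    awk '!/^[[:space:]]*#/ && $2 ~ /^\// {
        r = $2
        gsub(/\(\.\*\)/, "", r)   # drop the intended (.*) prefix
        gsub(/\\\./, "", r)       # drop correctly escaped periods
        if (r ~ /\./) print NR ": " $0
    }' "$1"
}

# Demo with constructed values.
good=$(pg_ident_line mycompany.com)
bad='ctera /^(.*)mycompany.com$ postgres'   # period left unescaped
for name in portal.mycompany.com portal.mycompanyXcom; do
    for line in "$good" "$bad"; do
        if map_accepts "$line" "$name"; then verdict=accepted; else verdict=rejected; fi
        printf '%-24s %-9s by: %s\n' "$name" "$verdict" "$line"
    done
done
```

Running find_unescaped_dots against a copy of pg_ident.conf on each server in the cluster is a quick way to confirm that the edits in steps 2 and 4 were made consistently.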

Adding a New Server to the Portal Cluster

If you add a new server to the portal cluster, after connecting the new server to the cluster, log in as root to the new server and edit the /usr/local/ctera/data/pg_ident.conf file as you did on the other servers.

