Configuring PostgreSQL for TLS


By default, PostgreSQL uses unencrypted connections. For more secure connections, you can enable Transport Layer Security (TLS) support on the PostgreSQL server.

Note

All communication between the edge filer, Drive Connect, and Drive Share/Protect is encrypted. However, by default, the communication between PostgreSQL running on the primary database server, the secondary (replication) server, and the application servers is not encrypted.

You cannot configure PostgreSQL for TLS if the portal uses a self-signed certificate or if the certificate has expired.

To enable TLS support for all PostgreSQL communication:

  1. Using SSH, log in as root to the CTERA Portal primary database server.
  2. Edit the /usr/local/ctera/data/pg_ident.conf file by adding a mapname and system username for your installation:
    # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
    ctera           /^(.*){DNS}$            postgres
    
    For example, when the DNS name is mycompany.com:
    # MAPNAME       SYSTEM-USERNAME                 PG-USERNAME
    ctera           /^(.*)mycompany\.com$           postgres

    Note

    Before each period in the DNS name, add a backslash character (\).

  3. Restart the portal by running the following command: portal-manage.sh restart
  4. Using SSH, log in as root to every server in the portal cluster and edit the /usr/local/ctera/data/pg_ident.conf file by making the same changes that were made on the primary database server.
  5. On the primary database server, run the following command: postgres-ssl-mode changingSSLMode true
  6. Restart all the portal servers. You can restart the servers from the user interface, described in Restarting or Shutting Down a Server.
Notes

If a server is down when the portal restarts, the configuration change is applied to it automatically when it comes back up, and it then restarts automatically.

To run the CLI postgres-ssl-mode changingSSLMode true from the portal user interface, see Execute CLI Commands from the Global Admin User Interface.
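To see why the backslash before each period in the step 2 entry matters, here is an added Python example (not CTERA's code) that builds the pg_ident.conf line for a DNS name and resolves a client name through it using the pg_ident.conf matching rules; it goes beyond the page's entry by also implementing the `\1` capture-group substitution PostgreSQL supports. The function names, the comparison helper and the probe host names are assumptions; the name being mapped is whatever PostgreSQL presents as the system user name (for certificate authentication, the certificate's CN).

```python
import re
from typing import Iterable, Optional, Tuple

def build_ident_line(mapname: str, dns_suffix: str, pg_user: str = "postgres") -> str:
    # Prefix every period in the DNS name with a backslash so the regex matches a
    # literal '.', as the note under step 2 requires ('mycompany.com' -> 'mycompany\.com').
    escaped = dns_suffix.replace(".", "\\.")
    return f"{mapname:<16}/^(.*){escaped}$    {pg_user}"

def parse_ident_line(line: str) -> Optional[Tuple[str, str, str]]:
    # Split one line into (MAPNAME, SYSTEM-USERNAME, PG-USERNAME); comments and
    # blank lines yield None.
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) != 3:
        raise ValueError(f"malformed pg_ident.conf line: {line!r}")
    return parts[0], parts[1], parts[2]

def map_system_user(lines: Iterable[str], mapname: str, system_user: str) -> Optional[str]:
    # Resolve a system user name through one map, following pg_ident.conf rules:
    # a SYSTEM-USERNAME beginning with '/' is a regular expression, anything else
    # must match exactly, and a PG-USERNAME containing '\1' receives the first
    # capture group. First matching entry wins; None means no database role.
    for line in lines:
        entry = parse_ident_line(line)
        if entry is None or entry[0] != mapname:
            continue
        _, sys_pattern, pg_user = entry
        if sys_pattern.startswith("/"):
            match = re.search(sys_pattern[1:], system_user)
            if match:
                if "\\1" in pg_user and match.groups():
                    return pg_user.replace("\\1", match.group(1))
                return pg_user
        elif sys_pattern == system_user:
            return pg_user
    return None

def escaping_matters(dns_suffix: str, probe: str) -> Tuple[Optional[str], Optional[str]]:
    # Constructed comparison: the documented (escaped) entry beside a careless
    # unescaped one, applied to the same probe host name.
    escaped = [build_ident_line("ctera", dns_suffix)]
    unescaped = [f"ctera           /^(.*){dns_suffix}$    postgres"]
    return (map_system_user(escaped, "ctera", probe),
            map_system_user(unescaped, "ctera", probe))
```

An unescaped period lets a name such as `db2.mycompanyXcom` map to `postgres`, so the escaped form is the one to keep in the file on every server.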

Adding a New Server to the Portal Cluster

If you add a new server to the portal cluster, after connecting the new server to the cluster, log in as root to the new server and edit the /usr/local/ctera/data/pg_ident.conf file as you did to the other servers.