We recommend that you use a TLS certificate to authenticate the PostgreSQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate. Use a certificate from a trusted CA because a self-signed certificate provides only limited protection.
Administration Server supports both one-way and two-way SSL authentication for PostgreSQL.
Follow these steps to configure SSL authentication for PostgreSQL:
Generate a certificate for the PostgreSQL server.
In an OpenSSL-based cross-platform utility, execute the following commands:
Generate a certificate for the Administration Server.
Run the following commands. The CN value should match the name of the user that connects to PostgreSQL on behalf of the Administration Server. The username is set to postgres by default.
Use the klscflag utility to create the KLSRV_POSTGRES_OPT_SSL_CA server flag and specify the path to the certificate as its value.
klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CA -v <path to psql.crt> -t s
The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.
Use the klscflag utility to create the server flags and specify the path to the certificate files as their values:
klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CA -v <path to psql.crt> -t s
klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CERT -v <path to postgres.crt> -t s
klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_KEY -v <path to postgres.key> -t s
If postgres.key requires a passphrase, create the KLSRV_POSTGRES_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:
klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_TLS_PASPHRASE -v <passphrase> -t s
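A pre-flight check for the certificate files before their paths are set with klscflag, as an added example that is not part of the vendor's procedure. It checks that the client certificate's CN equals the database user name, that the key belongs to the certificate, and that the CA file validates the server certificate. The function names and the generated test certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to klscflag.
# Function names and the generated test certificates are constructed here.

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the private key ($2) belongs to the certificate ($1).
# Assumes an unencrypted key; an encrypted one needs -passin on the pkey call.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Two-way SSL: client cert ($1) and key ($2) for database user ($3).
check_client_pair() {
    [ "$(cert_cn "$1")" = "$3" ] || { echo "CN is not '$3'" >&2; return 1; }
    key_matches_cert "$1" "$2"   || { echo "key does not match cert" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 1; }
}

# One-way SSL: the file given as KLSRV_POSTGRES_OPT_SSL_CA ($1) must
# validate the certificate the PostgreSQL server presents ($2).
check_server_trust() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed, short-lived self-signed test certificates (not for production).
make_demo_cert() {   # $1 = output basename, $2 = CN
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
    chmod 600 "$1.key"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_cert "$d/psql" dbhost.example && make_demo_cert "$d/postgres" postgres &&
    check_server_trust "$d/psql.crt" "$d/psql.crt" &&
    check_client_pair "$d/postgres.crt" "$d/postgres.key" postgres &&
    ! check_client_pair "$d/postgres.crt" "$d/psql.key" postgres 2>/dev/null
    rc=$?; rm -rf "$d"; return $rc
}
```

Call `demo` to exercise the checks on throwaway certificates, or call `check_client_pair` and `check_server_trust` with the real file paths.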