Scenario: Authenticating PostgreSQL Server

Expand all | Collapse all

We recommend that you use a TLS certificate to authenticate the PostgreSQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate. Use a certificate from a trusted CA because a self-signed certificate provides only limited protection.

Administration Server supports both one-way and two-way SSL authentication for PostgreSQL.

Authenticating PostgreSQL Server proceeds in stages:

1. Generating a certificate for the PostgreSQL server

   In an OpenSSL-based cross-platform utility, execute the following commands:

   openssl req -new -x509 -days 365 -nodes -text -out psql.crt -keyout psql.key -subj "/CN=psql"

   chmod og-rwx psql.key

2. Generating a certificate for the Administration Server

   Run the following commands. The CN value should match the name of the user that connects to PostgreSQL on behalf of the Administration Server. The username is set to postgres by default.

   openssl req -new -x509 -days 365 -nodes -text -out postgres.crt -keyout postgres.key -subj "/CN=postgres"

   chmod og-rwx postgres.key

3. Configuring client certificate authentication

   Modify pg_hba.conf as follows:

   hostssl all all 0.0.0.0/0 md5

   Ensure that pg_hba.conf doesn't include a record that starts with host.

4. Specifying the PostgreSQL certificate

   One-way SSL authentication

   Modify postgresql.conf as follows (specify the correct path to the .crt and .key files):

   listen_addresses ='localhost, server-ip'

   ssl = on

   ssl_cert_file = '<psql.crt>'

   ssl_key_file = '<psql.key>'

   Two-way SSL authentication

   Modify postgresql.conf as follows (specify the correct path to the .crt and .key files):

   listen_addresses ='localhost, server-ip'

   ssl = on

   ssl_ca_file = '<postgres.crt>'

   ssl_cert_file = '<psql.crt>'

   ssl_key_file = '<psql.key>'

5. Restarting the PostgreSQL daemon

   Run the following command:

   systemctl restart postgresql-14.service

6. Specifying the server flag for the Administration Server

   One-way SSL authentication

   Use the klscflag utility to create the KLSRV_POSTGRES_OPT_SSL_CA server flag and specify the path to the certificate as its value.

   Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

   Run the following command:

   klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CA -v <path to psql.crt> -t s

   Two-way SSL authentication

   Use the klscflag utility to create the server flags and specify the path to the certificate files as their values.

   Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

   Run the following commands:

   klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CA -v <path to psql.crt> -t s

   klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_CERT -v <path to postgres.crt> -t s

   klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_SSL_KEY -v <path to postgres.key> -t s

   If the postgres.key requires a passphrase, create a KLSRV_POSTGRES_OPT_TLS_PASPHRASE flag and specify the passphrase as its value:

   klscflag -fset -pv klserver -n KLSRV_POSTGRES_OPT_TLS_PASPHRASE -v <passphrase> -t s

7. Restarting the Administration Server service

Page top