Scenario: Authenticating PostgreSQL Server
We recommend that you use a TLS certificate to authenticate the PostgreSQL server. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate.
Administration Server supports both one-way and two-way SSL authentication for PostgreSQL.
Follow these steps to configure SSL authentication for PostgreSQL:
- Generate a certificate for the PostgreSQL server.
Run the following commands:
openssl req -new -x509 -days 365 -nodes -text -out psql.crt -keyout psql.key -subj "/CN=psql"
chmod og-rwx psql.key
- Generate a certificate for the Administration Server.
Run the following commands. The CN value should match the name of the user that connects to PostgreSQL on behalf of the Administration Server. The username is set to postgres by default.
openssl req -new -x509 -days 365 -nodes -text -out postgres.crt -keyout postgres.key -subj "/CN=postgres"
chmod og-rwx postgres.key
- Configure client certificate authentication.
Modify pg_hba.conf as follows:
hostssl mydb myuser 192.168.1.0/16 scram-sha-256
Ensure that pg_hba.conf doesn't include a record that starts with host.
- Specify the PostgreSQL certificate.
- Restart the PostgreSQL daemon.
Run the following command:
systemctl restart postgresql-14.service
- Specify the server flag for the Administration Server.
- Restart the Administration Server service.
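
The following script is an added example, not part of the original procedure or the vendor's tooling. It checks two of the steps above before you restart the services: that pg_hba.conf contains no record type that admits unencrypted TCP connections, and that a private key file has no group or other permissions. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Checks two things from the steps above:
#   1. pg_hba.conf has no record type that admits unencrypted TCP connections
#   2. a private key file has no group/other permission bits (chmod og-rwx)

# Prints offending records as "LINE: record". Returns 0 if none, 1 if any,
# 2 if the file cannot be read. Comments are cut naively at the first '#'.
audit_pg_hba() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        # "host" matches TLS and non-TLS clients; "hostnossl" only non-TLS
        $1 == "host" || $1 == "hostnossl" { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Returns 0 when the file has no group/other permission bits set,
# 1 when it does, 2 when it is not a regular file.
key_is_private() {
    [ -f "$1" ] || return 2
    # ls -ld mode string: char 1 is the type, 2-4 owner, 5-7 group, 8-10 other
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on a constructed pg_hba.conf (sample data, not from a real server).
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/pg_hba.conf" <<'EOF'
# TYPE   DATABASE USER   ADDRESS         METHOD
local    all      all                    peer
hostssl  mydb     myuser 192.168.1.0/16  scram-sha-256
host     all      all    0.0.0.0/0       md5   # admits plaintext clients
EOF
    audit_pg_hba "$tmp/pg_hba.conf" || echo "non-TLS records found"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The audit does not follow include directives and does not validate the authentication method column; it only reports the record types that the pg_hba.conf step tells you to remove.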