Configuring the PostgreSQL Server

The instructions in this section are to be performed on the Key Manager Database. Also, the PostgreSQL server must be initialized before performing the commands in this section.

On the Key Manager Database, you must:

  • Set up the server key and server certificates.

  • Configure PostgreSQL to receive SSL connections.

  • Allow client connections from Key Manager Servers.

  1. Move to the data location (replace example path with your data location):

    # cd /var/lib/pgsql/16/data

    The data location is typically one of the following locations:

    • /usr/local/pgsql/data

    • /var/lib/pgsql/data

    • /var/lib/pgsql/version_number/data (replace version_number with the PostgreSQL version, such as 16).

    The following instructions assume that they are run from the data location.

  2. Place the server key and the server certificate into the data location of the PostgreSQL server.

    You can use pgdbca.key and pgdbca.crt as the server key and the server certificate respectively (these were created previously, in Creating SSL Certificates).

  3. After you have placed the server key and the server certificate in the data location, rename the files as follows:

    • Server key: server.key

    • Server certificate: server.crt

  4. Place the certificates of the certificate authorities you trust in the file root.crt. In this example, this can be accomplished by copying server.crt to root.crt.

    # cp server.crt root.crt

  5. Set the required permissions and file ownership for the files:

    # chmod 0600 server.key
    # chown postgres:postgres server.key
    # chown postgres:postgres server.crt
    # chown postgres:postgres root.crt

    You have now set up the key and certificate files on the PostgreSQL server. Next up, you must configure the PostgreSQL server to use SSL.

  6. Enable SSL for the PostgreSQL database. Also, tell PostgreSQL what the certificate files are named. To do this, edit the database settings in postgresql.conf. By default, this file is also located in the data location.

    In the postgresql.conf file, find the following settings and change them to the specified values:

    listen_addresses = '*'

    ssl = on

    ssl_cert_file = 'server.crt'

    ssl_key_file = 'server.key'

    ssl_ca_file = 'root.crt'

    Remember to uncomment any settings that you have changed.

    Save and close the file.

  7. Configure the PostgreSQL database to accept SSL connections from the Key Manager Servers. To do this, open the pg_hba.conf file located in the data location. Append a line like the following to the file:

    hostssl keymanagerdb keymanager address_of_client/32 cert

    In the example line, replace the values as follows:

    • keymanagerdb: The name of the database.

    • keymanager: The name of the database owner.

    • address_of_client: The address of the Key Manager Server.

    Add one such line for each Key Manager Server.

    Save and close the file.

  8. Restart the PostgreSQL server to apply the settings.
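The following check script is an added example and not part of this documentation or the product: it verifies a data location against steps 3 to 7 above (the three certificate files present, server.key restricted to mode 0600, the postgresql.conf settings present and uncommented with the listed values, and at least one hostssl rule with cert authentication in pg_hba.conf). It assumes all files sit directly in the directory passed as its argument; ownership is not checked because that requires the postgres account and root.

```shell
#!/bin/sh
# Constructed check for the PostgreSQL SSL setup described above (added example).
# Usage: check_pg_ssl_config /var/lib/pgsql/16/data   (exit 0 = all checks passed)

# conf_has FILE KEY VALUE: succeed if FILE has an uncommented "KEY = VALUE" line.
# Trailing comments, whitespace and single quotes around the value are ignored.
conf_has() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" \
        | sed -e 's/#.*//' -e 's/^[^=]*=[[:space:]]*//' -e "s/[[:space:]']//g" \
        | grep -qxF -- "$3"
}

# check_pg_ssl_config DATADIR: print each problem found, return 1 if any, else 0.
check_pg_ssl_config() {
    datadir=$1
    rc=0
    # Steps 3-4: the renamed key, certificate and trust file must exist.
    for f in server.key server.crt root.crt; do
        [ -f "$datadir/$f" ] || { echo "missing $f"; rc=1; }
    done
    # Step 5: the private key must be readable by its owner only (0600).
    if [ -f "$datadir/server.key" ]; then
        mode=$(stat -c %a "$datadir/server.key" 2>/dev/null || stat -f %Lp "$datadir/server.key")
        [ "$mode" = "600" ] || { echo "server.key mode is $mode, expected 600"; rc=1; }
    fi
    # Step 6: every setting must be present, uncommented and set to the documented value.
    pgconf=$datadir/postgresql.conf
    for kv in "listen_addresses=*" "ssl=on" "ssl_cert_file=server.crt" \
              "ssl_key_file=server.key" "ssl_ca_file=root.crt"; do
        key=${kv%%=*}
        val=${kv#*=}
        conf_has "$pgconf" "$key" "$val" \
            || { echo "postgresql.conf: $key is not set to $val"; rc=1; }
    done
    # Step 7: at least one "hostssl ... cert" rule, so clients must present a certificate.
    grep -Eq '^[[:space:]]*hostssl[[:space:]].*[[:space:]]cert([[:space:]]|$)' "$datadir/pg_hba.conf" \
        || { echo "pg_hba.conf: no hostssl rule with cert authentication"; rc=1; }
    return $rc
}
```

Run it as the postgres user or root so server.key is readable, and re-run after any edit to postgresql.conf or pg_hba.conf before restarting the server.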