Configuring Key Manager Servers to Connect to the Database

This section provides instructions for enabling additional Key Manager Servers to connect to the PostgreSQL database on the primary Key Manager Server. These instructions are to be performed after installing the sshmgr rpm package, and before running ssh-mgr-setup on the secondary Key Manager Server.

Note that these instructions are only applicable for enabling connections to PostgreSQL databases that have been set up using setup-pgsql (as detailed previously, in Local PostgreSQL Database Setup). For instructions about configuring connectivity to regularly set-up PostgreSQL databases, see Setting Up SSL Connection to PostgreSQL Databases.

setup-pgsql automatically configures the PostgreSQL database to use secured database connections. To enable database connections from additional Key Manager Servers, you must upload the PostgreSQL client certificates to the additional Key Manager Servers, and configure them to use the certificates:

  1. Configure the Key Manager Server to connect to the PostgreSQL database. To do this, obtain the required certificates for connecting to the database. This can be done by running the following command on the primary Key Manager Server (replace address_of_secondary_host with the IP address of the current host):

    # /opt/sshmgr/bin/setup-pgsql --add-client address_of_secondary_host

    The above command creates a tar package named pgcerts-address_of_secondary_host.tar in your working directory. Copy this tar package to the current host.

    The previous command changes the PostgreSQL access rules. Changed access rules need to be applied by restarting the PostgreSQL database (replace postgresql with the name of the PostgreSQL database service):

    service postgresql restart

    Note: The exact name of the PostgreSQL database service varies depending on the version. In typical cases, the service name is either postgresql or postgresql-<version> (such as postgresql-16).

  2. Run the following command on the secondary Key Manager Server to set up the certificates (replace path/to/tar/package with the actual path to which you copied the tar package):

    # /opt/sshmgr/bin/setup-pgsql --setup-client path/to/tar/package

This sets up the client certificates that allow this Key Manager Server to connect to the database. The client certificates are set up at /var/lib/sshmgr/.postgresql (you will need to provide this path during Key Manager setup). Next, run the Key Manager setup, ssh-mgr-setup, to finalize the configuration.
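
A post-setup check for step 2, added here as an example and not part of the Key Manager tooling: it confirms the client credentials exist and that the private key is owner-only, since libpq rejects a key file with group or world access. It assumes setup-pgsql uses the libpq default file names (postgresql.crt, postgresql.key, root.crt), which this page does not state; check_pg_client_dir is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit the PostgreSQL client credential directory created by
# "setup-pgsql --setup-client" before running ssh-mgr-setup.
# Assumption: the files use libpq's default names; the page gives only the
# directory (/var/lib/sshmgr/.postgresql), not the file names.
# Uses GNU stat (-c), as found on the Linux hosts this procedure targets.
#
# Usage: check_pg_client_dir /var/lib/sshmgr/.postgresql

check_pg_client_dir() {
    pgdir=$1
    rc=0

    # The client certificate, its private key and the CA certificate must
    # all be present and non-empty for a verified TLS connection.
    for f in postgresql.crt postgresql.key root.crt; do
        if [ ! -s "$pgdir/$f" ]; then
            echo "MISSING: $pgdir/$f"
            rc=1
        fi
    done

    # libpq refuses a private key that group or world can access.
    # Accept only owner-only modes here (0600 or 0400).
    if [ -f "$pgdir/postgresql.key" ]; then
        mode=$(stat -c '%a' "$pgdir/postgresql.key")
        case "$mode" in
            600|400) ;;
            *)
                echo "WEAK: $pgdir/postgresql.key has mode $mode, expected 600"
                rc=1
                ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $pgdir"
    return "$rc"
}
```

A non-zero return means a file is missing or the key permissions are too wide; fix the reported item before running ssh-mgr-setup.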