
Puppetdb connection to postgresql using client certificate

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: DOCS
    • Story Points: 3

      Description

      For people wanting to authenticate on a PostgreSQL server using an X.509 client certificate, this procedure might help.
      This procedure does it the Java way, i.e. it takes a JKS store, not PEM files.

      First create a JKS with the private key for your account and put in it all the needed certificates in the chain (both server and user). The CN of the user certificate should match the username used later.

      Add to your JVM args:

      -Djavax.net.ssl.trustStore=.../puppetdb.jks -Djavax.net.ssl.trustStorePassword=<JKS password> -Djavax.net.ssl.keyStore=.../puppetdb.jks -Djavax.net.ssl.keyStorePassword=<JKS password>

      In case of problems, -Djavax.net.debug=ssl,defaultctx might help.
      My database.ini is:

      [database]
      classname = org.postgresql.Driver
      subprotocol = postgresql
      subname = //localhost:5432/puppetdb?ssl=true
      username = puppetdb

      In pg_hba.conf, I added:

      hostssl all all 0.0.0.0/0 cert clientcert=1

      And in postgresql.conf:

      ssl = on
      ssl_cert_file = 'server.crt'
      ssl_key_file = 'server.key'
      ssl_ca_file = 'root.crt'

      The file root.crt contains all the needed certificates (both client and server).
      The file server.crt contains only the server certificate.
      The file server.key contains the server's private key.

      Those 3 files are stored as PEM files.

      org.postgresql.ssl.LibPQFactory is used if you want to mimic the psql client configuration and use PEM files instead of JKS; it takes the same arguments. Some documentation can be found at:
      http://www.postgresql.org/docs/8.4/static/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
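Added here as a small review check, not part of the ticket or of PuppetDB: it parses a constructed pg_hba.conf modelled on the rule above (same puppetdb database and role names) and lists rules that would let the PuppetDB role connect without SSL or without a client certificate; it also flags the 0.0.0.0/0 source range, which is usually narrowed to the PuppetDB host.

```python
# Constructed sample modelled on the ticket's pg_hba.conf (not the reporter's real
# file): the cert rule from above plus a weaker password rule that should be flagged.
PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS      METHOD  [OPTIONS]
hostssl all       all       0.0.0.0/0    cert    clientcert=1
host    puppetdb  puppetdb  10.0.0.0/8   md5
local   all       postgres               peer
"""


def parse_pg_hba(text):
    """Turn pg_hba.conf into rule dicts; 'local' rules carry no ADDRESS column."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            fields.insert(3, None)  # pad so every rule has the same column layout
        if len(fields) < 5:
            continue  # malformed line; PostgreSQL itself would refuse to load it
        rtype, db, user, addr, method = fields[:5]
        rules.append(dict(type=rtype, db=db, user=user, addr=addr,
                          method=method, opts=fields[5:]))
    return rules


def audit_pg_hba(text, db="puppetdb", user="puppetdb"):
    """List rules that could admit the PuppetDB role without SSL and a client cert."""
    findings = []
    for r in parse_pg_hba(text):
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        tag = f"{r['type']} {r['db']}/{r['user']}"
        if r["type"] in ("host", "hostnossl"):  # both match non-SSL connections
            findings.append(f"{tag}: does not require SSL")
        if r["type"].startswith("host") and r["method"] != "cert":
            findings.append(f"{tag}: method {r['method']} does not require a client certificate")
        if r["addr"] in ("0.0.0.0/0", "::/0"):
            findings.append(f"{tag}: open to any source address, consider narrowing")
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(PG_HBA):
        print(finding)
```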

              People

              • Assignee: Unassigned
              • Reporter: fbacchella Fabrice Bacchella