Configure an SSL certificate for an external Cloudbreak database
Perform these steps to configure Cloudbreak with an existing external database that uses SSL.
Prerequisites
Configure an existing external database for Cloudbreak as described in Configure external Cloudbreak database. Once done, perform the following steps.
Steps
- Obtain your database’s SSL certificate:
  - If your database instance runs on AWS, obtain the certificate from the link provided in the following AWS documentation: Using SSL with a PostgreSQL DB Instance.
  - If your database instance runs on Azure, obtain the certificate from the link provided in the following Azure documentation: Configure SSL connectivity in Azure Database for PostgreSQL.
  - If your database instance runs on GCP, you should provide your existing certificate or create a new certificate as described in the following GCP documentation: Connect to your Cloud SQL instance without encryption.
- Access your Cloudbreak VM via SSH.
- Download or copy the certificate to the certs directory in your Cloudbreak deployment directory. By default, this is /var/lib/cloudbreak-deployment/certs.
- Set the following variables in your Profile file:
  | Variable | Description |
  | --- | --- |
  | PERISCOPE_DB_ENV_SSL | Default false. Set to true to enable SSL. |
  | PERISCOPE_DB_ENV_CERT_FILE | Default empty. Set this to the location of your certificate relative to your certs directory within the Cloudbreak deployment directory. For example, if your certificate is in /var/lib/cloudbreak-deployment/certs/root.crt, set this variable to root.crt. |
  | CB_DB_ENV_SSL | Default false. Set to true to enable SSL. |
  | CB_DB_ENV_CERT_FILE | Default empty. Set this to the location of your certificate relative to your certs directory within the Cloudbreak deployment directory. For example, if your certificate is in /var/lib/cloudbreak-deployment/certs/root.crt, set this variable to root.crt. |

  This example assumes that root.crt is the name of the certificate file:

      export PERISCOPE_DB_ENV_SSL=true
      export PERISCOPE_DB_ENV_CERT_FILE=root.crt
      export CB_DB_ENV_SSL=true
      export CB_DB_ENV_CERT_FILE=root.crt
- Next, you should make changes in the uaa.yml file located in the Cloudbreak deployment directory. To make changes in the uaa.yml file, you should create a new file called uaa-changes.yml; this file will be used to regenerate your database settings in the uaa.yml file. The steps are:
  - Open your uaa.yml file and copy the entire “database” entry (which should include values such as driverClassName, maxactive, password, url, and username).
  - In the Cloudbreak deployment directory, create a new file called uaa-changes.yml.
  - Paste the copied content to the uaa-changes.yml file.
  - Update the value of the “url” by adding the following (replacing root.crt with the actual name of your certificate file):

        ?ssl=true&sslfactory=org.postgresql.ssl.SingleCertValidatingFactory&sslfactoryarg=file:///certs/root.crt

  - Save the uaa-changes.yml file.

  After the update your uaa-changes.yml file should look similar to:

      database:
        driverClassName: org.postgresql.Driver
        maxactive: 200
        password: ${IDENTITY_DB_PASS}
        url: jdbc:postgresql://${IDENTITY_DB_URL}/${IDENTITY_DB_NAME}?ssl=true&sslfactory=org.postgresql.ssl.SingleCertValidatingFactory&sslfactoryarg=file:///certs/root.crt
        username: ${IDENTITY_DB_USER}
- Run the following to stop cbd:
cbd kill
- Run the following to regenerate the uaa.yml file with the SSL information provided earlier:
cbd regenerate
- Run the following to start Cloudbreak:
cbd start
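
A preflight check for the settings configured in the steps above, worth running before cbd regenerate. This is an added example, not part of Cloudbreak or its documentation. The function names are hypothetical, and it assumes the Profile file sits in the deployment directory next to uaa-changes.yml and that the certificate is PEM-encoded.

```shell
#!/bin/sh
# Added example (not Cloudbreak code): verify the SSL settings from the steps
# above. Assumes Profile and uaa-changes.yml are in the deployment directory.

# Print the value exported for variable $2 in Profile file $1 (empty if unset).
profile_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" 2>/dev/null | tail -n 1
}

# Return 0 only if SSL is enabled for both databases, every configured
# certificate exists in certs/, and the UAA JDBC URL pins an existing certificate.
check_cb_db_ssl() {
    dir=$1
    rc=0
    for prefix in CB PERISCOPE; do
        ssl=$(profile_value "$dir/Profile" "${prefix}_DB_ENV_SSL")
        cert=$(profile_value "$dir/Profile" "${prefix}_DB_ENV_CERT_FILE")
        if [ "$ssl" != "true" ]; then
            echo "FAIL: ${prefix}_DB_ENV_SSL is not true"; rc=1
        fi
        if [ -z "$cert" ]; then
            # Also triggers when the assignment is malformed, e.g. "VAR-=root.crt".
            echo "FAIL: ${prefix}_DB_ENV_CERT_FILE is not set"; rc=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$dir/certs/$cert" 2>/dev/null; then
            echo "FAIL: certs/$cert is missing or not a PEM certificate"; rc=1
        fi
    done
    # Without ssl=true and the validating factory, the UAA database connection
    # is not encrypted against the pinned certificate.
    url=$(sed -n 's/^[[:space:]]*url:[[:space:]]*//p' "$dir/uaa-changes.yml" 2>/dev/null | tail -n 1)
    case $url in
        *ssl=true*sslfactory=org.postgresql.ssl.SingleCertValidatingFactory*) ;;
        *) echo "FAIL: uaa-changes.yml url lacks ssl=true or SingleCertValidatingFactory"; rc=1 ;;
    esac
    uaa_cert=$(printf '%s\n' "$url" | sed -n 's|.*sslfactoryarg=file:///certs/\([^&]*\).*|\1|p')
    if [ -z "$uaa_cert" ] || [ ! -f "$dir/certs/$uaa_cert" ]; then
        echo "FAIL: sslfactoryarg does not name a file in certs/"; rc=1
    fi
    return $rc
}

# Run as a script: sh check.sh /var/lib/cloudbreak-deployment
if [ -n "${1:-}" ]; then check_cb_db_ssl "$1"; fi
```

A malformed assignment in Profile or a certificate name in the JDBC URL that does not match a file in certs/ is reported here instead of surfacing later as a database connection failure.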