Enabling TLS 1.2 for PostgreSQL Database Server
TLS 1.2 encrypts the connection between the PostgreSQL server and the Cloudera Manager server. You must enable TLS 1.2 for the PostgreSQL database before setting up Cloudera Manager.
- SSH into the PostgreSQL database host.
- Start the PostgreSQL server by running the following command:
    systemctl start postgresql-14
- Verify whether TLS 1.2 is enabled on PostgreSQL by running the following SQL command:
    SHOW ssl;
  If TLS 1.2 is enabled, the value of ssl is on, as follows:
     ssl
    -----
     on
    (1 row)
  If TLS 1.2 is enabled, you can skip the following steps and go to Importing the PostgreSQL root certificate.
- Create a certificate authority by running the following commands (the second command removes the passphrase from the key so that the server can start unattended):
    cd /var/lib/pgsql/14/data
    openssl genrsa -des3 -out server.key 1024
    openssl rsa -in server.key -out server.key
    chmod 400 server.key
- Create a self-signed certificate for the server from the key generated in the previous step by running the following command (replace hostname with the fully qualified name of the database host):
    openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/CN=hostname'
- Change the ownership and permissions of the files by running the following commands:
    chown postgres server.crt server.key
    chmod 400 server.key server.crt
- Go to /var/lib/pgsql/14/data and open the postgresql.conf file. To enable and enforce TLS 1.2, add or update the following parameters in the postgresql.conf file:
    ssl = on
    ssl_cert_file = '/var/lib/pgsql/14/data/server.crt'
    ssl_key_file = '/var/lib/pgsql/14/data/server.key'
    # Add the following lines to enforce TLS 1.2:
    ssl_min_protocol_version = 'TLSv1.2'
    ssl_max_protocol_version = 'TLSv1.2'
- Update the pg_hba.conf file to enforce SSL connections. To ensure PostgreSQL requires SSL for incoming connections from remote services (such as Hive), you must add a hostssl entry to the Host Based Authentication configuration.
  - Open the pg_hba.conf file (typically located in the same data directory as postgresql.conf).
  - Add a line to allow/enforce SSL connections for your network. For example, to allow all remote hosts to connect through SSL using SCRAM-SHA-256:
      cat <<EOF >> /var/lib/pgsql/14/data/pg_hba.conf
      # TYPE  DATABASE  USER  ADDRESS    METHOD
      hostssl all       all   0.0.0.0/0  scram-sha-256
      EOF
  - Save the pg_hba.conf file.
- Restart the PostgreSQL server by running the following command:
    systemctl restart postgresql-14.service
  Alternatively, reload the configuration without a full restart:
    sudo -u postgres pg_ctl reload -D /var/lib/pgsql/14/data
- Check the TLS 1.2 status by running the following SQL command:
    SELECT name, setting FROM pg_settings WHERE name LIKE '%ssl%';
  Sample output:
    +----------------------------------------+--------------------------+
    | name                                   | setting                  |
    +----------------------------------------+--------------------------+
    | ssl                                    | on                       |
    | ssl_ca_file                            | server.crt               |
    | ssl_cert_file                          | server.crt               |
    | ssl_ciphers                            | HIGH:MEDIUM:+3DES:!aNULL |
    | ssl_crl_dir                            |                          |
    | ssl_crl_file                           |                          |
    | ssl_dh_params_file                     |                          |
    | ssl_ecdh_curve                         | prime256v1               |
    | ssl_key_file                           | server.key               |
    | ssl_library                            | OpenSSL                  |
    | ssl_max_protocol_version               |                          |
    | ssl_min_protocol_version               | TLSv1.2                  |
    | ssl_passphrase_command                 |                          |
    | ssl_passphrase_command_supports_reload | off                      |
    | ssl_prefer_server_ciphers              | on                       |
    +----------------------------------------+--------------------------+
    (15 rows)
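As an added check (example shell script, not part of this page or of PostgreSQL/Cloudera): the SHOW ssl and pg_settings queries above confirm the server-side setting, but not whether pg_hba.conf still lets a client connect without TLS. The script reads the two files edited in this procedure, verifies ssl and ssl_min_protocol_version, and lists any host or hostnossl records that would still accept a cleartext connection; the function names and the sample files it writes are constructed for the example.

```shell
# Added audit helper (constructed for this example, not part of PostgreSQL or
# Cloudera): checks postgresql.conf and pg_hba.conf against the TLS 1.2 setup above.
# Effective value of a postgresql.conf parameter (last uncommented assignment wins).
pg_conf_value() {  # $1 = postgresql.conf, $2 = parameter name
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'?([^'#[:space:]]*)'?.*/\1/p" "$1" | tail -n 1
}

# Records that can still carry cleartext: "host" matches TLS and non-TLS alike and
# "hostnossl" is non-TLS only. A hostssl record never matches a non-TLS connection,
# so any such record anywhere in the file lets an unencrypted client in.
pg_hba_cleartext_records() {  # $1 = pg_hba.conf; exits 0 if any were found
  awk '$1 !~ /^#/ && ($1 == "host" || $1 == "hostnossl") { print; found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# Returns 0 only if ssl is on, TLS 1.2 is the floor, and no cleartext record remains.
check_pg_tls_config() {  # $1 = postgresql.conf, $2 = pg_hba.conf
  _rc=0
  [ "$(pg_conf_value "$1" ssl)" = "on" ] || { echo "FAIL: ssl is not on"; _rc=1; }
  [ "$(pg_conf_value "$1" ssl_min_protocol_version)" = "TLSv1.2" ] \
    || { echo "FAIL: ssl_min_protocol_version is not TLSv1.2"; _rc=1; }
  if pg_hba_cleartext_records "$2" >/dev/null; then
    echo "FAIL: pg_hba.conf still accepts cleartext via:"; pg_hba_cleartext_records "$2"; _rc=1
  fi
  return $_rc
}

# Constructed sample files mirroring the settings above, plus one with a leftover
# default "host" record (a common remnant of a stock pg_hba.conf).
write_sample_configs() {  # $1 = directory to write into
  cat > "$1/postgresql.conf" <<'EOF'
ssl = on
ssl_cert_file = '/var/lib/pgsql/14/data/server.crt'
ssl_key_file = '/var/lib/pgsql/14/data/server.key'
ssl_min_protocol_version = 'TLSv1.2'
ssl_max_protocol_version = 'TLSv1.2'
EOF
  cat > "$1/pg_hba_good.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS    METHOD
local   all       all              peer
hostssl all       all   0.0.0.0/0  scram-sha-256
EOF
  { cat "$1/pg_hba_good.conf"; echo "host    all       all   0.0.0.0/0  md5"; } > "$1/pg_hba_bad.conf"
}

SAMPLE_DIR=$(mktemp -d)
write_sample_configs "$SAMPLE_DIR"
check_pg_tls_config "$SAMPLE_DIR/postgresql.conf" "$SAMPLE_DIR/pg_hba_good.conf" && echo "pg_hba_good.conf: OK"
check_pg_tls_config "$SAMPLE_DIR/postgresql.conf" "$SAMPLE_DIR/pg_hba_bad.conf" || echo "pg_hba_bad.conf: rejected"
```

Run it against the real files as `check_pg_tls_config /var/lib/pgsql/14/data/postgresql.conf /var/lib/pgsql/14/data/pg_hba.conf` after the restart step; a non-zero exit means the server still admits something the procedure was meant to rule out.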
