Enabling TLS 1.2 for PostgreSQL Database Server

TLS 1.2 encrypts the connection between the PostgreSQL server and the Cloudera Manager server. You must enable TLS 1.2 for the PostgreSQL database before setting up Cloudera Manager.

  1. SSH into the PostgreSQL database host.
  2. Start the PostgreSQL server by running the following command:
    systemctl start postgresql-14
  3. Verify whether TLS 1.2 is enabled on PostgreSQL by running the following command:
    SHOW ssl;
    If TLS 1.2 is enabled, the value of ssl is on, as follows:
    ssl 
    -----
     on
    (1 row)
    If TLS 1.2 is enabled, you can skip the following steps and go to Importing the PostgreSQL root certificate.
  4. Create the private key for the server certificate by running the following commands (the second command removes the passphrase so that the server can start unattended):
    cd /var/lib/pgsql/14/data
    openssl genrsa -des3 -out server.key 1024
    openssl rsa -in server.key -out server.key
    chmod 400 server.key
  5. Create a self-signed certificate for the server using the key generated in the previous step by running the following command (replace hostname with the host name of the database server):
    openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/CN=hostname'
  6. Change the ownership and permissions of the files by running the following commands:
    chown postgres server.crt server.key
    chmod 400 server.key server.crt
  7. Go to /var/lib/pgsql/14/data and open the postgresql.conf file to update the following database configurations:
    ssl = on
    ssl_cert_file = '/var/lib/pgsql/14/data/server.crt'
    ssl_key_file = '/var/lib/pgsql/14/data/server.key'
  8. Restart the PostgreSQL server by running the following command:
    systemctl restart postgresql-14.service
  9. Check the TLS 1.2 status by running the following query:
    SELECT name, setting
    FROM pg_settings
    WHERE name LIKE '%ssl%';
    Sample output:
    +----------------------------------------+----------------------------+
    | name                                   | setting                    |
    +----------------------------------------+----------------------------+
    | ssl                                    | on                         |
    | ssl_ca_file                            | server.crt                 |
    | ssl_cert_file                          | server.crt                 |
    | ssl_ciphers                            | HIGH:MEDIUM:+3DES:!aNULL   |
    | ssl_crl_dir                            |                            |
    | ssl_crl_file                           |                            |
    | ssl_dh_params_file                     |                            |
    | ssl_ecdh_curve                         | prime256v1                 |
    | ssl_key_file                           | server.key                 |
    | ssl_library                            | OpenSSL                    |
    | ssl_max_protocol_version               |                            |
    | ssl_min_protocol_version               | TLSv1.2                    |
    | ssl_passphrase_command                 |                            |
    | ssl_passphrase_command_supports_reload | off                        |
    | ssl_prefer_server_ciphers              | on                         |
    +----------------------------------------+----------------------------+
    (15 rows)
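The query above only shows the running server's view. As an added example that is not part of this Cloudera procedure, the script below audits the postgresql.conf and key file written in steps 6 and 7 before the restart, checking that ssl is on, that the certificate and key are configured, that ssl_min_protocol_version does not admit anything older than TLS 1.2, and that the key file is not readable by group or other. The paths and sample configurations it uses are constructed for the demo; relative key paths are assumed to resolve against the directory holding postgresql.conf.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cloudera procedure: audit a postgresql.conf and
# its key file against what the steps above expect (ssl = on, cert and key set,
# TLS 1.2 or newer, key readable only by its owner). Sample configs are constructed.

# Effective value of one parameter: last uncommented assignment wins, quotes and
# trailing comment stripped; empty output when the parameter is not set.
pg_conf_get() {
  local conf="$1" key="$2"
  sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*'?([^'#]*)'?.*/\1/p" "$conf" \
    | tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# Prints one FAIL line per finding; returns 0 only when every check passes.
pg_tls_audit() {
  local conf="$1" rc=0 minver cert key
  [ "$(pg_conf_get "$conf" ssl)" = "on" ] || { echo "FAIL: ssl is not on"; rc=1; }
  # Unset means the server default, which is TLSv1.2 since PostgreSQL 13.
  minver=$(pg_conf_get "$conf" ssl_min_protocol_version)
  case "${minver:-TLSv1.2}" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "FAIL: ssl_min_protocol_version=$minver admits TLS older than 1.2"; rc=1 ;;
  esac
  cert=$(pg_conf_get "$conf" ssl_cert_file)
  key=$(pg_conf_get "$conf" ssl_key_file)
  [ -n "$cert" ] || { echo "FAIL: ssl_cert_file not set"; rc=1; }
  if [ -z "$key" ]; then
    echo "FAIL: ssl_key_file not set"; rc=1
  else
    # Relative paths resolve against the data directory, assumed to hold postgresql.conf.
    case "$key" in /*) ;; *) key="$(dirname "$conf")/$key" ;; esac
    # Group and other permission bits must be clear, as after the chmod 400 in step 6.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
      echo "FAIL: $key is readable by group or other"; rc=1
    fi
  fi
  return "$rc"
}

# Constructed demo: a weak config beside one written the way step 7 describes.
demo() {
  local dir; dir=$(mktemp -d)
  printf "ssl = off\nssl_min_protocol_version = 'TLSv1'\n" > "$dir/weak.conf"
  printf "ssl = on\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\n" > "$dir/hardened.conf"
  : > "$dir/server.key"; chmod 400 "$dir/server.key"
  pg_tls_audit "$dir/weak.conf" || echo "weak.conf: not compliant"
  pg_tls_audit "$dir/hardened.conf" && echo "hardened.conf: compliant"
  rm -rf "$dir"
}
demo
```

Run it as the postgres user against /var/lib/pgsql/14/data/postgresql.conf after step 7; a non-zero exit means at least one FAIL line was printed.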