postgresql8.2-docs-8.2.14-1mdv2010.0.i586.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Secure TCP/IP Connections with SSL</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 8.2.14 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Operating System Environment"
HREF="runtime.html"><LINK
REL="PREVIOUS"
TITLE="Encryption Options"
HREF="encryption-options.html"><LINK
REL="NEXT"
TITLE="Secure TCP/IP Connections with SSH Tunnels"
HREF="ssh-tunnels.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2009-09-04T05:25:47"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
>PostgreSQL 8.2.14 Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="encryption-options.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="runtime.html"
>Fast Backward</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 16. Operating System Environment</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="runtime.html"
>Fast Forward</A
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="ssh-tunnels.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SSL-TCP"
>16.7. Secure TCP/IP Connections with SSL</A
></H1
><A
NAME="AEN19496"
></A
><P
>   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> has native support for using
   <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
> connections to encrypt client/server communications
   for increased security. This requires that
   <SPAN
CLASS="PRODUCTNAME"
>OpenSSL</SPAN
> is installed on both client and
   server systems and that support in <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> is
   enabled at build time (see <A
HREF="installation.html"
>Chapter 14</A
>).
  </P
><P
>   With <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
> support compiled in, the
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server can be started with
   <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
> enabled by setting the parameter
   <A
HREF="runtime-config-connection.html#GUC-SSL"
>ssl</A
> to <TT
CLASS="LITERAL"
>on</TT
> in
   <TT
CLASS="FILENAME"
>postgresql.conf</TT
>. When
   starting in <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
> mode, the server will look for the
   files <TT
CLASS="FILENAME"
>server.key</TT
> and <TT
CLASS="FILENAME"
>server.crt</TT
> in the
   data directory, which must contain the server private key
   and certificate, respectively. These files must be set up correctly
   before an <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
>-enabled server can start. If the private key is
   protected with a passphrase, the server will prompt for the
   passphrase and will not start until it has been entered.
  </P
><P
>   The server will listen for both standard and <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
>
   connections on the same TCP port, and will negotiate with any
   connecting client on whether to use <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
>.  By default,
   this is at the client's option; see <A
HREF="auth-pg-hba-conf.html"
>Section 20.1</A
> about how to set up the server to
   require use of <ACRONYM
CLASS="ACRONYM"
>SSL</ACRONYM
> for some or all connections.
  </P
><P
>   For details on how to create your server private key and certificate,
   refer to the <SPAN
CLASS="PRODUCTNAME"
>OpenSSL</SPAN
> documentation. A
   self-signed certificate can be used for testing, but a
   certificate signed by a certificate authority (<ACRONYM
CLASS="ACRONYM"
>CA</ACRONYM
>)
   (either one of the global
   <ACRONYM
CLASS="ACRONYM"
>CAs</ACRONYM
> or a local one) should be used in production so the
   client can verify the server's identity. To create a quick
   self-signed certificate, use the following
   <SPAN
CLASS="PRODUCTNAME"
>OpenSSL</SPAN
> command:
</P><PRE
CLASS="PROGRAMLISTING"
>openssl req -new -text -out server.req   # writes the request to server.req and a passphrase-protected key to privkey.pem</PRE
><P>
   Fill out the information that <TT
CLASS="COMMAND"
>openssl</TT
> asks for. Make sure
   that you enter the local host name as <SPAN
CLASS="QUOTE"
>"Common Name"</SPAN
>; the challenge
   password can be left blank. The program will generate a key that is
   passphrase protected; it will not accept a passphrase that is less
   than four characters long. To remove the passphrase (as you must if
   you want automatic start-up of the server), run the commands
</P><PRE
CLASS="PROGRAMLISTING"
>openssl rsa -in privkey.pem -out server.key   # prompts for the passphrase, writes the key unprotected
rm privkey.pem                                 # the protected copy is no longer needed</PRE
><P>
   Enter the old passphrase to unlock the existing key. Now do
</P><PRE
CLASS="PROGRAMLISTING"
>openssl req -x509 -in server.req -text -key server.key -out server.crt   # self-sign the request with its own key
chmod og-rwx server.key                                                 # the key must be readable by the server owner only</PRE
><P>
   to turn the certificate into a self-signed certificate and to copy the
   key and certificate to where the server will look for them.
  </P
><P
>   If verification of client certificates is required, place the
   certificates of the <ACRONYM
CLASS="ACRONYM"
>CA</ACRONYM
>(s) you wish to check for in
   the file <TT
CLASS="FILENAME"
>root.crt</TT
> in the data directory.  When
   present, a client certificate will be requested from the client
   during SSL connection startup, and it must have been signed by one of
   the certificates present in <TT
CLASS="FILENAME"
>root.crt</TT
>.  (See <A
HREF="libpq-ssl.html"
>Section 29.16</A
> for a description of how to set up client
   certificates.) Certificate Revocation List (CRL) entries are also
   checked if the file <TT
CLASS="FILENAME"
>root.crl</TT
> exists.
  </P
><P
>   When the <TT
CLASS="FILENAME"
>root.crt</TT
> file is not present, client
   certificates will not be requested or checked.  In this mode, SSL
   provides communication security but not authentication.
  </P
><P
>   The files <TT
CLASS="FILENAME"
>server.key</TT
>, <TT
CLASS="FILENAME"
>server.crt</TT
>,
   <TT
CLASS="FILENAME"
>root.crt</TT
>, and <TT
CLASS="FILENAME"
>root.crl</TT
>
   are only examined during server start, so you must restart
   the server for changes to them to take effect.
  </P
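><P>
   The following script is an added example and is not part of the
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> documentation. It performs the key and certificate procedure above
   non-interactively (assuming an <TT
CLASS="COMMAND"
>openssl</TT
> that accepts <TT
CLASS="LITERAL"
>req -x509 -nodes -subj</TT
>) and then checks a data directory the way an SSL-enabled server
   would treat it: key and certificate present, key readable by the
   owner only, key not passphrase protected, and whether
   <TT
CLASS="FILENAME"
>root.crt</TT
> will turn on client certificate verification. File and function
   names other than <TT
CLASS="FILENAME"
>server.key</TT
>, <TT
CLASS="FILENAME"
>server.crt</TT
>, <TT
CLASS="FILENAME"
>root.crt</TT
> and <TT
CLASS="FILENAME"
>root.crl</TT
> are the example's own.
</P><PRE
CLASS="PROGRAMLISTING"
>
```shell
#!/bin/sh
# Added example, not PostgreSQL's own code: non-interactive form of the
# key/certificate procedure plus the pre-start checks its rules imply.
# Assumes POSIX sh, ls, cut, grep and an openssl accepting -x509 -nodes -subj.
set -eu

# Create server.key and server.crt in DATADIR for host HOSTNAME (the CN).
# -nodes writes the key without a passphrase, the same end state the text
# reaches with "openssl rsa -in privkey.pem -out server.key".
make_server_cert() {
    datadir=$1; hostname=$2
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$hostname" \
        -keyout "$datadir/server.key" -out "$datadir/server.crt"
    chmod og-rwx "$datadir/server.key"
}

# True if FILE is accessible by its owner only, i.e. chmod og-rwx was applied.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if FILE will not make the server prompt for a passphrase: both the
# legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker identify an encrypted key.
key_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Classify DATADIR as an SSL-enabled server would. Prints ssl-ready,
# ssl-with-client-auth, or a problem; returns 1 on a problem so the
# function can gate a service start.
ssl_datadir_status() {
    d=$1
    [ -f "$d/server.key" ] || { echo "missing server.key"; return 1; }
    [ -f "$d/server.crt" ] || { echo "missing server.crt"; return 1; }
    key_perms_ok "$d/server.key" || { echo "server.key readable by group/other"; return 1; }
    key_unencrypted "$d/server.key" || { echo "server.key is passphrase protected"; return 1; }
    if [ -f "$d/root.crt" ]; then
        # root.crt present: a client certificate is requested and must be
        # signed by a CA in it; root.crl, if present, is checked as well.
        echo "ssl-with-client-auth"
    else
        # Encryption only: no client certificate is requested or checked.
        echo "ssl-ready"
    fi
}

# Usage: sh ssl-check.sh /path/to/data   (exit status 1 if not ready)
[ $# -eq 0 ] || ssl_datadir_status "$1"
```
</PRE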
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="encryption-options.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="ssh-tunnels.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Encryption Options</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="runtime.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Secure TCP/IP Connections with <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> Tunnels</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>