Configuring certificate-based authentication for database connections

Available in ≥ 3.4.1-funcrel

Overview

Out of the box, both CAST Storage Service and PostgreSQL accept unencrypted TCP/IP connections. Certificate-based authentication (also known as "mutual TLS") can be configured to protect the connections between CAST Imaging and your database instances: the server presents a certificate that the client verifies, and the client presents a certificate that the server verifies. The configuration consists of:

  • Generating server and client keys and certificates for mutual certificate-based authentication, depending on the encryption mode you are using
  • Configuring CAST Storage Service/PostgreSQL to require client certificate authentication
  • Configuring the CAST components to present client certificates when they open database connections
  • Declaring the secured CAST Storage Service/PostgreSQL instance(s) in the CAST Imaging UI

Requirements

Connecting to a CAST Storage Service or PostgreSQL instance configured to accept certificate-based authentication is supported in CAST Imaging 3.4.1-funcrel and later.

What is supported?

PostgreSQL/CAST Storage Service supports several connection modes (the libpq sslmode values), and CAST supports them as follows:

| Mode | Description | Client certificates required? | Supported in CAST Imaging? | Target OS |
|---|---|---|---|---|
| disable | Do not use TLS; only a non-encrypted connection is attempted. | n/a (no TLS) | always | all |
| allow | Attempt a non-encrypted connection first; if the server refuses it, retry with TLS. | Server-controlled (pg_hba.conf) | ≥ 3.4.1 | all |
| prefer | Attempt a TLS connection first; if that fails, fall back to a non-encrypted connection. | Server-controlled (pg_hba.conf) | ≥ 3.4.1 | all |
| require | Always use TLS. The server certificate is not validated (unless a root CA file is supplied, in which case libpq behaves as for verify-ca). | Server-controlled (pg_hba.conf) | ≥ 3.4.3 | Linux/Docker only |
| verify-ca | Use TLS and verify that the server certificate is signed by a trusted Certificate Authority. | Server-controlled (pg_hba.conf) | ≥ 3.4.1 | all |
| verify-full | Use TLS, verify that the server certificate is signed by a trusted CA, and check that the hostname matches the certificate. | Server-controlled (pg_hba.conf) | ≥ 3.4.1 | all |

Two points to keep in mind when choosing a mode. First, the mode governs what the client does about encryption and server-certificate checking; whether a client certificate is actually required is decided by the server, through the authentication method (cert) or the clientcert option in its pg_hba.conf. Second, only verify-full protects against an impersonated server: allow and prefer can silently end up on a cleartext connection, and require accepts any certificate the server presents.

Technical notes

When installing CAST Imaging on Linux via Docker, CAST provides a database instance as a Docker image - see What are the database requirements?. By default, CAST Imaging uses this instance for both analysis data and persistence data storage. This bundled instance cannot be configured for certificate-based authentication. You can, however, install additional PostgreSQL instances for analysis data storage, set up certificate-based authentication on them, and declare them in the CAST Imaging UI.

Configuration process

The instructions provided below assume that CAST Imaging is already installed and that your CAST Storage Service/PostgreSQL instances are not yet using certificate-based authentication. The database instances may already be declared in CAST Imaging or not yet declared: you can configure certificate-based authentication for an existing or a new instance. If instead you need to install CAST Imaging from scratch, or update it to a new release, against CAST Storage Service/PostgreSQL instance(s) that are already configured with certificate-based authentication, see Installing or updating CAST Imaging with certificate-based database authentication below.
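The first two steps of the process (generating the key material and configuring the server to require client certificates) can be scripted. The script below is an added example written for this page; it is not CAST's own tooling and the hostname css.example.internal, the role name operator, the subnet 10.0.0.0/8 and the output directory are assumptions. It builds a small private CA, issues a server certificate whose subjectAltName carries the hostname (what verify-full checks) and a client certificate whose CN is the database role (what the cert authentication method maps onto a role), verifies both against the CA, and writes the postgresql.conf and pg_hba.conf fragments plus the libpq connection string a client would use with sslmode=verify-full.

```shell
# Added example, not from the CAST documentation: a minimal private PKI for mutual TLS
# between CAST Imaging and a PostgreSQL/CAST Storage Service host, plus the matching
# server-side settings. Hostname, role name, subnet and paths are assumptions.
set -eu

# Build CA, server and client material in directory $1.
# $2 = database host name exactly as clients will spell it (checked by verify-full)
# $3 = database role; with the 'cert' auth method PostgreSQL maps the client
#      certificate CN onto the role name, so the CN must equal the role.
make_mtls_pki() {
    out="$1"; host="${2:-css.example.internal}"; role="${3:-operator}"
    mkdir -p "$out"
    # 1. Private CA (in production, have your organisation's CA sign the CSRs instead).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=CAST Imaging DB CA" -keyout "$out/root.key" -out "$out/root.crt" 2>/dev/null
    # 2. Server certificate: verify-full matches the host name against the SAN,
    #    so the name goes there (a bare CN is not enough for current libpq).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$out/server.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/root.crt" -CAkey "$out/root.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$out/server.ext" -out "$out/server.crt" 2>/dev/null
    # 3. Client certificate: CN = database role.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$role" \
        -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl x509 -req -in "$out/client.csr" -CA "$out/root.crt" -CAkey "$out/root.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$out/client.ext" -out "$out/client.crt" 2>/dev/null
    # libpq refuses a client key readable by group/other; the server applies the same rule to its key.
    chmod 0600 "$out"/*.key
    rm -f "$out"/*.csr
}

# Both leaf certificates must chain to the CA the other side trusts; returns openssl's status.
verify_mtls_pki() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}

# Server-side fragments to merge into postgresql.conf / pg_hba.conf, then reload.
# 'cert' demands a valid client certificate and uses its CN as the role name;
# 'hostssl' rules never match a cleartext connection, and the hostnossl line
# rejects such connections explicitly so allow/prefer clients cannot downgrade.
write_server_config() {
    out="$1"; subnet="${2:-10.0.0.0/8}"
    cat > "$out/postgresql.conf.fragment" <<EOF
ssl = on
ssl_cert_file = '$out/server.crt'
ssl_key_file = '$out/server.key'
ssl_ca_file = '$out/root.crt'
ssl_min_protocol_version = 'TLSv1.2'
EOF
    cat > "$out/pg_hba.conf.fragment" <<EOF
# TYPE    DATABASE  USER  ADDRESS       METHOD
hostssl   all       all   $subnet   cert
hostnossl all       all   $subnet   reject
EOF
}

# Client side: the libpq connection string a CAST component (or psql) would use.
# $1 = PKI directory, $2 = host name, $3 = role.
client_conninfo() {
    printf 'host=%s dbname=postgres user=%s sslmode=verify-full sslrootcert=%s/root.crt sslcert=%s/client.crt sslkey=%s/client.key\n' \
        "$2" "$3" "$1" "$1" "$1"
}

# Usage: sh this_script.sh /etc/cast/pki
if [ "${1:-}" ]; then
    make_mtls_pki "$1" css.example.internal operator
    verify_mtls_pki "$1" && write_server_config "$1"
    client_conninfo "$1" css.example.internal operator
fi
```

The hostnossl reject line is the practitioner's safeguard for the allow and prefer modes in the table above: a client that would otherwise fall back to cleartext is refused rather than silently downgraded. The 0600 permission on the key files is not optional; libpq will refuse to use a client key that is group- or world-readable.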

Installing or updating CAST Imaging with certificate-based database authentication

See Installing or updating CAST Imaging with certificate-based database authentication for the cases where you need to install CAST Imaging from scratch, or update it to a new release, and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication.