Configuring certificate-based authentication for database connections

Available in ≥ 3.4.1-funcrel

Overview

Out-of-the-box, both CAST Storage Service and PostgreSQL are configured to accept unencrypted TCP/IP connections. However, certificate-based authentication (also known as “mutual TLS”) can be configured to secure connections between CAST Imaging and your database instances using both server and client certificates. This configuration includes:

Generate server and client keys and certificates for mutual certificate-based authentication
Configure CAST Storage Service/PostgreSQL to require client certificate authentication
Configure CAST components to present client certificates for database connections
Declare the secure CAST Storage Service/PostgreSQL instance(s) in the CAST Imaging UI

Mutual TLS requires both server and client certificates for authentication. Simple SSL/TLS connections with ssl=require (i.e. without client certificates) are not supported.

Requirements

Connecting to a CAST Storage Service or PostgreSQL instance configured to accept certificate-based authentication is supported in CAST Imaging 3.4.1-funcrel and later.

Technical notes

When installing CAST Imaging on Linux via Docker, CAST provides a database instance as a Docker image - see What are the database requirements?. By default, this instance will be used by CAST Imaging for both analysis data and persistence data storage needs. This instance cannot be configured to function with certificate-based authentication. However, you can install additional PostgreSQL instances for analysis data storage, setup certificate-based authentication and declare them in the CAST Imaging UI.

Configuration process

The instructions provided below assume that CAST Imaging is installed already and that your CAST Storage Service/PostgreSQL instances are not yet functioning with certificate-based authentication. Database instances are assumed to be either already declared in CAST Imaging, or not yet declared (i.e you can configure an existing or new database instance with certificate-based authentication). Additional documentation is provided for situations where you need to either install CAST Imaging from scratch or update it to a new release and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication - see Installing or updating CAST Imaging with certificate-based database authentication below.

Step 1

Generate server and client keys and certificates

Step 2

/ Configure CAST Storage Service/PostgreSQL

Step 3

Configure CAST Imaging v3 components

Step 4

Step 4 - Declare the CAST Storage Service/PostgreSQL

Installing or updating CAST Imaging with certificate-based database authentication

See Installing or updating CAST Imaging with certificate-based database authentication for more information about situations where you need to either install CAST Imaging from scratch or update it to a new release and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication.