Configuring certificate-based authentication for database connections
Overview
Out-of-the-box, both CAST Storage Service and PostgreSQL accept unencrypted TCP/IP connections. Certificate-based authentication (also known as "mutual TLS") can instead be configured to secure the connections between CAST Imaging and your database instances: the server presents a certificate that the client verifies, and the client presents a certificate that the server verifies before granting access. This configuration includes:
- Generate server and client keys and certificates for mutual certificate-based authentication, depending on the encryption mode (sslmode) you are using
- Configure CAST Storage Service/PostgreSQL to accept client certificate authentication
- Configure CAST components to present client certificates for database connections
- Declare the secure CAST Storage Service/PostgreSQL instance(s) in the CAST Imaging UI
Requirements
Connecting to a CAST Storage Service or PostgreSQL instance configured to accept certificate-based authentication is supported in CAST Imaging 3.4.1-funcrel and later.
What is supported?
PostgreSQL (and therefore CAST Storage Service) offers several connection security modes, selected through the client-side sslmode setting. The modes differ in whether the connection is encrypted and in how far the server certificate is verified; CAST Imaging supports them as follows:
Mode (sslmode) | Description | Client certificates required? | Supported in CAST Imaging? | Target OS |
---|---|---|---|---|
disable | Plain TCP only; no TLS, no certificates. | ❌ | always | all |
allow | Try an unencrypted connection first; if the server rejects it, retry with TLS. The server certificate is not verified. | ❌ | ≥ 3.4.1 | all |
prefer | Try TLS first; if the server does not support it, fall back to an unencrypted connection. The server certificate is not verified. | ❌ | ≥ 3.4.1 | all |
require | Always use TLS; fail if the server cannot. The server certificate is not verified against a CA, so the link is encrypted but the server is not authenticated. | ❌ | ≥ 3.4.3 | Linux/Docker only |
verify-ca | Always use TLS and verify that the server certificate is signed by a trusted Certificate Authority. | ✅ | ≥ 3.4.1 | all |
verify-full | As verify-ca, and additionally check that the database hostname matches the certificate (Subject Alternative Name, or CN when no SAN is present). | ✅ | ≥ 3.4.1 | all |
Note that only verify-ca and verify-full authenticate the database server: with require or lower the link is encrypted at best, and anything able to intercept the network path can terminate the TLS session with its own certificate. verify-ca still accepts any certificate issued by the trusted CA, whatever host it names, so verify-full is the mode to use when that CA signs certificates for more than one host.
Technical notes
When installing CAST Imaging on Linux via Docker, CAST provides a database instance as a Docker image - see What are the database requirements?. By default, CAST Imaging uses this instance for both analysis data and persistence data storage. This instance cannot be configured for certificate-based authentication. However, you can install additional PostgreSQL instances for analysis data storage, set up certificate-based authentication on them, and declare them in the CAST Imaging UI.
Configuration process
The instructions provided below assume that CAST Imaging is already installed and that your CAST Storage Service/PostgreSQL instances are not yet functioning with certificate-based authentication. The database instances may already be declared in CAST Imaging or not yet declared (i.e. you can configure either an existing or a new database instance with certificate-based authentication). Additional documentation is provided for situations where you need to either install CAST Imaging from scratch or update it to a new release while your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication - see Installing or updating CAST Imaging with certificate-based database authentication below.
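The four steps listed in the overview are worked end to end below as an added example; it is not CAST's own tooling or documentation, and it covers only the OpenSSL and PostgreSQL side of the procedure (the CAST-side declaration of the instance stays in the CAST Imaging UI, as described on this page). It also shows, through openssl verify -verify_hostname, the extra check that separates verify-full from verify-ca in the table above. The hostname db.example.internal, the database role cast_user, the network 10.0.0.0/8, the file names and the assumption that the CAST components use the PostgreSQL JDBC driver are all placeholders or assumptions, not values taken from CAST documentation.

```shell
#!/bin/sh
# Added example, not part of CAST's documentation or tooling. Builds a private
# CA, a server certificate for the PostgreSQL/CAST Storage Service host and a
# client certificate for the database role, writes the server-side config
# fragments, and checks the result the way a verify-ca/verify-full client does.
# Assumptions: openssl 1.1.1+ on PATH; hostname, role, network and file
# names are placeholders to replace with your own values.
set -eu

make_pki() {            # make_pki <dir> <db-hostname> <db-role>
    dir=$1; host=$2; role=$3
    mkdir -p "$dir"
    # Minimal request config so the script does not depend on the system
    # openssl.cnf; -subj overrides the placeholder CN.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    (
        cd "$dir" || exit 1
        # 1. Private CA. CA:TRUE + keyCertSign are required for current
        #    OpenSSL to accept this certificate as an issuer.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config req.cnf \
            -extensions ca_ext -keyout ca.key -out ca.crt \
            -subj "/CN=CAST Imaging DB CA" 2>/dev/null
        # 2. Server certificate. sslmode=verify-full matches the hostname
        #    against the SAN, so the SAN must carry the name clients use.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -keyout server.key -out server.csr -subj "/CN=$host" 2>/dev/null
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile server.ext -out server.crt 2>/dev/null
        # 3. Client certificate. With the pg_hba "cert" method PostgreSQL maps
        #    the certificate CN to the database role, so CN must equal the role.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -keyout client.key -out client.csr -subj "/CN=$role" 2>/dev/null
        printf 'extendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile client.ext -out client.crt 2>/dev/null
        # Java clients (assumption: the PostgreSQL JDBC driver) want the client
        # key as unencrypted PKCS#8 DER rather than PEM.
        openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
            -in client.key -out client.pk8
        # PostgreSQL refuses a group/world-readable server key; libpq applies
        # the same rule to the client key.
        chmod 600 ca.key server.key client.key client.pk8
    )
}

verify_chain() {        # verify_chain <dir>: both leaf certs chain to the CA (verify-ca)
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null 2>&1
}

check_server_hostname() {   # check_server_hostname <dir> <hostname>: the extra verify-full check
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

client_cn() {           # client_cn <dir>: the role PostgreSQL will map the client cert to
    openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

write_pg_config() {     # write_pg_config <dir> <db-role> <client-cidr>
    cat > "$1/postgresql.conf.fragment" <<EOF
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'ca.crt'
ssl_min_protocol_version = 'TLSv1.2'
EOF
    # "cert" demands a client certificate chaining to ssl_ca_file and maps its
    # CN to the role. Place this line above any plain "host" rules, otherwise
    # an earlier non-TLS rule can match first.
    cat > "$1/pg_hba.conf.fragment" <<EOF
hostssl  all  $2  $3  cert
EOF
}

conninfo() {            # conninfo <dir> <host> <role> <dbname>: libpq connection string
    printf 'host=%s dbname=%s user=%s sslmode=verify-full' "$2" "$4" "$3"
    printf ' sslrootcert=%s/ca.crt sslcert=%s/client.crt sslkey=%s/client.key\n' "$1" "$1" "$1"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_pki "$d" db.example.internal cast_user
    write_pg_config "$d" cast_user 10.0.0.0/8
    verify_chain "$d" && echo "chain ok, client CN=$(client_cn "$d"), files in $d"
fi
```

Run it as sh make-db-pki.sh demo, then copy the server files into the PostgreSQL data directory and the client files to the CAST host. The two openssl verify calls are the same checks libpq performs for verify-ca and verify-full: verify_chain accepts any certificate this CA issued, whatever host it names, which is exactly why check_server_hostname, and therefore verify-full, matters once the CA signs more than one server certificate.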
Installing or updating CAST Imaging with certificate-based database authentication
See Installing or updating CAST Imaging with certificate-based database authentication for more information about situations where you need to either install CAST Imaging from scratch or update it to a new release and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication.