Configuring certificate-based authentication for database connections
Overview
Out of the box, both CAST Storage Service and PostgreSQL are configured to accept unencrypted TCP/IP connections. However, certificate-based authentication (also known as “mutual TLS”) can be configured to secure connections between CAST Imaging and your database instances using both server and client certificates. The configuration consists of the following steps:
- Generate server and client keys and certificates for mutual certificate-based authentication
- Configure CAST Storage Service/PostgreSQL to require client certificate authentication
- Configure CAST components to present client certificates for database connections
- Declare the secure CAST Storage Service/PostgreSQL instance(s) in the CAST Imaging UI
Connections using ssl=require (i.e. without client certificates) are not supported.
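The following is an added example, not part of the CAST documentation: a Python check that reads a PostgreSQL pg_hba.conf and reports every TCP rule that would still admit a connection without a verified client certificate, including TLS-only rules. The sample file, its addresses and its user names are constructed for illustration; `cert` and `clientcert=verify-full` are standard PostgreSQL settings, and no CAST-specific configuration is assumed.

```python
import shlex

# Constructed sample pg_hba.conf; addresses and user names are illustrative.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER      ADDRESS          METHOD
local     all       postgres                   peer
host      all       all       127.0.0.1/32     scram-sha-256
hostssl   all       operator  10.0.0.0/8       scram-sha-256
hostssl   all       operator  10.1.0.0 255.255.0.0 scram-sha-256 clientcert=verify-full
hostssl   all       all       0.0.0.0/0        cert
hostnossl all       all       0.0.0.0/0        reject
"""

CLIENT_CERT_OPTIONS = {"clientcert=verify-full", "clientcert=verify-ca"}
NOT_TLS_ONLY = "rule is not hostssl, so it can match a connection without TLS"
NO_CLIENT_CERT = "TLS rule that does not require a client certificate"
UNPARSED = "could not parse rule, review manually"


def audit_pg_hba(text):
    """Return (line_number, reason) for each TCP rule that admits a
    connection without a verified client certificate."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if not fields or fields[0] == "local":    # Unix sockets are not TCP
            continue
        # ADDRESS is one field (CIDR, hostname, keyword) or two (IP + netmask).
        # Method names never contain '.' or ':', so that marks a netmask.
        idx = 4
        if len(fields) > 4 and ("." in fields[4] or ":" in fields[4]):
            idx = 5
        if idx >= len(fields):
            findings.append((lineno, UNPARSED))
            continue
        method, options = fields[idx], set(fields[idx + 1:])
        if method == "reject":                    # deny rules are always fine
            continue
        if fields[0] != "hostssl":
            findings.append((lineno, NOT_TLS_ONLY))
        elif method != "cert" and not (options & CLIENT_CERT_OPTIONS):
            findings.append((lineno, NO_CLIENT_CERT))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {reason}")
```
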
Requirements
Connecting to a CAST Storage Service or PostgreSQL instance configured to accept certificate-based authentication is supported in CAST Imaging 3.4.1-funcrel and later.
Technical notes
When installing CAST Imaging on Linux via Docker, CAST provides a database instance as a Docker image (see "What are the database requirements?"). By default, this instance will be used by CAST Imaging for both analysis data and persistence data storage needs. This instance cannot be configured to function with certificate-based authentication. However, you can install additional PostgreSQL instances for analysis data storage, set up certificate-based authentication and declare them in the CAST Imaging UI.
Configuration process
The instructions provided below assume that CAST Imaging is already installed and that your CAST Storage Service/PostgreSQL instances are not yet functioning with certificate-based authentication. Database instances are assumed to be either already declared in CAST Imaging, or not yet declared (i.e. you can configure an existing or new database instance with certificate-based authentication). Additional documentation is provided for situations where you need to either install CAST Imaging from scratch or update it to a new release and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication - see Installing or updating CAST Imaging with certificate-based database authentication below.
Installing or updating CAST Imaging with certificate-based database authentication
See Installing or updating CAST Imaging with certificate-based database authentication for more information about situations where you need to either install CAST Imaging from scratch or update it to a new release and your CAST Storage Service/PostgreSQL instance(s) are already configured with certificate-based authentication.