Step 2 - Configure CAST Storage Service/PostgreSQL
Overview
This step involves configuring your CAST Storage Service/PostgreSQL instance(s) to function with certificate-based authentication and accept secure incoming connections from clients:
- deal with server keys and certificates
- apply required permissions and ownership rights to server keys/certificates (Linux only)
- modify postgresql.conf to enable certificate-based authentication and define the server certificates
- modify pg_hba.conf to accept incoming secure connections
You will need to repeat each action for all CAST Storage Service/PostgreSQL instance(s) you want to secure.
Deal with server keys and certificates
Find the three server keys and certificates generated in Step 1 - Generate certificates and keys:
- server.key - server private key file
- server.crt - server certificate file
- root.crt - trusted root (CA) certificate; the server uses it to verify that connecting clients present a certificate signed by that CA
Copy these files to the folder on the CAST Storage Service/PostgreSQL instance containing the postgresql.conf file, as located below:
# Microsoft Windows:
%PROGRAMFILES%\CAST\CASTStorageService4\db_data
# Linux:
# Run the following commands in psql to locate the postgresql.conf file:
psql -U postgres
show config_file;
Apply required permissions and ownership rights to server keys/certificates (Linux only)
You’ll need to ensure that PostgreSQL can read the files and that the private key file permissions disallow any access to group or world:
chown postgres:postgres /path/to/server.{crt,key}
chown postgres:postgres /path/to/root.crt
chmod 0600 /path/to/server.key
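The chown/chmod step above is easy to get wrong on a second instance or after a key rotation, so here is an added checker (not part of the CAST documentation) that verifies the result the way PostgreSQL itself judges server.key on Unix: the key must be owned by the server account with no group/world bits, or be root-owned with at most group read (0640). The certificate files only need to be readable by the server account. The demo runs against a temporary directory with placeholder files (group membership is not evaluated; the postgres uid is passed in by the caller):

```python
import os
import stat
import tempfile


def key_file_problems(path, postgres_uid):
    """Apply PostgreSQL's own acceptance rule for the server private key:
    owned by the server user with mode 0600 or tighter, or owned by root
    with mode 0640 or tighter. Returns a list of findings; empty = OK."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == postgres_uid:
        if mode & 0o077:
            return [f"{path}: mode {mode:04o} grants group/world access; run chmod 0600"]
    elif st.st_uid == 0:
        if mode & 0o037:
            return [f"{path}: root-owned key must be 0640 or tighter, found {mode:04o}"]
    else:
        return [f"{path}: owned by uid {st.st_uid}, expected postgres ({postgres_uid}) or root"]
    return []


def cert_file_problems(path, postgres_uid):
    """server.crt and root.crt are public, but the server must still be able
    to read them (owner-read when owned by postgres, otherwise world-read;
    group membership is deliberately not modelled here)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    readable = (st.st_uid == postgres_uid and mode & stat.S_IRUSR) or (mode & stat.S_IROTH)
    return [] if readable else [f"{path}: not readable by uid {postgres_uid}"]


def check_server_tls_files(directory, postgres_uid):
    """Check the three files this page copies into the data directory."""
    problems = list(key_file_problems(os.path.join(directory, "server.key"), postgres_uid))
    for name in ("server.crt", "root.crt"):
        problems += cert_file_problems(os.path.join(directory, name), postgres_uid)
    return problems


def demo():
    """Constructed scenario: placeholder files in a temp dir, key first left
    world-readable, then fixed exactly as the chmod step on this page does.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("server.key", "server.crt", "root.crt"):
            with open(os.path.join(d, name), "w") as f:
                f.write("placeholder, not real PEM data\n")
        me = os.getuid()  # stands in for the postgres uid in this demo
        os.chmod(os.path.join(d, "server.key"), 0o644)
        before = check_server_tls_files(d, me)
        os.chmod(os.path.join(d, "server.key"), 0o600)
        after = check_server_tls_files(d, me)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 0600:", before)
    print("after  chmod 0600:", after)
```

Run it as the postgres user (or pass the postgres uid from `pwd.getpwnam("postgres").pw_uid`) against the real data directory after copying the files; any finding printed is something the server will refuse at startup or that will make the TLS handshake fail.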
Modify postgresql.conf to enable certificate-based authentication
Edit the postgresql.conf file to enable certificate-based authentication and define the location of the server keys and certificates. Modify the file as follows and then save it:
# - SSL -
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Modify pg_hba.conf to accept incoming secure connections
Edit the pg_hba.conf file to accept incoming secure connections. This file is usually stored in the same folder as the postgresql.conf file.
Modify the file to allow IPv4 and IPv6 (where appropriate) secure connections by adding hostssl entries and an appropriate authentication METHOD (see https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more information about this):
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 connections:
host all all 127.0.0.1/32 scram-sha-256
host all all 0.0.0.0/0 scram-sha-256
# Allow any IPv4 with SSL + password + a check on SSL cert
hostssl all all 127.0.0.1/32 scram-sha-256 clientcert=1
hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=1
# IPv6 connections:
host all all ::1/128 scram-sha-256
host all all ::0/0 scram-sha-256
# Allow any IPv6 with SSL + password + a check on SSL cert
hostssl all all ::1/128 scram-sha-256 clientcert=1
hostssl all all ::0/0 scram-sha-256 clientcert=1
- The hostssl entries given above are purely for example only. Please ensure that you tailor this file to your own environment and that the authentication METHOD is appropriate.
- The mix of host and hostssl entries above will allow both secure and unencrypted connections. If you prefer to block unencrypted connections, comment out all the lines starting with host by adding a # at the start of the line.
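One point worth checking before you rely on the clientcert option: PostgreSQL reads pg_hba.conf top to bottom and the first record that matches decides, so in the ordering shown above a TLS client from a non-loopback address matches `host all all 0.0.0.0/0 scram-sha-256` before it ever reaches the `hostssl ... clientcert=1` line (a `host` record matches both TLS and plain connections), and the client certificate is never demanded. Commenting out the `host` lines, as the note above suggests, or moving the `hostssl` records first, fixes that. The following added example (not CAST's code) is a small first-match simulator: it parses two constructed pg_hba.conf variants, the page's ordering and a certificate-required ordering that also rejects unencrypted TCP with `hostnossl ... reject`, and reports which record would authenticate a given connection. It handles CIDR addresses and the `all` keyword only; role membership, @files, host names and the two-field netmask form are left out. `clientcert=verify-ca` is the PostgreSQL 12+ spelling of `clientcert=1` (`verify-full` additionally matches the certificate CN against the database user); recent releases no longer accept the 0/1 form.

```python
import ipaddress

# Constructed copy of the ordering shown on this page (host records first).
PAGE_ORDER = """\
# TYPE DATABASE USER ADDRESS METHOD
local   all all peer
host    all all 127.0.0.1/32 scram-sha-256
host    all all 0.0.0.0/0    scram-sha-256
hostssl all all 127.0.0.1/32 scram-sha-256 clientcert=1
hostssl all all 0.0.0.0/0    scram-sha-256 clientcert=1
host    all all ::1/128      scram-sha-256
host    all all ::0/0        scram-sha-256
hostssl all all ::1/128      scram-sha-256 clientcert=1
hostssl all all ::0/0        scram-sha-256 clientcert=1
"""

# Constructed alternative: hostssl first, plain TCP explicitly rejected.
CERT_REQUIRED = """\
local     all all peer
hostssl   all all 0.0.0.0/0 scram-sha-256 clientcert=verify-ca
hostssl   all all ::0/0     scram-sha-256 clientcert=verify-ca
hostnossl all all 0.0.0.0/0 reject
hostnossl all all ::0/0     reject
"""


def parse_pg_hba(text):
    """Turn pg_hba.conf text into a list of rule dicts (CIDR addresses only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        rule = {"type": f[0], "database": f[1], "user": f[2]}
        if rule["type"] == "local":
            rule["address"], rule["method"], opts = None, f[3], f[4:]
        else:
            rule["address"] = ipaddress.ip_network(f[3], strict=False)
            rule["method"], opts = f[4], f[5:]
        rule["options"] = dict(o.split("=", 1) for o in opts)  # e.g. clientcert=1
        rules.append(rule)
    return rules


def matches(rule, conn):
    """conn: {"transport": "unix"|"tcp", "ssl": bool, "database", "user", "address"}."""
    t = rule["type"]
    if t == "local":
        if conn["transport"] != "unix":
            return False
    else:
        if conn["transport"] != "tcp":
            return False
        if t == "hostssl" and not conn["ssl"]:
            return False
        if t == "hostnossl" and conn["ssl"]:
            return False
        # 'in' is False across address families, so IPv4 never matches ::0/0
        if ipaddress.ip_address(conn["address"]) not in rule["address"]:
            return False
    for key in ("database", "user"):
        if rule[key] != "all" and rule[key] != conn[key]:
            return False
    return True


def first_match(rules, conn):
    """First matching record wins; None means PostgreSQL rejects the connection."""
    for i, rule in enumerate(rules):
        if matches(rule, conn):
            return i, rule
    return None


def requires_client_cert(rules, conn):
    """Will the record that authenticates this connection demand a client cert?"""
    hit = first_match(rules, conn)
    if hit is None:
        return False
    return hit[1]["options"].get("clientcert") in ("1", "verify-ca", "verify-full")


if __name__ == "__main__":
    tls = {"transport": "tcp", "ssl": True, "database": "cast",
           "user": "operator", "address": "10.0.0.5"}   # constructed client
    plain = dict(tls, ssl=False)
    page, hard = parse_pg_hba(PAGE_ORDER), parse_pg_hba(CERT_REQUIRED)
    i, r = first_match(page, tls)
    print(f"page order, TLS client -> record {i} ({r['type']}), cert enforced: {requires_client_cert(page, tls)}")
    print("cert-required, TLS client -> cert enforced:", requires_client_cert(hard, tls))
    print("cert-required, plain client -> method:", first_match(hard, plain)[1]["method"])
```

Feed it a copy of your own pg_hba.conf and the address ranges your CAST clients actually connect from; if the record reported for a TLS connection is a `host` record, the clientcert check is not in force for that client regardless of what the later `hostssl` lines say.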
Restart CAST Storage Service/PostgreSQL instance
Finally, restart your CAST Storage Service or PostgreSQL instance so that the changes you have made take effect.
What’s next?
See Step 3 - Configure CAST components to function with certificate-based authentication.