In order to use SSL, the ssl parameter must be set in the PostgreSQL server’s postgresql.conf file and the server certificate and private key must exist and be in the default data directory or another directory specified in the configuration.
If the client is required to supply a trusted certificate, root CAs must also be present on the server and the pg_hba.conf file should require the connecting user to provide a certificate.
The first method is simply accessing the certificate files on the filesystem of the FglAM host. File paths are provided to the agent through the file path agent properties described in the Setting SSL Connection Parameters section of Knowledgebase article 4229686.
If using an SSL Key file, it must be converted to PKCS8 format with the following command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt
The “-nocrypt” argument can be dropped to leave the key encrypted; however, a password must be created during encryption and provided in the agent properties.
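A pre-flight check for the key file described above, as an added example that is not part of the original article: it reads the outer DER structure to tell whether a file is still PEM, an unencrypted PKCS8 DER key (the -nocrypt output), or an encrypted PKCS8 DER key that needs a password in the agent properties. The function names and the sample byte strings are constructed for illustration.

```python
import sys

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _child_tags(buf):
    """Tags of the elements directly inside the single outer SEQUENCE."""
    tag, pos, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single DER SEQUENCE")
    tags = []
    while pos < end:
        child, _, pos = _read_tlv(buf, pos)
        tags.append(child)
    return tags

def classify_key_file(data):
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                       # conversion to DER was not applied
    try:
        tags = _child_tags(data)
    except (ValueError, IndexError):
        return "unknown"
    if tags[:3] == [0x02, 0x30, 0x04]:     # version, AlgorithmIdentifier, key
        return "pkcs8-der-unencrypted"     # -nocrypt output: restrict file access
    if tags == [0x30, 0x04]:               # AlgorithmIdentifier, ciphertext
        return "pkcs8-der-encrypted"       # password needed in agent properties
    return "other-der"                     # e.g. PKCS#1 key or a certificate

# Constructed samples: valid outer structure, dummy key bytes (not real keys).
SAMPLE_NOCRYPT = bytes.fromhex("3018020100300d06092a864886f70d01010105000404deadbeef")
SAMPLE_ENCRYPTED = bytes.fromhex("3015300d06092a864886f70d01050d05000404deadbeef")

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(classify_key_file(fh.read()))
```

Run it with the path to postgresql.pk8 as the only argument. A result of "pkcs8-der-unencrypted" means the private key is readable by anyone who can read the file, so limit access to the account that runs the agent.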
The other method requires the certificates to be imported into the Java truststore. On older versions of the JRE, the server certificate will first need to be converted into a different format, using this command:
openssl x509 -outform DER -in server.crt -out server.crt.der
Then, it must be imported into the FglAM truststore. You can use the bundled keytool, which will be located in the [FGLAM_HOME]\jre\1.8.0.72\jre\bin directory, or the equivalent on your system, with this command:
keytool.exe -import -file server.crt.der -keystore ..\lib\security\cacerts -alias postgresql
If you have not changed the password for the keystore, the default password will be “changeit”.
Since the previous command imports the certificate into the JRE default truststore, the import can be lost after an upgrade. To preserve this truststore, make a copy of the cacerts file and save it somewhere else in the FglAM installation directory, e.g. [FGLAM_HOME]\truststore.
Next, edit the baseline.jvmargs.config file in the [FGLAM_HOME]\state\default\config directory and add the following parameters with file paths and passwords appropriate for your system. Escape any quotes with a ‘\’. The paths should be adjusted to meet the current environment.
vmparameter.0 = "-Djavax.net.ssl.trustStore=\"C:/Quest/Foglight Agent Manager/truststore/cacerts\"";
vmparameter.1 = "-Djavax.net.ssl.trustStorePassword=changeit";