Configuring an SSL Connection for the PostgreSQL agent (4229097)

Configuring an SSL Connection for the PostgreSQL agent

This article outlines the steps required to configure an encrypted SSL connection between the PostgreSQL Agent and a PostgreSQL server. For full details on secure connections, refer to the Secure TCP/IP Connections with SSL section in the PostgreSQL documentation for your version.

1. Server-Side Configuration

• Ensure ssl = on is set in postgresql.conf.
• Place the server certificate and private key in the data directory or a configured path.
• If client certificates are required, configure pg_hba.conf to require certificate authentication and ensure root CA certificates are present.

2. Client-Side Configuration

The agent supports two methods for accessing certificates:

Method A: Using the Filesystem

• Provide certificate paths via agent properties (see KB article 4229786).
• If using a key file, convert it to PKCS8 format:

openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt
    

To keep the key encrypted, omit -nocrypt and provide the password in agent properties.

Method B: Using the Java Truststore

• Convert the server certificate to DER format:

openssl x509 -outform DER -in server.crt -out server.crt.der
    

• Import into the truststore using keytool:

keytool.exe -import -file server.crt.der -keystore ..\lib\security\cacerts -alias postgresql
    

Default password for cacerts is changeit.

To preserve the truststore across upgrades, copy cacerts to a custom location (e.g., [FGLAM_HOME]\truststore).

 

3. Configure JVM Parameters

Edit baseline.jvmargs.config in [FGLAM_HOME]\state\default\config:

vmparameter.0 = "-Djavax.net.ssl.trustStore="C:/Quest/Foglight Agent Manager/truststore/cacerts"";
vmparameter.1 = "-Djavax.net.ssl.trustStorePassword=changeit";
    

Escape quotes and adjust paths to match your environment.

 

4. Restart FglAM

Restart the Foglight Agent Manager to apply changes.

The default truststore (cacerts) ships with multiple well known 3rd party CA certificates for convenience but using the -Djavax.net.ssl.trustStore parameter overrides the default trust store for the JRE that runs the FglAM. If additional CA certificates are required, use the default cacerts as a starting point; import the additional CA certificates into cacerts and make a copy of this file as the custom trust store to take advantage of the existing CA certificates.