Background
openGauss supports the standard SSL (TLS 1.2). As a highly secure protocol, SSL authenticates bidirectional identification between the server and client using digital signatures and digital certificates to ensure secure data transmission.
Prerequisites
Formal certificates and keys for servers and clients have been obtained from the Certificate Authority (CA). Assume the private key and certificate for the server are server.key and server.crt, the private key and certificate for the client are client.key and client.crt, and the CA root certificate is cacert.pem.
Precautions
When a user remotely accesses the primary node of the database, the SHA-256 authentication method is used.
If internal servers are connected with each other, the trust authentication mode must be used. IP address whitelist authentication is supported.
Procedure
After a database is deployed, openGauss enables the SSL authentication mode by default. The server certificate, key, and root certificates have been configured. You need to set client parameters.
Set digital certificate parameters related to SSL authentication. For details, see Table 1.
Configure client parameters.
The default client certificate, key, root certificate, and key encrypted file have been obtained from the CA authentication center. Assume that the certificate, key, and root certificate are stored in the /home/omm directory.
For bidirectional authentication, set the following parameters:
export PGSSLCERT="/home/omm/client.crt"
export PGSSLKEY="/home/omm/client.key"
export PGSSLMODE="verify-ca"
export PGSSLROOTCERT="/home/omm/cacert.pem"
For unidirectional authentication, set the following parameters:
export PGSSLMODE="verify-ca"
export PGSSLROOTCERT="/home/omm/cacert.pem"
Change the client key permission.
The permission of the client root certificate, key, certificate, and encrypted key file should be 600. Otherwise, the client cannot connect to openGauss through SSL.
chmod 600 client.key
chmod 600 client.crt
chmod 600 client.key.cipher
chmod 600 client.key.rand
chmod 600 cacert.pem
NOTICE: You are advised to use bidirectional authentication for security purposes. The environment variables configured for a client must contain the absolute file paths.
Table 1 Authentication modes
Reference
In the postgresql.conf file on the server, set the related parameters. For details, see Table 2.
Table 2 Server parameters
Configure environment variables related to SSL authentication on the client. For details, see Table 3.
NOTE: The path of environment variables is set to /home/omm as an example. Replace it with the actual path.
Table 3 Client parameters
The following table describes the connection results based on the settings of the server parameters ssl and require_ssl and the client parameter sslmode.
ssl (Server)
sslmode (Client)
require_ssl (Client)
Result
on
disable
on
The connection fails, because the server requires SSL but the client has disabled it.
disable
off
The connection is not encrypted.
allow
on
The connection is encrypted.
allow
off
The connection is not encrypted.
prefer
on
The connection is encrypted.
prefer
off
The connection is encrypted.
require
on
The connection is encrypted.
require
off
The connection is encrypted.
verify-ca
on
The connection is encrypted and the server certificate is verified.
verify-ca
off
The connection is encrypted and the server certificate is verified.
verify-full
on
The connection is encrypted and the server certificate and host name are verified.
verify-full
off
The connection is encrypted and the server certificate and host name are verified.
off
disable
on
The connection is not encrypted.
disable
off
The connection is not encrypted.
allow
on
The connection is not encrypted.
allow
off
The connection is not encrypted.
prefer
on
The connection is not encrypted.
prefer
off
The connection is not encrypted.
require
on
The connection fails, because the client requires SSL but the server has disabled it.
require
off
The connection fails, because the client requires SSL but the server has disabled it.
verify-ca
on
The connection fails, because the client requires SSL but the server has disabled it.
verify-ca
off
The connection fails, because the client requires SSL but the server has disabled it.
verify-full
on
The connection fails, because the client requires SSL but the server has disabled it.
verify-full
off
The connection fails, because the client requires SSL but the server has disabled it.
A series of encryption and authentication algorithms with different strength are supported for SSL transmission. You can modify ssl_ciphers in postgresql.conf to specify the encryption algorithm used by the database server. Table 4 lists the encryption algorithms supported by the SSL.
Table 4 Encryption algorithm suites
NOTE:
Currently, only the six encryption algorithm suites listed in the preceding table are supported.
The default value of ssl_ciphers is ALL, indicating that all encryption algorithms listed in the table are supported. 为保持前向兼容保留了DHE算法套件,即DHE-RSA-AES128-GCM-SHA256和DHE-RSA-AES256-GCM-SHA384,根据CVE-2002-20001漏洞披露DHE算法存在一定安全风险,非兼容场景不建议使用,可将ssl_ciphers参数配置为仅支持ECDHE类型算法套件。
To specify the preceding cipher suites, set** ssl_ciphers** to the OpenSSL suite names in the preceding table. Use semicolons (;) to separate cipher suites. For example, set ssl_ciphers in postgresql.conf as follows: ssl_ciphers='ECDHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256'
SSL authentication increases the time spent for login (creating the SSL environment) and logout processes (clearing the SSL environment), and requires extra time for encrypting the data to be transferred. It affects performance especially in frequent login, logout, and short-time query scenarios.
If the certificate validity period is less than seven days, an alarm is generated in the log when a user logs in to the system.
Top comments (0)