Doc Map

Primary/Standby Certificate Authentication Configuration

Scenarios

In the Lite scenario, the SSL certificate is required for direct authentication of the primary and standby nodes.

Prerequisites

The formal certificates and keys for the server and client have been obtained from the CA.

Precautions

Currently, openGauss supports only the X509v3 certificate in PEM format.

Procedure

  1. Prepare certificates and private keys.

    Conventions for configuration file names on the server:

    • Certificate name: server.crt
    • Private key name: server.key
    • Private key password and encrypted file: server.key.cipher and server.key.rand

    Conventions for configuration file names on the client:

    • Certificate name: client.crt
    • Private key name: client.key
    • Private keypassword and encrypted file: client.key.cipher and client.key.rand
    • Root certificate name: cacert.pem
    • CRL file name: sslcrl-file.crl

  2. Copy the certificates to the data directory of each node.

    1. Copy the configuration files server.crt, server.key, server.key.cipher, and server.key.rand on the server to the corresponding directories.
    2. Copy the configuration files client.crt, client.key, client.key.cipher, client.key.rand, and cacert.pem (if a CRL needs to be configured, the CRL must contain sslcrl-file.crl) on the client to the corresponding directories.

  3. (Optional) Encrypt the user password (skip this step if private keys have been generated for the certificates).

    • Primary node: gs_guc encrypt -M server -K key password -D ${GAUSSDATA}/
    • Standby node: gs_guc encrypt -M client -K key password -D ${GAUSSDATA}/

    ${GAUSSDATA} indicates the data directory.

  4. Configure SSL.

    gs_guc set -D ${GAUSSDATA} -c "ssl=on" 
gs_guc set -D ${GAUSSDATA} -c "ssl_ciphers = 'ALL'" 
gs_guc set -D ${GAUSSDATA} -c "ssl_cert_file = 'server.crt'" 
gs_guc set -D ${GAUSSDATA} -c "ssl_key_file = 'server.key'" 
gs_guc set -D ${GAUSSDATA} -c "ssl_ca_file = 'cacert.pem'"

  5. Export the following environment variables from the standby node (the file permission cannot be greater than 600):

    export PGSSLCERT="${GAUSSDATA}/client.crt"

    export PGSSLKEY="${GAUSSDATA}/client.key"

    export PGSSLROOTCERT="${GAUSSDATA}/cacert.pem"

  6. Restart the primary and standby openGauss in sequence.

    gs_ctl restart -D ${GAUSSDATA}
Feedback
编组 3备份

您对 openGauss文档 的整体满意度如何?

0
0-不满意10-非常满意

0/500

感谢您的反馈,如需帮助可联系contact@opengauss.org

问题反馈

contact@opengauss.org

    openGauss 2024-07-27 00:59:22
    cancel