-
Open a command console session. Create a private key and certificate signing request (CSR) by typing a command similar to the following at the command prompt:
openssl req -newkey rsa:2048 -nodes -keyout postgresql.key -out postgresql.csr
and press enter to generate a key file named postgresql.key.
-
Type responses to the prompts that correspond to your country, state, locality, city, company, organization, common name, and email address. The certificate common name (CN) must be set to the database user name used to connect to PostgreSQL on the client. Leave password and optional company name blank.
-
Convert the generated key file from PEM format to PKCS8 format by typing the following command at the command prompt:
openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt
and press enter to generate a converted key file named postgresql.pk8.
-
Grant read permission on the key file for the group by typing the following command at the command prompt:
chmod 640 postgresql.pk8
and press enter.
-
Generate a signed client certificate from the trusted root.crt and server.key in the PostgreSQL data directory by typing the following command at the command prompt:
openssl x509 -req -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial -outform pem
and press enter.
-
Verify the client certificate, postgresql.crt, with the trusted root certificate by typing the following command at the command prompt:
openssl verify -CAfile root.crt -purpose sslclient postgresql.crt
and press enter.
-
Copy root.crt (trusted root certificate), postgresql.crt (client certificate), and postgresql.key (private key) to the client machine pgadmin %appdata%\postgresql for Windows or pgadmin ~/.postgresql/ for Linux.
-
Change the file permissions for postgresql.key to restrict access to just you.
-
Delete the root.crt (trusted root certificates), postgresql.crt (client certificate), and postgresql.key (private key) files from the server /tmp/ directory.
-
Open a command console session and navigate to the Connect CDC kernel directory on the client machine, which by default is <Precisely_Connect_Install>\ConnectCDCV57\kernel>.
-
Extract the PostgreSQL.properties file from Omni.jar to the kernel folder using the Java jar utility. Type the following commands at the command prompt:
jar xf Omni.jar omnienterprise/gdbc/PostgresSQL.properties
mv omnienterprise/gdbc/PostgresSQL.properties .
-
Using a text editor, open PostgreSQL.properties for editing and change the value of the JDBC URL parameter to include the TLS encryption parameters, similar to the following:
url=jdbc:postgresql://%HOST:%PORT/%SERVER?ssl=true&autosave=always&sslmode=verify-full&sslcert={location of client certificate}&sslkey={location of private key}&sslrootcert={location of trusted root certificate}
Using sslmode=verify-full is recommended for the highest level of security. Refer to https://www.postgresql.org/docs/9.1/libpq-ssl.html (Protection Provided in Different Modes) for a description of the other options and the trade-offs between security and performance.
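
The certificate steps above can be checked in one pass before the files are copied to the client. The script below is an added example, not part of the original procedure or the product: the function names, the user name appuser, and the throwaway CA key ca.key (the procedure itself signs with server.key) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: pre-flight checks on the client bundle built in the steps above.
# File names follow the page; "appuser" and the throwaway CA are constructed.

# check_client_cert DIR DB_USER: prints each failure, returns 0 only if all pass.
check_client_cert() {
    ccc_dir=$1 ccc_user=$2 ccc_rc=0
    # 1. The CN must equal the database user name used to connect.
    ccc_cn=$(openssl x509 -in "$ccc_dir/postgresql.crt" -noout -subject \
                 -nameopt multiline | sed -n 's/^ *commonName *= *//p')
    [ "$ccc_cn" = "$ccc_user" ] ||
        { echo "FAIL: CN '$ccc_cn' is not database user '$ccc_user'"; ccc_rc=1; }
    # 2. The certificate must chain to root.crt and be valid for TLS client use.
    openssl verify -CAfile "$ccc_dir/root.crt" -purpose sslclient \
        "$ccc_dir/postgresql.crt" >/dev/null 2>&1 ||
        { echo "FAIL: postgresql.crt does not verify against root.crt"; ccc_rc=1; }
    # 3. The PKCS8 DER key must be the private half of the certified public key.
    ccc_kpub=$(openssl pkey -inform DER -in "$ccc_dir/postgresql.pk8" -pubout \
                   2>/dev/null) || ccc_kpub=
    ccc_cpub=$(openssl x509 -in "$ccc_dir/postgresql.crt" -noout -pubkey) || ccc_cpub=
    { [ -n "$ccc_kpub" ] && [ "$ccc_kpub" = "$ccc_cpub" ]; } ||
        { echo "FAIL: postgresql.pk8 does not match postgresql.crt"; ccc_rc=1; }
    # 4. chmod 640 leaves nothing for "other": characters 8-10 of the mode string.
    [ "$(ls -ld "$ccc_dir/postgresql.pk8" | cut -c8-10)" = "---" ] ||
        { echo "FAIL: postgresql.pk8 is accessible to other users"; ccc_rc=1; }
    return $ccc_rc
}

# make_demo_bundle DIR CN: constructed sample input (throwaway CA, 1-day validity).
make_demo_bundle() {
    mdb=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 1 \
        -keyout "$mdb/ca.key" -out "$mdb/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$mdb/postgresql.key" -out "$mdb/postgresql.csr" 2>/dev/null &&
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$mdb/postgresql.key" -out "$mdb/postgresql.pk8" &&
    chmod 640 "$mdb/postgresql.pk8" &&
    openssl x509 -req -in "$mdb/postgresql.csr" -CA "$mdb/root.crt" \
        -CAkey "$mdb/ca.key" -CAcreateserial -days 1 \
        -out "$mdb/postgresql.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_bundle "$demo" appuser &&
    check_client_cert "$demo" appuser && echo "bundle OK for appuser"
rm -rf "$demo"
```

Run check_client_cert against the directory holding root.crt, postgresql.crt and postgresql.pk8, passing the database user name the client connects with.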