設定CA認證來強化PostgreSQL的安全性的教程,capostgresql

來源:互聯網
上載者:User

設定CA認證來強化PostgreSQL的安全性的教程,capostgresql

在經曆了多次的摸索實驗後我終於成功地實現了SSL認證認證的功能,因此我想這次我要把這些步驟記錄下來供日後查閱。

出於安全和方便的原因,我要在一台單獨的專用機器上籤署客戶的認證,這台機器也稱為 認證授證中心(CA)。

這讓我們在授權新的用戶端時不必先登入到PostgreSQL伺服器然後再簽署認證或者修改pg_hba.conf。

我們要建立一個特殊的資料庫組,叫sslcertusers。這個組裡的所有使用者都可以通過由CA簽署的認證進行串連。

在下面的例子中,請將"trustly"替換成你的公司名或組織名。所有的命令都是基於Ubuntu Linux 12.04 LTS。
 
設定CA
CA應該是一台離線的處於高度安全環境中的電腦。

產生CA私密金鑰
 

sudo openssl genrsa -des3 -out /etc/ssl/private/trustly-ca.key 2048sudo chown root:ssl-cert /etc/ssl/private/trustly-ca.keysudo chmod 640 /etc/ssl/private/trustly-ca.key

產生CA認證
 

sudo openssl req -new -x509 -days 3650 \-subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=trustly' \-key /etc/ssl/private/trustly-ca.key \-out /usr/local/share/ca-certificates/trustly-ca.crtsudo update-ca-certificates

配置PostgreSQL伺服器
產生PostgreSQL伺服器私密金鑰
 

# Remove default snakeoil certssudo rm /var/lib/postgresql/9.1/main/server.keysudo rm /var/lib/postgresql/9.1/main/server.crt# Enter a passphrasesudo -u postgres openssl genrsa -des3 -out /var/lib/postgresql/9.1/main/server.key 2048# Remove the passphrasesudo -u postgres openssl rsa -in /var/lib/postgresql/9.1/main/server.key -out /var/lib/postgresql/9.1/main/server.keysudo -u postgres chmod 400 /var/lib/postgresql/9.1/main/server.key

產生PostgreSQL伺服器憑證簽署請求(CSR)

 

sudo -u postgres openssl req -new -nodes -key /var/lib/postgresql/9.1/main/server.key -days 3650 -out /tmp/server.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=postgres'

用CA私密金鑰簽署PostgreSQL伺服器憑證請求
 

sudo openssl req -x509 \-key /etc/ssl/private/trustly-ca.key \-in /tmp/server.csr \-out /var/lib/postgresql/9.1/main/server.crtsudo chown postgres:postgres /var/lib/postgresql/9.1/main/server.crt

建立根(root)認證=PostgreSQL伺服器憑證+CA認證
 

sudo -u postgres sh -c 'cat /var/lib/postgresql/9.1/main/server.crt /etc/ssl/certs/trustly-ca.pem > /var/lib/postgresql/9.1/main/root.crt'sudo cp /var/lib/postgresql/9.1/main/root.crt /usr/local/share/ca-certificates/trustly-postgresql.crtsudo update-ca-certificates

授權訪問
 

CREATE GROUP sslcertusers;ALTER GROUP sslcertusers ADD USER joel; # /etc/postgresql/9.1/main/pg_hba.conf:hostssl nameofdatabase +sslcertusers 192.168.1.0/24 cert clientcert=1

重啟PostgreSQL
 

sudo service postgresql restart

PostgreSQL用戶端設定
從PostgreSQL伺服器上複製根憑證
 

mkdir ~/.postgresqlcp /etc/ssl/certs/trustly-postgresql.pem ~/.postgresql/root.crt

產生PostgreSQL用戶端私密金鑰
 

openssl genrsa -des3 -out ~/.postgresql/postgresql.key 1024 # If this is a server, remove the passphrase:openssl rsa -in ~/.postgresql/postgresql.key -out ~/.postgresql/postgresql.key

產生PostgreSQL用戶端認證簽署請求並簽署
 

# Replace "joel" with username:openssl req -new -key ~/.postgresql/postgresql.key -out ~/.postgresql/postgresql.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=Trustly/CN=joel'sudo openssl x509 -req -in ~/.postgresql/postgresql.csr -CA /etc/ssl/certs/trustly-ca.pem -CAkey /etc/ssl/private/trustly-ca.key -out ~/.postgresql/postgresql.crt -CAcreateserialsudo chown joel:joel -R ~/.postgresqlsudo chmod 400 -R ~/.postgresql/postgresql.key

相關文章

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.