From: Maz M. <mmo...@pe...> - 2013-02-28 15:20:51

Hi Koichi,

Thanks for replying to my email.

http://www.postgresql.org/docs/9.2/static/ssl-tcp.html is a good introductory document. But I already got the SSL working on postgres-xc and verified it from psql. The best document to set it up was http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html

My problem now is connecting postgres from a java application server (tomcat). I've already read and followed the instructions in http://jdbc.postgresql.org/documentation/91/ssl-client.html . Frankly there are only 2 steps....

1) openssl x509 -in pg_server.crt -out pg_server.crt.der -outform der
2) keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file pg_server.crt.der

I also augmented the JDBC url with the right parameters.
ssl=true and sslfactory=org.postgresql.ssl.NonValidatingFactory

I've added the JVM parameters....
java -Djavax.net.ssl.trustStore=mystore -Djavax.net.ssl.trustStorePassword=password

Something I want to mention is that postgres-xc is running as user "postgres-xc". My tomcat is running as user "adminuser".

Anything I'm missing on the java side? It looks like no one has done this before. :(

-maz

-----Original Message-----
From: Koichi Suzuki [mailto:koi...@gm...]
Sent: Thursday, February 28, 2013 2:58 AM
To: Maz Mohammadi
Cc: Jim Mlodgenski; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

How's http://www.postgresql.org/docs/9.2/static/ssl-tcp.html ?

https://kb.berkeley.edu/page.php?id=23113 may include some more info.
----------
Koichi Suzuki

2013/2/27 Maz Mohammadi <mmo...@pe...>:
> BTW, I also added the mapping option in pg_hba.conf and created a mapping in pg_ident.conf which maps the OS user that runs tomcat to my postgres-xc user. Still I'm getting the same error :(
>
> I've also turned on the debugging of ssl on jvm and getting a lot of messages on console? Can anyone suggest on what I should look for?
>
> -maz
>
> -----Original Message-----
> From: Maz Mohammadi
> Sent: Tuesday, February 26, 2013 9:18 AM
> To: 'Jim Mlodgenski'
> Cc: Nikhil Sontakke; pos...@li...
> Subject: RE: [Postgres-xc-general] can't access server through SSL
>
> Well,
>
> First let me say, this document http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html was very helpful in enabling SSL on my server + accessing it through psql using a certificate. It clearly specifies how each file (server.* and client.*) is created and how it is used.
>
> As for the 2nd part my problem of reaching it from tomcat server, I'm still getting the same error.
> "Connection attempt failed: FATAL: connection requires a valid client certificate"
>
> http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating does not contain a very complex set of steps.
>
> 1) openssl x509 -in pg_server.crt -out pg_server.crt.der -outform der
> 2) keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file pg_server.crt.der
>
> pg_server.crt is the same as server.crt file that I got from the blog posting's instructions.
>
> And this is my url.
> "jdbc:postgresql://localhost:5432:testdb?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"
>
> Do I need to sign the certificate?
>
> -----Original Message-----
> From: Jim Mlodgenski [mailto:ji...@gm...]
> Sent: Monday, February 25, 2013 2:18 PM
> To: Maz Mohammadi
> Cc: Nikhil Sontakke; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 1:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
>> Tada....
>>
>> postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
>> psql (PGXC 1.0.0, based on PG 9.1.4)
>> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>> Type "help" for help.
>>
>> testdb=#
>>
>> now I gotta get it working from tomcat ;)
>
> Take a look at
> http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating
>
> You'll probably want to have JDBC not validate the cert against the CA until you can at least connect from Tomcat. To do that, you'll need to append the following to your connection string
> sslfactory=org.postgresql.ssl.NonValidatingFactory
>
>>
>> -maz
>>
>> -----Original Message-----
>> From: Jim Mlodgenski [mailto:ji...@gm...]
>> Sent: Monday, February 25, 2013 11:31 AM
>> To: Maz Mohammadi
>> Cc: Nikhil Sontakke; pos...@li...
>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>
>> On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
>>> Something tells me, I might not be doing things right :(
>>
>> It does appear things are a little twisted up.
>>
>>>
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
>>> /var/lib/postgres-xc/.postgresql/client.key
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>> /var/lib/postgres-xc/coord/server.crt
>>> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
>>> client.crt: OK
>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>
>>
>> Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
>> hostssl all postgres-xc 127.0.0.1/32 trust
>>
>> And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.
>>
>> Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.
>>
>>> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>>>
>>> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?
>>
>> You'll have the same issue using PostgreSQL. It's not a XC vs PG issue, just a severe lack of documentation on how to do it properly.
>>
>>>
>>> -maz
>>>
>>> -----Original Message-----
>>> From: Nikhil Sontakke [mailto:ni...@st...]
>>> Sent: Monday, February 25, 2013 10:21 AM
>>> To: Maz Mohammadi
>>> Cc: Michael Paquier; pos...@li...
>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>
>>> Try using
>>>
>>> PGSSLKEY=/path/to/agent.key in psql.
>>>
>>> Regards,
>>> Nikhils
>>>
>>> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
>>>> Well, it seems that this is the way to connect it from the standard psql client. But I'm getting there ;(
>>>>
>>>> --------------
>>>>
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
>>>> postgres-xc
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
>>>> require
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>>> /var/lib/postgres-xc/datanode1/server.crt
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
>>>> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
>>>> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
>>>> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>>> psql: certificate present, but not private key file "/var/lib/postgres-xc/.postgresql/postgresql.key"
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
>>>> /var/lib/postgres-xc/coord
>>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>>
>>>> --------------
>>>>
>>>> Does the user 'postgres-xc' need to generate a private key file?
>>>>
>>>> postgresql.key does not exist. I take it that it IS NOT the same as server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>>>>
>>>> From: Michael Paquier [mailto:mic...@gm...]
>>>> Sent: Monday, February 25, 2013 2:17 AM
>>>> To: Nikhil Sontakke
>>>> Cc: Maz Mohammadi; pos...@li...
>>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>>
>>>> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>>>
>>>> Hi Maz,
>>>>
>>>>> Is there a way to connect to the server using the psql by using a certificate?
>>>>>
>>>>
>>>> Does the below work for you?
>>>>
>>>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>>>>
>>>> Change PSGSSLMODE by PGSSLMODE. My 2c.
>>>>
>>>> --
>>>> Michael
>>>
>>> --
>>> StormDB - http://www.stormdb.com
>>> The Database Cloud
>>> Postgres-XC Support and Service
>>>
>>> ------------------------------------------------------------------------------
>>> Everyone hates slow websites. So do we.
>>> Make your web apps faster with AppDynamics
>>> Download AppDynamics Lite for free today:
>>> http://p.sf.net/sfu/appdyn_d2d_feb
>>> _______________________________________________
>>> Postgres-xc-general mailing list
>>> Pos...@li...
>>> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Postgres-xc-general mailing list
> Pos...@li...
> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general

From: Koichi S. <koi...@gm...> - 2013-02-28 07:59:40

How's http://www.postgresql.org/docs/9.2/static/ssl-tcp.html ?

https://kb.berkeley.edu/page.php?id=23113 may include some more info.
----------
Koichi Suzuki

2013/2/27 Maz Mohammadi <mmo...@pe...>:
> BTW, I also added the mapping option in pg_hba.conf and created a mapping in pg_ident.conf which maps the OS user that runs tomcat to my postgres-xc user. Still I'm getting the same error :(
>
> I've also turned on the debugging of ssl on jvm and getting a lot of messages on console? Can anyone suggest on what I should look for?
>
> -maz
>
> -----Original Message-----
> From: Maz Mohammadi
> Sent: Tuesday, February 26, 2013 9:18 AM
> To: 'Jim Mlodgenski'
> Cc: Nikhil Sontakke; pos...@li...
> Subject: RE: [Postgres-xc-general] can't access server through SSL
>
> Well,
>
> First let me say, this document http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html was very helpful in enabling SSL on my server + accessing it through psql using a certificate. It clearly specifies how each file (server.* and client.*) is created and how it is used.
>
> As for the 2nd part my problem of reaching it from tomcat server, I'm still getting the same error.
> "Connection attempt failed: FATAL: connection requires a valid client certificate"
>
> http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating does not contain a very complex set of steps.
>
> 1) openssl x509 -in pg_server.crt -out pg_server.crt.der -outform der
> 2) keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file pg_server.crt.der
>
> pg_server.crt is the same as server.crt file that I got from the blog posting's instructions.
>
> And this is my url.
> "jdbc:postgresql://localhost:5432:testdb?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"
>
> Do I need to sign the certificate?
>
> -----Original Message-----
> From: Jim Mlodgenski [mailto:ji...@gm...]
> Sent: Monday, February 25, 2013 2:18 PM
> To: Maz Mohammadi
> Cc: Nikhil Sontakke; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 1:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
>> Tada....
>>
>> postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
>> psql (PGXC 1.0.0, based on PG 9.1.4)
>> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>> Type "help" for help.
>>
>> testdb=#
>>
>> now I gotta get it working from tomcat ;)
>
> Take a look at
> http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating
>
> You'll probably want to have JDBC not validate the cert against the CA until you can at least connect from Tomcat. To do that, you'll need to append the following to your connection string
> sslfactory=org.postgresql.ssl.NonValidatingFactory
>
>>
>> -maz
>>
>> -----Original Message-----
>> From: Jim Mlodgenski [mailto:ji...@gm...]
>> Sent: Monday, February 25, 2013 11:31 AM
>> To: Maz Mohammadi
>> Cc: Nikhil Sontakke; pos...@li...
>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>
>> On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
>>> Something tells me, I might not be doing things right :(
>>
>> It does appear things are a little twisted up.
>>
>>>
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
>>> /var/lib/postgres-xc/.postgresql/client.key
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>> /var/lib/postgres-xc/coord/server.crt
>>> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
>>> client.crt: OK
>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>
>>
>> Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
>> hostssl all postgres-xc 127.0.0.1/32 trust
>>
>> And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.
>>
>> Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.
>>
>>> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>>>
>>> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?
>>
>> You'll have the same issue using PostgreSQL. It's not a XC vs PG issue, just a severe lack of documentation on how to do it properly.
>>
>>>
>>> -maz
>>>
>>> -----Original Message-----
>>> From: Nikhil Sontakke [mailto:ni...@st...]
>>> Sent: Monday, February 25, 2013 10:21 AM
>>> To: Maz Mohammadi
>>> Cc: Michael Paquier; pos...@li...
>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>
>>> Try using
>>>
>>> PGSSLKEY=/path/to/agent.key in psql.
>>>
>>> Regards,
>>> Nikhils
>>>
>>> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
>>>> Well, it seems that this is the way to connect it from the standard psql client. But I'm getting there ;(
>>>>
>>>> --------------
>>>>
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
>>>> postgres-xc
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
>>>> require
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>>> /var/lib/postgres-xc/datanode1/server.crt
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
>>>> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
>>>> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
>>>> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>>> psql: certificate present, but not private key file "/var/lib/postgres-xc/.postgresql/postgresql.key"
>>>> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
>>>> /var/lib/postgres-xc/coord
>>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>>
>>>> --------------
>>>>
>>>> Does the user 'postgres-xc' need to generate a private key file?
>>>>
>>>> postgresql.key does not exist. I take it that it IS NOT the same as server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>>>>
>>>> From: Michael Paquier [mailto:mic...@gm...]
>>>> Sent: Monday, February 25, 2013 2:17 AM
>>>> To: Nikhil Sontakke
>>>> Cc: Maz Mohammadi; pos...@li...
>>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>>
>>>> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>>>
>>>> Hi Maz,
>>>>
>>>>> Is there a way to connect to the server using the psql by using a certificate?
>>>>>
>>>>
>>>> Does the below work for you?
>>>>
>>>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>>>>
>>>> Change PSGSSLMODE by PGSSLMODE. My 2c.
>>>>
>>>> --
>>>> Michael
>>>
>>> --
>>> StormDB - http://www.stormdb.com
>>> The Database Cloud
>>> Postgres-XC Support and Service
>>>
>>> ------------------------------------------------------------------------------
>>> Everyone hates slow websites. So do we.
>>> Make your web apps faster with AppDynamics
>>> Download AppDynamics Lite for free today:
>>> http://p.sf.net/sfu/appdyn_d2d_feb
>>> _______________________________________________
>>> Postgres-xc-general mailing list
>>> Pos...@li...
>>> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Postgres-xc-general mailing list
> Pos...@li...
> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general

From: Maz M. <mmo...@pe...> - 2013-02-27 02:25:09

BTW, I also added the mapping option in pg_hba.conf and created a mapping in pg_ident.conf which maps the OS user that runs tomcat to my postgres-xc user. Still I'm getting the same error :(

I've also turned on the debugging of ssl on jvm and getting a lot of messages on console? Can anyone suggest on what I should look for?

-maz

-----Original Message-----
From: Maz Mohammadi
Sent: Tuesday, February 26, 2013 9:18 AM
To: 'Jim Mlodgenski'
Cc: Nikhil Sontakke; pos...@li...
Subject: RE: [Postgres-xc-general] can't access server through SSL

Well,

First let me say, this document http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html was very helpful in enabling SSL on my server + accessing it through psql using a certificate. It clearly specifies how each file (server.* and client.*) is created and how it is used.

As for the 2nd part my problem of reaching it from tomcat server, I'm still getting the same error.
"Connection attempt failed: FATAL: connection requires a valid client certificate"

http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating does not contain a very complex set of steps.

1) openssl x509 -in pg_server.crt -out pg_server.crt.der -outform der
2) keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file pg_server.crt.der

pg_server.crt is the same as server.crt file that I got from the blog posting's instructions.

And this is my url.
"jdbc:postgresql://localhost:5432:testdb?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"

Do I need to sign the certificate?

-----Original Message-----
From: Jim Mlodgenski [mailto:ji...@gm...]
Sent: Monday, February 25, 2013 2:18 PM
To: Maz Mohammadi
Cc: Nikhil Sontakke; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

On Mon, Feb 25, 2013 at 1:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Tada....
>
> postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
> psql (PGXC 1.0.0, based on PG 9.1.4)
> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
> Type "help" for help.
>
> testdb=#
>
> now I gotta get it working from tomcat ;)

Take a look at
http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating

You'll probably want to have JDBC not validate the cert against the CA until you can at least connect from Tomcat. To do that, you'll need to append the following to your connection string
sslfactory=org.postgresql.ssl.NonValidatingFactory

>
> -maz
>
> -----Original Message-----
> From: Jim Mlodgenski [mailto:ji...@gm...]
> Sent: Monday, February 25, 2013 11:31 AM
> To: Maz Mohammadi
> Cc: Nikhil Sontakke; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
>> Something tells me, I might not be doing things right :(
>
> It does appear things are a little twisted up.
>
>>
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
>> /var/lib/postgres-xc/.postgresql/client.key
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>> /var/lib/postgres-xc/coord/server.crt
>> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
>> client.crt: OK
>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
>> postgres-xc@adminuser-VirtualBox:~/coord$
>>
>
> Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
> hostssl all postgres-xc 127.0.0.1/32 trust
>
> And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.
>
> Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.
>
>> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>>
>> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?
>
> You'll have the same issue using PostgreSQL. It's not a XC vs PG issue, just a severe lack of documentation on how to do it properly.
>
>>
>> -maz
>>
>> -----Original Message-----
>> From: Nikhil Sontakke [mailto:ni...@st...]
>> Sent: Monday, February 25, 2013 10:21 AM
>> To: Maz Mohammadi
>> Cc: Michael Paquier; pos...@li...
>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>
>> Try using
>>
>> PGSSLKEY=/path/to/agent.key in psql.
>>
>> Regards,
>> Nikhils
>>
>> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
>>> Well, it seems that this is the way to connect it from the standard psql client. But I'm getting there ;(
>>>
>>> --------------
>>>
>>> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
>>> postgres-xc
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
>>> require
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>> /var/lib/postgres-xc/datanode1/server.crt
>>> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
>>> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
>>> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
>>> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>> psql: certificate present, but not private key file "/var/lib/postgres-xc/.postgresql/postgresql.key"
>>> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
>>> /var/lib/postgres-xc/coord
>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>
>>> --------------
>>>
>>> Does the user 'postgres-xc' need to generate a private key file?
>>>
>>> postgresql.key does not exist. I take it that it IS NOT the same as server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>>>
>>> From: Michael Paquier [mailto:mic...@gm...]
>>> Sent: Monday, February 25, 2013 2:17 AM
>>> To: Nikhil Sontakke
>>> Cc: Maz Mohammadi; pos...@li...
>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>
>>> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>>
>>> Hi Maz,
>>>
>>>> Is there a way to connect to the server using the psql by using a certificate?
>>>>
>>>
>>> Does the below work for you?
>>>
>>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>>>
>>> Change PSGSSLMODE by PGSSLMODE. My 2c.
>>>
>>> --
>>> Michael
>>
>> --
>> StormDB - http://www.stormdb.com
>> The Database Cloud
>> Postgres-XC Support and Service
>>
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_feb
>> _______________________________________________
>> Postgres-xc-general mailing list
>> Pos...@li...
>> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general

From: Maz M. <mmo...@pe...> - 2013-02-26 14:18:51

Well,

First let me say, this document http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html was very helpful in enabling SSL on my server + accessing it through psql using a certificate. It clearly specifies how each file (server.* and client.*) is created and how it is used.

As for the 2nd part my problem of reaching it from tomcat server, I'm still getting the same error.
"Connection attempt failed: FATAL: connection requires a valid client certificate"

http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating does not contain a very complex set of steps.

1) openssl x509 -in pg_server.crt -out pg_server.crt.der -outform der
2) keytool -keystore $JAVA_HOME/lib/security/cacerts -alias postgresql -import -file pg_server.crt.der

pg_server.crt is the same as server.crt file that I got from the blog posting's instructions.

And this is my url.
"jdbc:postgresql://localhost:5432:testdb?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"

Do I need to sign the certificate?

-----Original Message-----
From: Jim Mlodgenski [mailto:ji...@gm...]
Sent: Monday, February 25, 2013 2:18 PM
To: Maz Mohammadi
Cc: Nikhil Sontakke; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

On Mon, Feb 25, 2013 at 1:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Tada....
>
> postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
> psql (PGXC 1.0.0, based on PG 9.1.4)
> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
> Type "help" for help.
>
> testdb=#
>
> now I gotta get it working from tomcat ;)

Take a look at
http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating

You'll probably want to have JDBC not validate the cert against the CA until you can at least connect from Tomcat. To do that, you'll need to append the following to your connection string
sslfactory=org.postgresql.ssl.NonValidatingFactory

>
> -maz
>
> -----Original Message-----
> From: Jim Mlodgenski [mailto:ji...@gm...]
> Sent: Monday, February 25, 2013 11:31 AM
> To: Maz Mohammadi
> Cc: Nikhil Sontakke; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
>> Something tells me, I might not be doing things right :(
>
> It does appear things are a little twisted up.
>
>>
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
>> /var/lib/postgres-xc/.postgresql/client.key
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>> /var/lib/postgres-xc/coord/server.crt
>> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
>> client.crt: OK
>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
>> postgres-xc@adminuser-VirtualBox:~/coord$
>>
>
> Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
> hostssl all postgres-xc 127.0.0.1/32 trust
>
> And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.
>
> Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.
>
>> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>>
>> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?
>
> You'll have the same issue using PostgreSQL. It's not a XC vs PG issue, just a severe lack of documentation on how to do it properly.
>
>>
>> -maz
>>
>> -----Original Message-----
>> From: Nikhil Sontakke [mailto:ni...@st...]
>> Sent: Monday, February 25, 2013 10:21 AM
>> To: Maz Mohammadi
>> Cc: Michael Paquier; pos...@li...
>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>
>> Try using
>>
>> PGSSLKEY=/path/to/agent.key in psql.
>>
>> Regards,
>> Nikhils
>>
>> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
>>> Well, it seems that this is the way to connect it from the standard psql client. But I'm getting there ;(
>>>
>>> --------------
>>>
>>> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
>>> postgres-xc
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
>>> require
>>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>>> /var/lib/postgres-xc/datanode1/server.crt
>>> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
>>> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
>>> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
>>> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
>>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
>>> psql: certificate present, but not private key file "/var/lib/postgres-xc/.postgresql/postgresql.key"
>>> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
>>> /var/lib/postgres-xc/coord
>>> postgres-xc@adminuser-VirtualBox:~/coord$
>>>
>>> --------------
>>>
>>> Does the user 'postgres-xc' need to generate a private key file?
>>>
>>> postgresql.key does not exist. I take it that it IS NOT the same as server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>>>
>>> From: Michael Paquier [mailto:mic...@gm...]
>>> Sent: Monday, February 25, 2013 2:17 AM
>>> To: Nikhil Sontakke
>>> Cc: Maz Mohammadi; pos...@li...
>>> Subject: Re: [Postgres-xc-general] can't access server through SSL
>>>
>>> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>>
>>> Hi Maz,
>>>
>>>> Is there a way to connect to the server using the psql by using a certificate?
>>>>
>>>
>>> Does the below work for you?
>>>
>>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>>>
>>> Change PSGSSLMODE by PGSSLMODE. My 2c.
>>>
>>> --
>>> Michael
>>
>> --
>> StormDB - http://www.stormdb.com
>> The Database Cloud
>> Postgres-XC Support and Service
>>
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_feb
>> _______________________________________________
>> Postgres-xc-general mailing list
>> Pos...@li...
>> https://lists.sourceforge.net/lists/listinfo/postgres-xc-general

From: Jim M. <ji...@gm...> - 2013-02-25 19:18:53
|
On Mon, Feb 25, 2013 at 1:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Tada....
>
> postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
> psql (PGXC 1.0.0, based on PG 9.1.4)
> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
> Type "help" for help.
>
> testdb=#
>
> now I gotta get it working from tomcat ;)

Take a look at http://jdbc.postgresql.org/documentation/91/ssl-client.html#nonvalidating

You'll probably want to have JDBC not validate the cert against the CA until you can at least connect from Tomcat. To do that, you'll need to append the following to your connection string
sslfactory=org.postgresql.ssl.NonValidatingFactory

>
> -maz
>
> -----Original Message-----
> From: Jim Mlodgenski [mailto:ji...@gm...]
> Sent: Monday, February 25, 2013 11:31 AM
> To: Maz Mohammadi
> Cc: Nikhil Sontakke; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
>> Something tells me, I might not be doing things right :(
>
> It does appear things are a little twisted up.
>
>>
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
>> /var/lib/postgres-xc/.postgresql/client.key
>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
>> /var/lib/postgres-xc/coord/server.crt
>> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile
>> ../coord/root.crt client.crt
>> client.crt: OK
>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h
>> localhost -p 5432
>> psql: could not load private key file
>> "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
>> postgres-xc@adminuser-VirtualBox:~/coord$
>>
>
> Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
> hostssl all postgres-xc 127.0.0.1/32 trust
>
> And see if you can connect via psql.
There will be a message displayed when connected that it is an ssl connection. > > Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same. > >> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost' >> >> Do you think I'm digging myself into a whole? Should I start from scratch and install postgres? > > You'll have the same issue using PostgreSQL. Its not a XC vs PG issue, just a severe lack of documentation on how to do it properly. > >> >> -maz >> >> -----Original Message----- >> From: Nikhil Sontakke [mailto:ni...@st...] >> Sent: Monday, February 25, 2013 10:21 AM >> To: Maz Mohammadi >> Cc: Michael Paquier; pos...@li... >> Subject: Re: [Postgres-xc-general] can't access server through SSL >> >> Try using >> >> PGSSLKEY=/path/to/agent.key in psql. >> >> Regards, >> Nikhils >> >> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote: >>> Well, it seems that this is the way to connect it from the standard >>> psql client. 
But I'm getting there ;( >>> >>> >>> >>> -------------- >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ whoami >>> >>> postgres-xc >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE >>> >>> require >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT >>> >>> /var/lib/postgres-xc/datanode1/server.crt >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* >>> >>> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt >>> >>> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key >>> >>> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h >>> localhost -p 5432 >>> >>> psql: certificate present, but not private key file >>> "/var/lib/postgres-xc/.postgresql/postgresql.key" >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ pwd >>> >>> /var/lib/postgres-xc/coord >>> >>> postgres-xc@adminuser-VirtualBox:~/coord$ >>> >>> -------------- >>> >>> >>> >>> Does the user 'postgres-xc' need to generate a private key file? >>> >>> >>> >>> postgresql.key does not exist. I take it that it IS NOT the same as >>> server.key which is under /var/lib/postgres-xc/coord. Am I correct? >>> >>> >>> >>> >>> >>> From: Michael Paquier [mailto:mic...@gm...] >>> Sent: Monday, February 25, 2013 2:17 AM >>> To: Nikhil Sontakke >>> Cc: Maz Mohammadi; pos...@li... >>> >>> >>> Subject: Re: [Postgres-xc-general] can't access server through SSL >>> >>> >>> >>> >>> >>> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke >>> <ni...@st...> >>> wrote: >>> >>> Hi Maz, >>> >>> >>>> Is there a way to connect to the server using the psql by using a >>>> certificate? >>>> >>> >>> Does the below work for you? >>> >>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h >>> localhost -p 5432 >>> >>> Change PSGSSLMODE by PGSSLMODE. My 2c. 
>>> >>> -- >>> Michael >> >> >> >> -- >> StormDB - http://www.stormdb.com >> The Database Cloud >> Postgres-XC Support and Service |
From: Maz M. <mmo...@pe...> - 2013-02-25 18:42:09
|
Tada....

postgres-xc@adminuser-VirtualBox:~/.postgresql$ psql -h localhost -p 5432 testdb
psql (PGXC 1.0.0, based on PG 9.1.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

testdb=#

now I gotta get it working from tomcat ;)

-maz

-----Original Message-----
From: Jim Mlodgenski [mailto:ji...@gm...]
Sent: Monday, February 25, 2013 11:31 AM
To: Maz Mohammadi
Cc: Nikhil Sontakke; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
> Something tells me, I might not be doing things right :(

It does appear things are a little twisted up.

>
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
> /var/lib/postgres-xc/.postgresql/client.key
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/coord/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile
> ../coord/root.crt client.crt
> client.crt: OK
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h
> localhost -p 5432
> psql: could not load private key file
> "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
> postgres-xc@adminuser-VirtualBox:~/coord$
>

Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
hostssl all postgres-xc 127.0.0.1/32 trust

And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.

Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.
> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost' > > Do you think I'm digging myself into a whole? Should I start from scratch and install postgres? You'll have the same issue using PostgreSQL. Its not a XC vs PG issue, just a severe lack of documentation on how to do it properly. > > -maz > > -----Original Message----- > From: Nikhil Sontakke [mailto:ni...@st...] > Sent: Monday, February 25, 2013 10:21 AM > To: Maz Mohammadi > Cc: Michael Paquier; pos...@li... > Subject: Re: [Postgres-xc-general] can't access server through SSL > > Try using > > PGSSLKEY=/path/to/agent.key in psql. > > Regards, > Nikhils > > On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote: >> Well, it seems that this is the way to connect it from the standard >> psql client. But I'm getting there ;( >> >> >> >> -------------- >> >> postgres-xc@adminuser-VirtualBox:~/coord$ whoami >> >> postgres-xc >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE >> >> require >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT >> >> /var/lib/postgres-xc/datanode1/server.crt >> >> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt >> >> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req >> >> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h >> localhost -p 5432 >> >> psql: certificate present, but not private key file >> "/var/lib/postgres-xc/.postgresql/postgresql.key" >> >> postgres-xc@adminuser-VirtualBox:~/coord$ pwd >> >> /var/lib/postgres-xc/coord >> >> postgres-xc@adminuser-VirtualBox:~/coord$ >> >> -------------- >> >> >> >> Does the user 'postgres-xc' need to generate a private key file? >> >> >> >> postgresql.key does not exist. 
I take it that it IS NOT the same as >> server.key which is under /var/lib/postgres-xc/coord. Am I correct? >> >> >> >> >> >> From: Michael Paquier [mailto:mic...@gm...] >> Sent: Monday, February 25, 2013 2:17 AM >> To: Nikhil Sontakke >> Cc: Maz Mohammadi; pos...@li... >> >> >> Subject: Re: [Postgres-xc-general] can't access server through SSL >> >> >> >> >> >> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke >> <ni...@st...> >> wrote: >> >> Hi Maz, >> >> >>> Is there a way to connect to the server using the psql by using a >>> certificate? >>> >> >> Does the below work for you? >> >> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h >> localhost -p 5432 >> >> Change PSGSSLMODE by PGSSLMODE. My 2c. >> >> -- >> Michael > > > > -- > StormDB - http://www.stormdb.com > The Database Cloud > Postgres-XC Support and Service |
From: Maz M. <mmo...@pe...> - 2013-02-25 18:25:21
|
I feel like a lost pioneer :)

I added the "trust" to pg_hba.conf. The only environment variable that I have now is PGSSLMODE=true.

----------------
postgres-xc@adminuser-VirtualBox:~$ psql -p 5432
psql (PGXC 1.0.0, based on PG 9.1.4)
Type "help" for help.

postgres=# \q
postgres-xc@adminuser-VirtualBox:~$
postgres-xc@adminuser-VirtualBox:~$ psql -p 5432 -h localhost
psql: SSL error: certificate verify failed
----------------

Is this the message that I'm supposed to see?

-maz

-----Original Message-----
From: Jim Mlodgenski [mailto:ji...@gm...]
Sent: Monday, February 25, 2013 11:31 AM
To: Maz Mohammadi
Cc: Nikhil Sontakke; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
> Something tells me, I might not be doing things right :(

It does appear things are a little twisted up.

>
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
> /var/lib/postgres-xc/.postgresql/client.key
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/coord/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile
> ../coord/root.crt client.crt
> client.crt: OK
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h
> localhost -p 5432
> psql: could not load private key file
> "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
> postgres-xc@adminuser-VirtualBox:~/coord$
>

Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
hostssl all postgres-xc 127.0.0.1/32 trust

And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.

Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky.
I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same. > when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost' > > Do you think I'm digging myself into a whole? Should I start from scratch and install postgres? You'll have the same issue using PostgreSQL. Its not a XC vs PG issue, just a severe lack of documentation on how to do it properly. > > -maz > > -----Original Message----- > From: Nikhil Sontakke [mailto:ni...@st...] > Sent: Monday, February 25, 2013 10:21 AM > To: Maz Mohammadi > Cc: Michael Paquier; pos...@li... > Subject: Re: [Postgres-xc-general] can't access server through SSL > > Try using > > PGSSLKEY=/path/to/agent.key in psql. > > Regards, > Nikhils > > On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote: >> Well, it seems that this is the way to connect it from the standard >> psql client. 
But I'm getting there ;( >> >> >> >> -------------- >> >> postgres-xc@adminuser-VirtualBox:~/coord$ whoami >> >> postgres-xc >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE >> >> require >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT >> >> /var/lib/postgres-xc/datanode1/server.crt >> >> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt >> >> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req >> >> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h >> localhost -p 5432 >> >> psql: certificate present, but not private key file >> "/var/lib/postgres-xc/.postgresql/postgresql.key" >> >> postgres-xc@adminuser-VirtualBox:~/coord$ pwd >> >> /var/lib/postgres-xc/coord >> >> postgres-xc@adminuser-VirtualBox:~/coord$ >> >> -------------- >> >> >> >> Does the user 'postgres-xc' need to generate a private key file? >> >> >> >> postgresql.key does not exist. I take it that it IS NOT the same as >> server.key which is under /var/lib/postgres-xc/coord. Am I correct? >> >> >> >> >> >> From: Michael Paquier [mailto:mic...@gm...] >> Sent: Monday, February 25, 2013 2:17 AM >> To: Nikhil Sontakke >> Cc: Maz Mohammadi; pos...@li... >> >> >> Subject: Re: [Postgres-xc-general] can't access server through SSL >> >> >> >> >> >> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke >> <ni...@st...> >> wrote: >> >> Hi Maz, >> >> >>> Is there a way to connect to the server using the psql by using a >>> certificate? >>> >> >> Does the below work for you? >> >> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h >> localhost -p 5432 >> >> Change PSGSSLMODE by PGSSLMODE. My 2c. 
>> >> -- >> Michael > > > > -- > StormDB - http://www.stormdb.com > The Database Cloud > Postgres-XC Support and Service |
From: Jim M. <ji...@gm...> - 2013-02-25 16:31:33
|
On Mon, Feb 25, 2013 at 11:12 AM, Maz Mohammadi <mmo...@pe...> wrote:
> Something tells me, I might not be doing things right :(

It does appear things are a little twisted up.

>
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
> /var/lib/postgres-xc/.postgresql/client.key
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/coord/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
> client.crt: OK
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
> postgres-xc@adminuser-VirtualBox:~/coord$
>

Start first with just making sure you can connect via SSL on the server before adding in the certificate authentication. Try changing your pg_hba to:
hostssl all postgres-xc 127.0.0.1/32 trust

And see if you can connect via psql. There will be a message displayed when connected that it is an ssl connection.

Once you get past that, you can revert back to the original pg_hba and focus on the cert auth. Getting the client certificate correct is a little tricky. I believe you need to sign it using the server certificate, but I need to look that up to be sure. I think you also need to make sure you have the proper mapping in the pg_ident file even though the names might be the same.

> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>
> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?

You'll have the same issue using PostgreSQL. It's not a XC vs PG issue, just a severe lack of documentation on how to do it properly.

>
> -maz
>
> -----Original Message-----
> From: Nikhil Sontakke [mailto:ni...@st...]
> Sent: Monday, February 25, 2013 10:21 AM
> To: Maz Mohammadi
> Cc: Michael Paquier; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL > > Try using > > PGSSLKEY=/path/to/agent.key in psql. > > Regards, > Nikhils > > On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote: >> Well, it seems that this is the way to connect it from the standard >> psql client. But I'm getting there ;( >> >> >> >> -------------- >> >> postgres-xc@adminuser-VirtualBox:~/coord$ whoami >> >> postgres-xc >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE >> >> require >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT >> >> /var/lib/postgres-xc/datanode1/server.crt >> >> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt >> >> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req >> >> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h >> localhost -p 5432 >> >> psql: certificate present, but not private key file >> "/var/lib/postgres-xc/.postgresql/postgresql.key" >> >> postgres-xc@adminuser-VirtualBox:~/coord$ pwd >> >> /var/lib/postgres-xc/coord >> >> postgres-xc@adminuser-VirtualBox:~/coord$ >> >> -------------- >> >> >> >> Does the user 'postgres-xc' need to generate a private key file? >> >> >> >> postgresql.key does not exist. I take it that it IS NOT the same as >> server.key which is under /var/lib/postgres-xc/coord. Am I correct? >> >> >> >> >> >> From: Michael Paquier [mailto:mic...@gm...] >> Sent: Monday, February 25, 2013 2:17 AM >> To: Nikhil Sontakke >> Cc: Maz Mohammadi; pos...@li... >> >> >> Subject: Re: [Postgres-xc-general] can't access server through SSL >> >> >> >> >> >> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> >> wrote: >> >> Hi Maz, >> >> >>> Is there a way to connect to the server using the psql by using a >>> certificate? >>> >> >> Does the below work for you? 
>> >> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h >> localhost -p 5432 >> >> Change PSGSSLMODE by PGSSLMODE. My 2c. >> >> -- >> Michael > > > > -- > StormDB - http://www.stormdb.com > The Database Cloud > Postgres-XC Support and Service |
From: Nikhil S. <ni...@st...> - 2013-02-25 16:27:10
|
On Mon, Feb 25, 2013 at 9:42 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Something tells me, I might not be doing things right :(
>
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
> /var/lib/postgres-xc/.postgresql/client.key
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/coord/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
> client.crt: OK
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
> psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch

Looks like you are not generating keys properly. Please take a look at the below link to self-generate certs and keys

http://gurjeet-tech.blogspot.in/2012/04/generating-self-signed-ssl-certificates.html

Regards,
Nikhils

> postgres-xc@adminuser-VirtualBox:~/coord$
>
> when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'
>
> Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?
>
> -maz
>
> -----Original Message-----
> From: Nikhil Sontakke [mailto:ni...@st...]
> Sent: Monday, February 25, 2013 10:21 AM
> To: Maz Mohammadi
> Cc: Michael Paquier; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> Try using
>
> PGSSLKEY=/path/to/agent.key in psql.
>
> Regards,
> Nikhils
>
> On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
>> Well, it seems that this is the way to connect it from the standard
>> psql client.
But I'm getting there ;( >> >> >> >> -------------- >> >> postgres-xc@adminuser-VirtualBox:~/coord$ whoami >> >> postgres-xc >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE >> >> require >> >> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT >> >> /var/lib/postgres-xc/datanode1/server.crt >> >> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt >> >> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key >> >> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req >> >> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h >> localhost -p 5432 >> >> psql: certificate present, but not private key file >> "/var/lib/postgres-xc/.postgresql/postgresql.key" >> >> postgres-xc@adminuser-VirtualBox:~/coord$ pwd >> >> /var/lib/postgres-xc/coord >> >> postgres-xc@adminuser-VirtualBox:~/coord$ >> >> -------------- >> >> >> >> Does the user 'postgres-xc' need to generate a private key file? >> >> >> >> postgresql.key does not exist. I take it that it IS NOT the same as >> server.key which is under /var/lib/postgres-xc/coord. Am I correct? >> >> >> >> >> >> From: Michael Paquier [mailto:mic...@gm...] >> Sent: Monday, February 25, 2013 2:17 AM >> To: Nikhil Sontakke >> Cc: Maz Mohammadi; pos...@li... >> >> >> Subject: Re: [Postgres-xc-general] can't access server through SSL >> >> >> >> >> >> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> >> wrote: >> >> Hi Maz, >> >> >>> Is there a way to connect to the server using the psql by using a >>> certificate? >>> >> >> Does the below work for you? >> >> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h >> localhost -p 5432 >> >> Change PSGSSLMODE by PGSSLMODE. My 2c. 
>> >> -- >> Michael > > > > -- > StormDB - http://www.stormdb.com > The Database Cloud > Postgres-XC Support and Service -- StormDB - http://www.stormdb.com The Database Cloud Postgres-XC Support and Service |
From: Maz M. <mmo...@pe...> - 2013-02-25 16:12:39
|
Something tells me, I might not be doing things right :(

postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLKEY
/var/lib/postgres-xc/.postgresql/client.key
postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
/var/lib/postgres-xc/coord/server.crt
postgres-xc@adminuser-VirtualBox:~/coord$ openssl verify -CAfile ../coord/root.crt client.crt
client.crt: OK
postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
psql: could not load private key file "/var/lib/postgres-xc/.postgresql/client.key": key values mismatch
postgres-xc@adminuser-VirtualBox:~/coord$

when I generated the key for the client, I used 'postgres-xc' for Common Name, and when I generated it for the server, I used 'localhost'

Do you think I'm digging myself into a hole? Should I start from scratch and install postgres?

-maz

-----Original Message-----
From: Nikhil Sontakke [mailto:ni...@st...]
Sent: Monday, February 25, 2013 10:21 AM
To: Maz Mohammadi
Cc: Michael Paquier; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

Try using

PGSSLKEY=/path/to/agent.key in psql.

Regards,
Nikhils

On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Well, it seems that this is the way to connect it from the standard
> psql client.
But I'm getting there ;( > > > > -------------- > > postgres-xc@adminuser-VirtualBox:~/coord$ whoami > > postgres-xc > > postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE > > require > > postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT > > /var/lib/postgres-xc/datanode1/server.crt > > postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.* > > -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt > > -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key > > -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req > > postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h > localhost -p 5432 > > psql: certificate present, but not private key file > "/var/lib/postgres-xc/.postgresql/postgresql.key" > > postgres-xc@adminuser-VirtualBox:~/coord$ pwd > > /var/lib/postgres-xc/coord > > postgres-xc@adminuser-VirtualBox:~/coord$ > > -------------- > > > > Does the user 'postgres-xc' need to generate a private key file? > > > > postgresql.key does not exist. I take it that it IS NOT the same as > server.key which is under /var/lib/postgres-xc/coord. Am I correct? > > > > > > From: Michael Paquier [mailto:mic...@gm...] > Sent: Monday, February 25, 2013 2:17 AM > To: Nikhil Sontakke > Cc: Maz Mohammadi; pos...@li... > > > Subject: Re: [Postgres-xc-general] can't access server through SSL > > > > > > On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> > wrote: > > Hi Maz, > > >> Is there a way to connect to the server using the psql by using a >> certificate? >> > > Does the below work for you? > > PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h > localhost -p 5432 > > Change PSGSSLMODE by PGSSLMODE. My 2c. > > -- > Michael -- StormDB - http://www.stormdb.com The Database Cloud Postgres-XC Support and Service |
From: Nikhil S. <ni...@st...> - 2013-02-25 15:21:26
|
Try using

PGSSLKEY=/path/to/agent.key in psql.

Regards,
Nikhils

On Mon, Feb 25, 2013 at 7:51 PM, Maz Mohammadi <mmo...@pe...> wrote:
> Well, it seems that this is the way to connect it from the standard psql
> client. But I’m getting there ;(
>
> --------------
> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
> postgres-xc
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
> require
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/datanode1/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost
> -p 5432
> psql: certificate present, but not private key file
> "/var/lib/postgres-xc/.postgresql/postgresql.key"
> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
> /var/lib/postgres-xc/coord
> postgres-xc@adminuser-VirtualBox:~/coord$
> --------------
>
> Does the user ‘postgres-xc’ need to generate a private key file?
>
> postgresql.key does not exist. I take it that it IS NOT the same as
> server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>
> From: Michael Paquier [mailto:mic...@gm...]
> Sent: Monday, February 25, 2013 2:17 AM
> To: Nikhil Sontakke
> Cc: Maz Mohammadi; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...>
> wrote:
>
> Hi Maz,
>
>> Is there a way to connect to the server using the psql by using a
>> certificate?
>>
>
> Does the below work for you?
>
> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h
> localhost -p 5432
>
> Change PSGSSLMODE by PGSSLMODE. My 2c.
> > -- > Michael -- StormDB - http://www.stormdb.com The Database Cloud Postgres-XC Support and Service |
From: Jim M. <ji...@gm...> - 2013-02-25 14:29:27
|
On Mon, Feb 25, 2013 at 9:21 AM, Maz Mohammadi <mmo...@pe...> wrote:
> Well, it seems that this is the way to connect it from the standard psql
> client. But I’m getting there ;(
>
> --------------
> postgres-xc@adminuser-VirtualBox:~/coord$ whoami
> postgres-xc
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
> require
> postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
> /var/lib/postgres-xc/datanode1/server.crt
> postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
> -rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
> -rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
> -rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
> postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost
> -p 5432
> psql: certificate present, but not private key file
> "/var/lib/postgres-xc/.postgresql/postgresql.key"
> postgres-xc@adminuser-VirtualBox:~/coord$ pwd
> /var/lib/postgres-xc/coord
> postgres-xc@adminuser-VirtualBox:~/coord$
> --------------
>
> Does the user ‘postgres-xc’ need to generate a private key file?

Yes, for certificate authentication, you'll need to generate a key file and generate a cert in the postgres-xc home directory. When you generate the cert, you'll need to use the name of the postgresql user as the common name. The process is the same as logging into a website with a cert.

>
> postgresql.key does not exist. I take it that it IS NOT the same as
> server.key which is under /var/lib/postgres-xc/coord. Am I correct?
>
> From: Michael Paquier [mailto:mic...@gm...]
> Sent: Monday, February 25, 2013 2:17 AM
> To: Nikhil Sontakke
> Cc: Maz Mohammadi; pos...@li...
> Subject: Re: [Postgres-xc-general] can't access server through SSL
>
> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...>
> wrote:
>
> Hi Maz,
>
>> Is there a way to connect to the server using the psql by using a
>> certificate?
>> > > Does the below work for you? > > PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h > localhost -p 5432 > > Change PSGSSLMODE by PGSSLMODE. My 2c. > > -- > Michael > > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_feb > _______________________________________________ > Postgres-xc-general mailing list > Pos...@li... > https://lists.sourceforge.net/lists/listinfo/postgres-xc-general > |
From: Maz M. <mmo...@pe...> - 2013-02-25 14:21:22
|
Well, it seems that this is the way to connect it from the standard psql client. But I'm getting there ;(

--------------
postgres-xc@adminuser-VirtualBox:~/coord$ whoami
postgres-xc
postgres-xc@adminuser-VirtualBox:~/coord$ echo $PSGSSLMODE
require
postgres-xc@adminuser-VirtualBox:~/coord$ echo $PGSSLCERT
/var/lib/postgres-xc/datanode1/server.crt
postgres-xc@adminuser-VirtualBox:~/coord$ ls -l server.*
-rw-rw-r-- 1 postgres-xc postgres-xc 4608 Feb 25 09:00 server.crt
-rw------- 1 postgres-xc postgres-xc 1679 Feb 25 09:00 server.key
-rw-rw-r-- 1 postgres-xc postgres-xc 3587 Feb 25 09:00 server.req
postgres-xc@adminuser-VirtualBox:~/coord$ psql -U postgres-xc -h localhost -p 5432
psql: certificate present, but not private key file "/var/lib/postgres-xc/.postgresql/postgresql.key"
postgres-xc@adminuser-VirtualBox:~/coord$ pwd
/var/lib/postgres-xc/coord
postgres-xc@adminuser-VirtualBox:~/coord$
--------------

Does the user 'postgres-xc' need to generate a private key file?

postgresql.key does not exist. I take it that it IS NOT the same as server.key which is under /var/lib/postgres-xc/coord. Am I correct?

From: Michael Paquier [mailto:mic...@gm...]
Sent: Monday, February 25, 2013 2:17 AM
To: Nikhil Sontakke
Cc: Maz Mohammadi; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:

Hi Maz,

> Is there a way to connect to the server using the psql by using a certificate?

Does the below work for you?

PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432

Change PSGSSLMODE by PGSSLMODE. My 2c.

--
Michael
|
From: Maz M. <mmo...@pe...> - 2013-02-25 14:14:00
|
I downloaded the binaries, and it seems that it was built with openssl. I'm not getting any errors about missing libraries or .so files.

-maz

-----Original Message-----
From: Koichi Suzuki [mailto:koi...@gm...]
Sent: Monday, February 25, 2013 6:07 AM
To: Maz Mohammadi
Cc: Nikhil Sontakke; pos...@li...
Subject: Re: [Postgres-xc-general] can't access server through SSL

Did you specify "--with-openssl" when you ran ./configure? It is not turned on by default.

Regards;
----------
Koichi Suzuki

2013/2/25 Michael Paquier <mic...@gm...>:
> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>
>> Hi Maz,
>>
>> > Is there a way to connect to the server using the psql by using a
>> > certificate?
>>
>> Does the below work for you?
>>
>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>
> Change PSGSSLMODE by PGSSLMODE. My 2c.
> --
> Michael
|
From: Koichi S. <koi...@gm...> - 2013-02-25 11:07:23
|
Did you specify "--with-openssl" when you ran ./configure? It is not turned on by default.

Regards;
----------
Koichi Suzuki

2013/2/25 Michael Paquier <mic...@gm...>:
> On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
>>
>> Hi Maz,
>>
>> > Is there a way to connect to the server using the psql by using a
>> > certificate?
>>
>> Does the below work for you?
>>
>> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432
>
> Change PSGSSLMODE by PGSSLMODE. My 2c.
> --
> Michael
|
From: Michael P. <mic...@gm...> - 2013-02-25 07:18:18
|
On Mon, Feb 25, 2013 at 4:10 PM, Nikhil Sontakke <ni...@st...> wrote:
> Hi Maz,
>
> > Is there a way to connect to the server using the psql by using a
> > certificate?
>
> Does the below work for you?
>
> PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432

Change PSGSSLMODE by PGSSLMODE. My 2c.
--
Michael
|
From: Nikhil S. <ni...@st...> - 2013-02-25 07:11:18
|
Hi Maz,

> Is there a way to connect to the server using the psql by using a certificate?

Does the below work for you?

PSGSSLMODE=require PGSSLCERT=/path/to/agent.crt psql -d postgres -h localhost -p 5432

Regards,
Nikhils

> So I hope this provides enough information and I'm in the right place. Any help is greatly appreciated. I've been twisting my head on this :(
>
> -maz

--
StormDB - http://www.stormdb.com
The Database Cloud
Postgres-XC Support and Service
|
From: Michael P. <mic...@gm...> - 2013-02-25 06:20:52
|
On Mon, Feb 25, 2013 at 3:08 PM, kushal <kus...@gm...> wrote:
> I think it won't work for our requirements. Let me tell you the scenario.
>
> Suppose there is an existing PostgreSQL database instance DB1 with all
> types of unique constraints and foreign keys. So there is a PostgreSQL
> schema. Now it is required to just run the same schema file on XC
> coordinator without adding explicit distribute logic or modifying
> constraints. I think with current default distribution, it won't allow
> since there is restriction on number and nature of constraints.

Indeed. Constraints need to be enforceable to remote nodes in order to be used. For example primary keys on distributed tables can only be used if the distribution key contains the primary key.

> So as I see it, there can be two ways
> 1. Change the default distribution to replication or add distribute by
> replication somehow while creating tables.

Yeah there have been discussions in the past to change the default to replication, however the conclusion was that we could not spot all the potential problems especially with default set as replication. You will need to hack the code a bit to achieve that. It is not that difficult though.

> 2. Change the existing default distribution to allow multiple constraints
> or somehow control it at higher level. Can I just force the schema
> generation and then change the distribution to replication before inserting
> any data?

No, you can't enforce the schema generation directly before inserting data as replication can only be defined with CREATE TABLE.

> What should be the way to go?

Number 1 clearly, hack the code and have the default distribution set as REPLICATION if no DISTRIBUTE BY clause is specified in CREATE TABLE.
--
Michael
|
From: kushal <kus...@gm...> - 2013-02-25 06:09:38
|
I think it won't work for our requirements. Let me tell you the scenario.

Suppose there is an existing PostgreSQL database instance DB1 with all types of unique constraints and foreign keys. So there is a PostgreSQL schema. Now it is required to just run the same schema file on XC coordinator without adding explicit distribute logic or modifying constraints. I think with current default distribution, it won't allow since there is restriction on number and nature of constraints.

So as I see it, there can be two ways
1. Change the default distribution to replication or add distribute by replication somehow while creating tables.
2. Change the existing default distribution to allow multiple constraints or somehow control it at higher level. Can I just force the schema generation and then change the distribution to replication before inserting any data?

What should be the way to go?

--Kushal

On 25 February 2013 11:02, Michael Paquier <mic...@gm...> wrote:
> On Mon, Feb 25, 2013 at 2:12 PM, kushal <kus...@gm...> wrote:
>
>> Is there a way to change the default distribution to distribute by
>> replication during table generation?
>
> No, there is no such option. You need to specify DISTRIBUTE BY
> REPLICATION. There were discussions in the XC MLs in the past about adding
> a GUC that would control default distribution type though. One of the main
> stopover of this feature is that you need to regenerate the DDL query on
> Coordinator to take care of cases where nodes have a different default
> distribution to be sure that things are consistent in the cluster. I hoped
> that event triggers could implement DDL deparsing in PG core, but it looks
> that this is not going in for 9.3, and some of the PG committers don't
> really like being able to deparse DDL as it would mean that each new DDL
> command introduced would need to extend also the deparsing, adding
> unwelcome maintenance.
>
>> Can I control the number of replicas of any table across datanodes and
>> also control on what set of datanodes, replica/s can be generated?
>
> Yes. You can control where data of tables is replicated.
> For example, let's imagine that you have a cluster with Datanodes dn1,
> dn2, dn3 and dn4, you can create a table in such a way that its data is
> only replicated on nodes dn2 and dn4 with that:
> CREATE TABLE aa (a int) DISTRIBUTE BY REPLICATION TO NODE dn2,dn4;
>
> You can also specify a group of nodes:
> CREATE NODE GROUP mygroup WITH (dn2,dn4);
> CREATE TABLE aa (a int) DISTRIBUTE BY REPLICATION TO GROUP mygroup;
> --
> Michael
|
From: Ashutosh B. <ash...@en...> - 2013-02-25 05:35:14
|
Hi Maz,

Quickly, I can say that the same connection methods as Postgres will work with Postgres-XC. So, check if you can connect to a PostgreSQL server first and then try XC. In general XC configuration is more complicated than PostgreSQL, so it will help if you try things on Postgres before using Postgres-XC.

On Mon, Feb 25, 2013 at 10:42 AM, Maz Mohammadi <mmo...@pe...> wrote:
> Hi everyone,
>
> I posted this question on postgres-general, but found out that this is a
> better spot for it. So let me start again.
>
> I need to verify how I can connect to a postgres-xc (which I know is not
> the same as postgres) server from a JDBC datasource on tomcat using
> certificate authentication. I'm new to postgres, and I installed it
> (perhaps by mistake postgres-xc) on my Ubuntu virtual box. As I've
> understood it, there are many moving parts, and I figured out that I need
> to keep the configuration files in sync. So under /var/lib/postgres-xc
> there are these folders.
> coord,
> datanode1, and
> datanode2
>
> so far I had to start all of them + gtm (global transaction manager).
> Then I can connect to the server via psql
> postgres-xc@adminuser-VirtualBox:~/datanode2$ psql -h localhost
> psql: FATAL: connection requires a valid client certificate
> FATAL: no pg_hba.conf entry for host "127.0.0.1", user "postgres-xc", database "postgres", SSL off
> postgres-xc@adminuser-VirtualBox:~/datanode2$
>
> I have the following lines in the pg_hba.conf file under
> /var/lib/postgres-xc/coord
> --------
> local all postgres-xc peer
> hostssl all all 127.0.0.1/32 cert
> --------
> And ssl=on has been set in postgresql.conf for all nodes (datanode1,2 and
> coordinator).
>
> In all directories, I've placed server.key, server.crt and copied
> server.crt into root.crt.
>
> The client application is a tomcat app server, where I'm trying to create
> a JDBC data source. I'm using JDBC3 drivers. My jdbc url is
> jdbc:postgresql://localhost:5432:testdb?ssl=true........5432 is the
> coordinator's port. And when I try to test it, I get the following:
> "Connection attempt failed: FATAL: connection requires a valid client
> certificate"
> I get the same result when I try port 15432, which is the listen port of
> the one of the data nodes.
>
> As for the documentation on
> http://www.postgresql.org/docs/9.2/interactive/ssl-tcp.html, I've already
> been through it, and created the certificates and put them in java's
> keystore file.
> -Djavax.net.ssl.trustStore=/home/adminuser/pentaho/keycerts/mazstore
> -Djavax.net.ssl.trustStorePassword=password
>
> Is there a way to connect to the server using the psql by using a
> certificate?
>
> So I hope this provides enough information and I'm in the right place.
> Any help is greatly appreciated. I've been twisting my head on this :(
>
> -maz

--
Best Wishes,
Ashutosh Bapat
EnterpriseDB Corporation
The Enterprise Postgres Company
|
From: Michael P. <mic...@gm...> - 2013-02-25 05:33:22
|
On Mon, Feb 25, 2013 at 2:12 PM, kushal <kus...@gm...> wrote:
> Is there a way to change the default distribution to distribute by
> replication during table generation?

No, there is no such option. You need to specify DISTRIBUTE BY REPLICATION. There were discussions in the XC MLs in the past about adding a GUC that would control default distribution type though. One of the main stopover of this feature is that you need to regenerate the DDL query on Coordinator to take care of cases where nodes have a different default distribution to be sure that things are consistent in the cluster. I hoped that event triggers could implement DDL deparsing in PG core, but it looks that this is not going in for 9.3, and some of the PG committers don't really like being able to deparse DDL as it would mean that each new DDL command introduced would need to extend also the deparsing, adding unwelcome maintenance.

> Can I control the number of replicas of any table across datanodes and also
> control on what set of datanodes, replica/s can be generated?

Yes. You can control where data of tables is replicated.
For example, let's imagine that you have a cluster with Datanodes dn1, dn2, dn3 and dn4, you can create a table in such a way that its data is only replicated on nodes dn2 and dn4 with that:
CREATE TABLE aa (a int) DISTRIBUTE BY REPLICATION TO NODE dn2,dn4;

You can also specify a group of nodes:
CREATE NODE GROUP mygroup WITH (dn2,dn4);
CREATE TABLE aa (a int) DISTRIBUTE BY REPLICATION TO GROUP mygroup;
--
Michael
|
From: kushal <kus...@gm...> - 2013-02-25 05:13:29
|
Hi

Is there a way to change the default distribution to distribute by replication during table generation?
Can I control the number of replicas of any table across datanodes and also control on what set of datanodes, replica/s can be generated?

Thanks
Kushal
|
From: Maz M. <mmo...@pe...> - 2013-02-25 05:13:24
|
Hi everyone,

I posted this question on postgres-general, but found out that this is a better spot for it. So let me start again.

I need to verify how I can connect to a postgres-xc (which I know is not the same as postgres) server from a JDBC datasource on tomcat using certificate authentication. I'm new to postgres, and I installed it (perhaps by mistake postgres-xc) on my Ubuntu virtual box. As I've understood it, there are many moving parts, and I figured out that I need to keep the configuration files in sync. So under /var/lib/postgres-xc there are these folders.
coord,
datanode1, and
datanode2

so far I had to start all of them + gtm (global transaction manager). Then I can connect to the server via psql
postgres-xc@adminuser-VirtualBox:~/datanode2$ psql -h localhost
psql: FATAL: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "127.0.0.1", user "postgres-xc", database "postgres", SSL off
postgres-xc@adminuser-VirtualBox:~/datanode2$

I have the following lines in the pg_hba.conf file under /var/lib/postgres-xc/coord
--------
local all postgres-xc peer
hostssl all all 127.0.0.1/32 cert
--------
And ssl=on has been set in postgresql.conf for all nodes (datanode1,2 and coordinator).

In all directories, I've placed server.key, server.crt and copied server.crt into root.crt.

The client application is a tomcat app server, where I'm trying to create a JDBC data source. I'm using JDBC3 drivers. My jdbc url is jdbc:postgresql://localhost:5432:testdb?ssl=true........5432 is the coordinator's port. And when I try to test it, I get the following:
"Connection attempt failed: FATAL: connection requires a valid client certificate"
I get the same result when I try port 15432, which is the listen port of the one of the data nodes.

As for the documentation on http://www.postgresql.org/docs/9.2/interactive/ssl-tcp.html, I've already been through it, and created the certificates and put them in java's keystore file.
-Djavax.net.ssl.trustStore=/home/adminuser/pentaho/keycerts/mazstore
-Djavax.net.ssl.trustStorePassword=password

Is there a way to connect to the server using the psql by using a certificate?

So I hope this provides enough information and I'm in the right place. Any help is greatly appreciated. I've been twisting my head on this :(

-maz
|
From: Maz M. <mmo...@pe...> - 2013-02-25 01:56:07
|
From: Koichi S. <koi...@gm...> - 2013-02-22 08:24:05
|
Thanks Michael for the advice.

For more tips you should do, please look into a bash script pgxc_ctl available at https://github.com/koichi-szk/PGXC-Tools/tree/master/pgxc_ctl

Regards;
----------
Koichi Suzuki

2013/2/22 Michael Paquier <mic...@gm...>:
> On Fri, Feb 22, 2013 at 2:29 PM, kushal <kus...@gm...> wrote:
>>
>> Hi
>>
>> I am trying to create a setup with 2 coordinators and 2 datanodes on one
>> server. I am able to get the gtm and nodes up and running.
>>
>> Ports:
>> Data Node 1: 15442
>> Data Node 2: 15443
>> Coordinator 1: 15432
>> Coordinator 1: 15433
>>
>> Next I did 'psql -p 15432 postgres' and created two datanodes
>> CREATE NODE dn1 WITH (TYPE='datanode', PORT=15442);
>> CREATE NODE dn2 WITH (TYPE='datanode', PORT=15443);
>>
>> After that I create one database: 'Create database mydb'
>>
>> Now I can see mydb database on datanodes 1 and 2 and coordinator 1.
>> Also I can see the datanode 1 and 2 when I execute 'select * from
>> pgxc_node' on coordinator 1.
>>
>> But mydb database does not exist and datanodes 1 and 2 are not present in
>> pgxc_node table on coordinator 2.
>>
>> Is there anything I have missed?
>
> Yes, 2 things:
> - You have 2 Coordinators, so you need also to register Coordinator 2 on
> Coordinator 1 like that:
> psql -p 15432 -c "CREATE NODE coord2 WITH (TYPE='coordinator', PORT=15433)"
> And register Coordinator 1 on Coordinator 2 like that:
> psql -p 15433 -c "CREATE NODE coord1 WITH (TYPE='coordinator', PORT=15432)"
> - 2nd thing you forgot is to run this command on each Coordinator:
> select pgxc_pool_reload();
> This updates the pooler cache located on each Coordinator with latest node
> information.
>
>> I think this might be a very basic thing and I am sorry to bother you
>> guys. I tried and failed to search through the xc mailing lists for older
>> posts on similar topic. Is there a way to quickly filter the older posts for
>> quick check?
>
> Everything's here:
> http://sourceforge.net/search/?group_id=311227&type_of_search=mlists&source=navbar
> --
> Michael
|