Generally, group access is enabled to allow an unprivileged user to backup the database, and in that case the backup software will not be able to read the certificate files and will likely error. If the data directory allows group read access then certificate files may need to be located outside of the data directory in order to conform to the security requirements outlined above. The user under which the PostgreSQL server runs should then be made a member of the group that has access to those certificate and key files. That setup is intended for installations where certificate and key files are managed by the operating system. Alternatively, the file can be owned by root and have group read access (that is, 0640 permissions). On Unix systems, the permissions on server.key must disallow any access to world or group achieve this by the command chmod 0600 server.key. By default, these files are expected to be named server.crt and server.key, respectively, in the server's data directory, but other names and locations can be specified using the configuration parameters ssl_cert_file and ssl_key_file. To start in SSL mode, files containing the server certificate and private key must exist.
#CONFIGURE POSTGRESQL TO ALLOW REMOTE CONNECTION HOW TO#
By default, this is at the client's option see Section 21.1 about how to set up the server to require use of SSL for some or all connections.
The server will listen for both normal and SSL connections on the same TCP port, and will negotiate with any connecting client on whether to use SSL. With SSL support compiled in, the PostgreSQL server can be started with support for encrypted connections using TLS protocols enabled by setting the parameter ssl to on in nf.
0 kommentar(er)
