we are facing an issue with enabling cert based authentication between client and pgbouncer 1.17.0.
Pgbouncer 1.17.0 and postgresql 14 are on the same host in different containers. There is TLS enabled between client and pgbouncer. The issue is that we want client to connect to pgbouncer with client key and certificate, the certificate will have a Common Name (lets say "abc") which wont be same as the user "joe" which is trying to login to pgbouncer, so here we want a mapping of the user "joe" to "abc". If we try to login as joe , Immediately we get error because pgbouncer will check the user ("joe") and Common Name ("abc") in cert and they doesn't match. What is the right way of solving this issue? otherwise how can different users login to pgBouncer?
On postgreSQL, this mapping can be done using pg_ident.conf but that support is not available in pgBouncer. What is the most secured way of achieving this authentication?
Related
I have 2 aws accounts having their own RDS instances(not publicly accessible) with db engine as postgresql 12.5. I downloaded RDS certificate from "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem".
I am using JDBC(postgresql driver) with properties ssl=true and sslrootcert="path to above certificate" to establish secure connections.
My questions:
This certificate is same for both aws accounts which have different names, so how does it work , Does ssl hand shake verifies that client(jdbc connection) is talking to rds.amazonaws.com or the actual RDS instance which has separate name ?
RDS certificates are replaced every 5 years, i.e. applications also have to update the certificate every 5 years or sooner than that once new certificate is available from RDS, is this correct ?
Q1.
Yes, its same for all accounts. You can download it from docs here. Its about the instances as explained in the docs:
Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance.
Q2.
You can update before actual expiration few months before. Last year it happened as explained here:
The server's certificates are each different. Each server sends its own cert when you ask to establish a SSL connection to it. The thing you download is the cert for the authority which signs each of the server certs. You (Or your JDBC) use it to verify that the per-server certs are genuine.
I am trying to connect Cloud SQL Postgres using JDBC Using SSL without Certificate Validation.
The option I passed to the JDBC connection is "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"
The connection fails with the below error:
[Permission denied] PSQLException: FATAL: connection requires a valid
client certificate
It seems the connect string options "sslfactory=org.postgresql.ssl.NonValidatingFactory" is not considered.
Can you please advise how to connect SSL Cloud SQL PostgreSQL without validating SSL certificate?
The server is demanding a client certificate to prove the identity of the client. This is an unusual setting, but if that is how the server is configured (via pg_hba.conf) you can't make it change its mind from the client side, other than perhaps switching to a connection method that matches a different pg_hba.conf line. But of course you can't do that unless another suitable pg_hba.conf entry exists, which is not under the client's control.
Talk to whoever is in charge of the server about either changing the configuration, or granting you a client cert.
There is no such thing as a non-validating client cert. It would be pointless: if you don't want to validate the client cert you just wouldn't demand one. If you just want encryption without validation, then the usual server cert (without validation) is entirely sufficient to do that.
Can we configure both Basic authentication and Certificate authentication for PostgreSQL simultaneously for the same IP address of client.
I think no , because they are 2 different authentication mechanisms and cannot co-exist at same time... because if we configure for certificate authentication , then it cannot use username password for authentication , but have to use only certificates for authentication.
Please help.
Yes, that is correct - you can use only one authentication method for a given connection.
Yes, you can specify clientcert in conjunction with any of the authentication methods. so md5 clientcert=verify-full would require both a cert and a password.
verify-full was only introduced in v12. Prior to that, you could only make it check that the cert was validly signed, not that the CN on the cert matched the username being claimed.
I tried myself.
In pg_hba.conf file, we can set MD5 authentication for 1 set of IP address and cert for another IP address range.
So 1 Postgres server can address 2 different authentication for 2 different IP address
Here is my scenario - I have a webapp and mongodb running on same host. And I have not enabled authorization in mongod.conf. So, my webapp, connects to mongodb with out any authentication. Now I want to provide access to mongodb for certain group of people who will connect from outside. Since, connections will be made from outside, I need to enable authentication. But, if I enable authentication webapp will not be able to connect to mongodb(which assumes mongodb is running on localhost and it does not require authentication). I do not want to change webapp to connect to mongodb with authentication. So, I want to disable authentication only for connections from localhost. Is it possible?
No, it's not possible from Mongo 3.0 version
The only case where localhost authentication bypass occurs is when there are no configured users, with enableLocalhostAuthBypass parameter (Enabled by default).
Your scenario can only be solved by creating multiple roles / users with different privileges
I am trying to configure SSL communication for PostgreSQL.
I have a self-signed cerificate and I am following these instructions as specified in URL "http://www.postgresql.org/docs/9.2/static/ssl-tcp.html".
When I configure SSL with a self signed certificate, as per the documentation the server will prompt for a (private key's password) password when it start-up.
My PostgreSQL is installed as a windows service.So, I want my service to start without any user intervention. Is there a way to configure private key password so that my database service starts up normally.
This would be a bad idea even if it were possible. You get very little additional security by putting both the key and the passphrase where the server process can see it. This adds a false sense of security and a greater chance of bad things happening.
If your tool won't give you a passphraseless key, use a different tool.