I want to connect my quarkus app to a postgres instance with the reactive pg client.
The authentication is made through a verify-ca ssl mode.
With jdbc, I was able to connect to the db with this URI:
jdbc:postgresql://my.host:5432/myDb?targetServerType=master&ssl=true&sslmode=verify-ca&sslcert=/path/to/cert&sslkey=/path/to/key&sslpassword=&sslrootcert=/path/to/rootcert
With the reactive client, I got this error with the same URI (without the jdbc prefix of course):
java.lang.IllegalArgumentException: Trust options must be specified under verify-full or verify-ca sslmode
at io.vertx.pgclient.impl.PgConnectionFactory.initializeConfiguration(PgConnectionFactory.java:69)
I tried to define the quarkus.datasource.reactive.postgresql.ssl-mode option to verify-ca but it does not work.
Can anyone help me with this? Maybe I missed the documentation about the connection URI format, but I did not find anything relevant.
Thanks
Related
So I am trying to connect to postgres in golang using GSSAPI (kerberos). Currently I am using the pgx library along with gopgkrb5. I am successfully connecting and authenticating with gssapi; the only problem is that the connection is not secure. When I edit pg_hba.conf to accept only secure gssapi connections, it does not work (no entry found for insecure connection). I read that postgres supports GSSAPI encryption, but it seems like pgx (pgconn in particular) does not support it. Am I wrong? Or, if not, does pq support it?
As per the links below, PostgreSQL supports several SSL connection modes, but its ADO.NET driver, Npgsql, does not support the modes verify-ca and verify-full, which are supported by its JDBC driver.
Is there any reason for this?
Is it possible to use these modes somehow else?
PostgreSql docu
https://www.postgresql.org/docs/9.1/libpq-ssl.html
Npgsql driver docu
https://www.npgsql.org/doc/connection-string-parameters.html
JDBC driver docu
https://jdbc.postgresql.org/documentation/head/ssl-client.html
Npgsql will by default verify the server certificate, so SSL Mode=Require would correspond to libpq's verify-ca or verify-full (the documentation is not entirely clear on that).
From the documentation link in your question:
By default, Npgsql will validate your server's certificate; if you're using a self-signed certificate, this will fail. You can instruct Npgsql to ignore this by specifying Trust Server Certificate=true in the connection string. To precisely control how the server's certificate is validated, you can register UserCertificateValidationCallback on NpgsqlConnection (this works just like on .NET's SslStream).
Right now I have the following, which works:
host all all all ldap ldapserver=ldap.server.name ldapprefix="DOMAIN\"
But to my understanding, the connection between the LDAP server and the pg db isn't encrypted, and I need it to be. So I change to:
host all all all ldap ldapserver=ldap.server.name ldapprefix="DOMAIN\" ldaptls=1
This gives me an error saying "could not start ldap tls session connect error".
What are the steps that I'm missing in order to get this working? I have a feeling I need to be dropping certs somewhere on my LDAP instance or pg instance (or both), but I don't really have any experience configuring any of this.
If you are looking to use ldaptls=1, then please make sure that you are using the correct certs to connect to the LDAP server. Also, depending on how LDAP is set up, you may need to add ldapport=389 to tell Postgres to use the TLS port on the LDAP side.
More information at https://richyen.com/postgres/2018/02/09/making_postgres_talk_to_ldap_with_starttls.html
I provisioned Databases for PostgreSQL on IBM Cloud. Now I try to connect SQuirreL to my database. However, my attempts result in this error:
FATAL: no pg_hba.conf entry for host "xx.xx.xx.xx", user "myuser",
database "my-database", SSL off
Is this related to the JDBC driver or any SSL setting? The credentials say sslmode=verify-full, but not sure how to specify it in SQuirreL.
I was able to connect with the standard JDBC driver for PostgreSQL after changing the driver properties:
Simple, but not secure approach:
- ssl=true
- sslfactory=org.postgresql.ssl.NonValidatingFactory
Secure, more effort:
- download the SSL certificate as provided in the credentials
- add ?sslmode=verify-full&sslrootcert=path-to-certificate to the connection URI
Now SQuirreL connects to my database with IBM Cloud Databases for PostgreSQL. This also works with Hyper Protect DBaaS.
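The two approaches in the answer above differ in whether the server certificate is validated, and the reactive-client error in the first question concerns a verify mode with no trust anchor. The following is an added example, not part of any post on this page: a Python check that classifies the TLS parameters of a PostgreSQL connection URL. The function name `audit_pg_url` and every sample URL except the one quoted from the first question are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# What each sslmode value guarantees, per the PostgreSQL libpq documentation.
SSLMODE_LEVEL = {
    "disable": "plaintext",
    "allow": "encrypted-unverified",
    "prefer": "encrypted-unverified",
    "require": "encrypted-unverified",
    "verify-ca": "verified-ca",      # CA chain checked, host name not checked
    "verify-full": "verified-full",  # CA chain and host name checked
}

def audit_pg_url(url):
    """Return (level, notes) for the TLS parameters of a PostgreSQL URL."""
    if url.startswith("jdbc:"):
        url = url[len("jdbc:"):]  # urlsplit needs the inner postgresql:// URL
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {key: values[-1] for key, values in query.items()}
    notes = []
    mode = params.get("sslmode")
    if mode is None:
        level = "driver-default"
        notes.append("no sslmode: verification level is left to the driver")
    else:
        level = SSLMODE_LEVEL.get(mode, "unknown")
        if level == "unknown":
            notes.append(f"sslmode={mode} is not a recognised value")
    # A non-validating socket factory accepts any certificate, whatever sslmode says.
    factory = params.get("sslfactory", "")
    if factory.endswith("NonValidatingFactory") and level != "plaintext":
        level = "encrypted-unverified"
        notes.append("sslfactory=NonValidatingFactory: certificate is not validated")
    # verify-* needs a trust anchor; flag URLs that do not name one.
    if level.startswith("verified-") and not params.get("sslrootcert"):
        notes.append(f"sslmode={mode} without sslrootcert: no trust anchor in URL")
    return level, notes

# Sample URLs: the first is quoted from the first question; the rest are constructed.
SAMPLES = [
    "jdbc:postgresql://my.host:5432/myDb?targetServerType=master&ssl=true"
    "&sslmode=verify-ca&sslcert=/path/to/cert&sslkey=/path/to/key"
    "&sslpassword=&sslrootcert=/path/to/rootcert",
    "jdbc:postgresql://db.example.test:5432/app?ssl=true"
    "&sslfactory=org.postgresql.ssl.NonValidatingFactory",
    "postgresql://my.host:5432/myDb?sslmode=verify-ca",
    "jdbc:postgresql://db.example.test:5432/app?sslmode=verify-full"
    "&sslrootcert=/path/to/rootcert",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_pg_url(sample), sample)
```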
I can't connect to db using this code in application.conf:
db.default.driver=org.postgresql.Driver
db.default.url="jdbc:postgres:my_db123_dev"
db.default.user=my_user
db.default.password=123
The error: play.api.Configuration$$anon$1: Configuration error[Cannot connect to database [default]]
I'm not specifying localhost in there because it should be it by default.
I believe it should be postgresql, not postgres in your db.default.url.
Also, while the stuff below might not matter completely, it's good best practice:
Change db.default.url to jdbc:postgresql://localhost/my_db123_dev (having localhost there is always good).
Put quotes around your username and password, because it's good form.