Primary/Standby Certificate Authentication Configuration
Scenarios
In the Lite scenario, the SSL certificate is required for direct authentication of the primary and standby nodes.
Prerequisites
The formal certificates and keys for the server and client have been obtained from the CA.
Precautions
Currently, openGauss supports only the X509v3 certificate in PEM format.
Procedure
Prepare certificates and private keys.
Conventions for configuration file names on the server:
- Certificate name: server.crt
- Private key name: server.key
- Private key password and encrypted file: server.key.cipher and server.key.rand
Conventions for configuration file names on the client:
- Certificate name: client.crt
- Private key name: client.key
- Private key password and encrypted file: client.key.cipher and client.key.rand
- Root certificate name: cacert.pem
- CRL file name: sslcrl-file.crl
Copy the certificates to the data directory of each node.
- Copy the configuration files server.crt, server.key, server.key.cipher, and server.key.rand on the server to the corresponding directories.
- Copy the configuration files client.crt, client.key, client.key.cipher, client.key.rand, and cacert.pem (if a CRL needs to be configured, the CRL must contain sslcrl-file.crl) on the client to the corresponding directories.
(Optional) Encrypt the user password (skip this step if private keys have been generated for the certificates).
- Primary node: gs_guc encrypt -M server -K <key password> -D ${GAUSSDATA}/
- Standby node: gs_guc encrypt -M client -K <key password> -D ${GAUSSDATA}/
${GAUSSDATA} indicates the data directory; <key password> is the password that protects the private key.
Configure SSL.
gs_guc set -D ${GAUSSDATA} -c "ssl=on"
gs_guc set -D ${GAUSSDATA} -c "ssl_ciphers = 'ALL'"
gs_guc set -D ${GAUSSDATA} -c "ssl_cert_file = 'server.crt'"
gs_guc set -D ${GAUSSDATA} -c "ssl_key_file = 'server.key'"
gs_guc set -D ${GAUSSDATA} -c "ssl_ca_file = 'cacert.pem'"
Export the following environment variables on the standby node (the permission of each referenced file must not be greater than 600):
export PGSSLCERT="${GAUSSDATA}/client.crt"
export PGSSLKEY="${GAUSSDATA}/client.key"
export PGSSLROOTCERT="${GAUSSDATA}/cacert.pem"
Restart the primary and standby openGauss in sequence.
gs_ctl restart -D ${GAUSSDATA}
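The procedure above depends on three things that gs_guc and gs_ctl do not check up front: every file named by the conventions is present in the data directory, the files the standby exports through PGSSLCERT, PGSSLKEY and PGSSLROOTCERT (and all private-key material) are no wider than mode 600, and each certificate is an X509v3 certificate in PEM format. The following pre-flight check is an added example, not part of openGauss or of this page; the file names and the 600 rule come from the steps above, while the minimal DER version check, the check_datadir() and x509_version() helpers, and the constructed sample certificates in demo() are this example's own assumptions.

```python
"""Pre-flight check for the primary/standby SSL certificate layout described above.
Added example: not openGauss tooling. Uses the standard library only."""
import base64
import os
import re
import stat

# File-name conventions from the procedure above.
SERVER_FILES = ("server.crt", "server.key", "server.key.cipher", "server.key.rand")
CLIENT_FILES = ("client.crt", "client.key", "client.key.cipher", "client.key.rand", "cacert.pem")
CRL_FILE = "sslcrl-file.crl"

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_header(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, length, start_of_content)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long-form: next n bytes hold the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, length, pos + 2 + n


def x509_version(pem_bytes):
    """Return the X.509 version (1, 2 or 3) of the first PEM certificate, or None if unparsable."""
    m = PEM_CERT.search(pem_bytes)
    if not m:
        return None
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        tag, _, tbs_pos = _der_header(der, 0)        # Certificate ::= SEQUENCE
        if tag != 0x30:
            return None
        tag, _, inner = _der_header(der, tbs_pos)    # tbsCertificate ::= SEQUENCE
        if tag != 0x30:
            return None
        # version is [0] EXPLICIT INTEGER; the field is omitted entirely for v1.
        if der[inner] != 0xA0:
            return 1
        if der[inner + 1:inner + 4] == b"\x03\x02\x01":
            return der[inner + 4] + 1               # INTEGER 2 encodes v3
    except (IndexError, ValueError):
        pass
    return None


def check_datadir(datadir, role, with_crl=False):
    """Check one node's data directory ("server" or "client") and return a list of problems."""
    needed = list(SERVER_FILES if role == "server" else CLIENT_FILES)
    if role == "client" and with_crl:
        needed.append(CRL_FILE)
    problems = []
    for name in needed:
        path = os.path.join(datadir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        # The standby exports all of its files via PGSSL*; key material is sensitive on both sides.
        strict = role == "client" or not name.endswith((".crt", ".pem"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if strict and mode & ~0o600:
            problems.append(f"{name}: mode {mode:04o} is wider than 600")
        if name.endswith((".crt", ".pem")):
            with open(path, "rb") as f:
                version = x509_version(f.read())
            if version != 3:
                problems.append(f"{name}: not an X509v3 PEM certificate (got {version})")
    return problems


def make_fake_pem(version):
    """Constructed sample: a DER skeleton carrying only the version and serial fields.
    Not a valid certificate; it exists only to exercise x509_version() offline."""
    tbs = b"" if version == 1 else b"\xa0\x03\x02\x01" + bytes([version - 1])
    tbs += b"\x02\x01\x01"                        # serialNumber INTEGER 1
    tbs_seq = b"\x30" + bytes([len(tbs)]) + tbs
    cert = b"\x30" + bytes([len(tbs_seq)]) + tbs_seq
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


def demo():
    """Lay out a constructed standby (client) data directory with two deliberate faults."""
    import tempfile
    d = tempfile.mkdtemp()
    for name in CLIENT_FILES:
        with open(os.path.join(d, name), "wb") as f:
            if name.endswith((".crt", ".pem")):
                f.write(make_fake_pem(1 if name == "cacert.pem" else 3))   # fault 1: v1 root cert
            else:
                f.write(b"constructed placeholder\n")
        os.chmod(os.path.join(d, name), 0o600)
    os.chmod(os.path.join(d, "client.key"), 0o644)                         # fault 2: key too open
    return sorted(check_datadir(d, "client"))


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run check_datadir("${GAUSSDATA}", "server") on the primary and check_datadir("${GAUSSDATA}", "client", with_crl=True) on the standby before the gs_guc and export steps; an empty list means the layout matches the conventions. The DER walk only reads the version field, so it is a format gate, not a substitute for full certificate validation, which openGauss performs against cacert.pem when the connection is established.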