Enabling TLS server certificate validation between internal PostgreSQL database and product components
The internal PostgreSQL database communicates with the following components of TrueSight Capacity Optimization:
- Application Server
- Local ETL Engine Server
Before you begin
Ensure that you use the supported database version. For more information, see TLS considerations for TrueSight Capacity Optimization.
To enable TLS 1.2 with server certificate validation, complete the following steps:
Important
If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.
I. Procure and copy the PostgreSQL server security certificate
Procure the PostgreSQL database server certificate (in the x509 format) from the system administrator of your organization if a self-signed certificate is used. For example, postgres.crt. If a certificate that is signed for PostgreSQL by an enterprise certificate authority (CA) or a third-party CA is used, import this signed certificate to avoid importing of multiple certificates signed by the same authority for all TLS connections.
Save the procured certificate file in the following locations:
Component Location Application Server <Application Server Installation Directory>/secure Local ETL Engine Server <Local ETL Engine Server Installation Directory>/secure
II. Install the security certificate
The Application Server and local ETL Engine Server use the cotruststore.ts truststore to communicate with the PostgreSQL database. This truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.
Complete the following steps on both the Application Server and the local ETL Engine Server to import the security certificate into their truststore files:
Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:
export PATH=<Server Installation Directory>/jre/bin:$PATH
Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:
keytool -importcert -trustcacerts -file <path>/postgres.crt -keystore cotruststore.ts -alias CODB
When you are prompted, enter the password to access the keystore.
When you are prompted to trust the certificate, enter Yes.
The certificate is imported in the truststore.
III. Configure the components to enable TLS
Complete the following configuration steps on both the Application Server and the local ETL Engine Server:
- Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.
#Example switchTLSmode.pl -on –dbport 2484 -tspwd -flow codb |
2. When you are prompted, enter the password to access the truststore.
The communication between the internal PostgreSQL database and the Application Server, and between the internal PostgreSQL database and local ETL Engine Server are now TLS 1.2 enabled with server certificate validation.
Comments
Log in or register to comment.