[pgpool-hackers: 2946] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Jesper Pedersen
jesper.pedersen at redhat.com
Wed Aug 15 03:04:25 JST 2018
Hi,
On 07/21/2018 05:03 PM, Muhammad Usama wrote:
> *Using CERT authentication between Pgpool-II and frontend*
>
> To use the cert authentication between Pgpool-II and frontend configure the
> following ssl configurations in pgpool.conf
>
> ssl_key = '/server.key'
>
> ssl_cert = 'server.crt'
>
> ssl_ca_cert = 'root.crt'
> Note: You must use the same ssl certificates in Pgpool-II that are used by
> backend PostgreSQL server.
>
> Now configure pool_hba.conf to use cert ( in this example we want
> PostgreSQL user named cert_user to use cert auth)
>
>
> *hostssl all cert_user 0/0 cert*
>
>
> This will enable the cert authentication between pgpool and frontend
> clients. After this cert_user will only be able to connect to Pgpool-II
> when it will present the valid ssl client certificate with the certificate
> having the common name same as the database user name (cert_user in this
> case)
>
>
> You can use any other auth method for same cert_user in backend.
>
> I will also share the detailed step by step guide for using the cert
> authentication later.
>
Could you expand a bit on this?
I have
pg_hba.conf:
------------
hostssl all all all scram-sha-256 clientcert=1
so clients, in this case pgpool, require a certificate to connect.
However, in pgpool.conf I see
* ssl
* ssl_key
* ssl_cert
* ssl_ca_cert
which are "server" side configuration. We need an ssl_client_cert option,
right?
At the moment I get:
ERROR: failed to authenticate
DETAIL: connection requires a valid client certificate
psql works (-p 5432) through the implicit ~/.postgresql defaults.
The goal is to have SCRAM-SHA256 with SSL client certificate
authentication in the entire stack: client <-> pgpool <-> PostgreSQL.
Thanks in advance!
Best regards,
Jesper
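
Added example (not part of the original message, and not Pgpool-II or PostgreSQL code): a small audit of the two hba rules quoted in this thread, reporting for each hop whether the connecting side must present a client certificate. The helper names are hypothetical, rules are matched on user name only, and the accepted clientcert values are "1" as used above plus verify-ca and verify-full from newer PostgreSQL releases.

```python
# Added example; helper names are hypothetical, sample rules are the two quoted in the thread.
import ipaddress
from typing import NamedTuple, Optional

CLIENTCERT_VALUES = {"1", "verify-ca", "verify-full"}  # clientcert= values that demand a cert

class HbaRule(NamedTuple):
    conn_type: str
    database: str
    user: str
    address: Optional[str]
    method: str
    options: dict

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Parse hba records (assumption: no quoted fields, no @file includes)."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 4:
            continue  # blank, comment-only or incomplete line
        conn, db, user, rest = tok[0], tok[1], tok[2], tok[3:]
        address = None
        if conn != "local":
            address, rest = rest[0], rest[1:]
            if "/" not in address and rest and _is_ip(rest[0]):
                address, rest = address + " " + rest[0], rest[1:]  # "IP netmask" form
        if rest:
            opts = dict(o.split("=", 1) for o in rest[1:] if "=" in o)
            rules.append(HbaRule(conn, db, user, address, rest[0], opts))
    return rules

def cert_demand(rule):
    if rule.method == "cert":
        return "client cert required, CN must match user"
    if rule.options.get("clientcert") in CLIENTCERT_VALUES:
        return "client cert required, then " + rule.method
    return "no client cert"

def audit(pool_hba, pg_hba, user):
    out = {}
    for hop, text in (("frontend->pgpool", pool_hba), ("pgpool->backend", pg_hba)):
        match = next((r for r in parse_hba(text)
                      if r.user == "all" or user in r.user.split(",")), None)
        out[hop] = cert_demand(match) if match else "no matching rule"
    return out

POOL_HBA = "hostssl all cert_user 0/0 cert"                   # pool_hba.conf line from the thread
PG_HBA = "hostssl all all all scram-sha-256 clientcert=1"     # pg_hba.conf line from the thread
```

Calling audit(POOL_HBA, PG_HBA, "cert_user") shows a certificate demanded on both hops, which is why the backend hop fails when pgpool has no client certificate to present.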