[pgpool-hackers: 2946] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Jesper Pedersen jesper.pedersen at redhat.com
Wed Aug 15 03:04:25 JST 2018


Hi,

On 07/21/2018 05:03 PM, Muhammad Usama wrote:
> *Using CERT authentication between Pgpool-II and frontend*
> 
> To use the cert authentication between Pgpool-II and frontend configure the
> following ssl configurations in pgpool.conf
> 
> ssl_key = '/server.key'
> 
> ssl_cert = 'server.crt'
> 
> ssl_ca_cert = 'root.crt'
> Note: You must use the same ssl certificates in Pgpool-II that are used by
> backend PostgreSQL server.
> 
> Now configure pool_hba.conf to use cert (in this example we want
> PostgreSQL user named cert_user to use cert auth)
> 
> 
> *hostssl    all         cert_user         0/0     cert*
> 
> 
> This will enable the cert authentication between pgpool and frontend
> clients. After this, cert_user will only be able to connect to Pgpool-II
> when it presents a valid ssl client certificate whose common name is
> the same as the database user name (cert_user in this case).
> 
> 
> You can use any other auth method for same cert_user in backend.
> 
> I will also share the detailed step by step guide for using the cert
> authentication later.
> 

Could you expand a bit on this?

I have

pg_hba.conf:
------------
hostssl  all  all  all  scram-sha-256 clientcert=1

so clients, in this case pgpool, require a certificate to connect.

However, in pgpool.conf I see

* ssl
* ssl_key
* ssl_cert
* ssl_ca_cert

which are "server" side configuration. We need an ssl_client_cert option,
right?

At the moment I get:

ERROR:  failed to authenticate
DETAIL:  connection requires a valid client certificate

psql works (-p 5432) through the implicit ~/.postgresql defaults.

The goal is to have SCRAM-SHA256 with SSL client certificate 
authentication in the entire stack: client <-> pgpool <-> PostgreSQL.

Thanks in advance!

Best regards,
  Jesper
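
Added example (not part of the original message, and not Pgpool-II or PostgreSQL code): a small Python model of what the two HBA rules quoted in this thread require of a client certificate, using first-match evaluation. The function names, the client address 192.0.2.10, the simplified parser, and the assumption that pool_hba.conf lines follow the pg_hba.conf layout are all illustrative.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "type database user address method options")

# The two rules quoted in this thread (emphasis asterisks removed).
POOL_HBA = "hostssl    all         cert_user         0/0     cert"
PG_HBA = "hostssl  all  all  all  scram-sha-256 clientcert=1"

def parse_hba(text):
    """Parse 'host*' lines in the type/db/user/CIDR/method[/options] form only."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0].startswith("host"):
            opts = dict(o.partition("=")[::2] for o in f[5:])
            rules.append(Rule(*f[:5], opts))
    return rules

def addr_matches(spec, client_ip):
    if spec == "all":
        return True
    net, _, bits = spec.partition("/")
    if ":" not in net:  # pad abbreviated IPv4 such as "0" to "0.0.0.0" (simplification)
        net = ".".join((net.split(".") + ["0"] * 3)[:4])
    network = ipaddress.ip_network(f"{net}/{bits or 32}", strict=False)
    return ipaddress.ip_address(client_ip) in network

def cert_requirement(rules, database, user, client_ip, ssl=True):
    """First matching rule wins. Returns (auth_method, client_cert_requirement)."""
    for r in rules:
        if (r.type == "hostssl" and not ssl) or (r.type == "hostnossl" and ssl):
            continue
        if r.database not in ("all", database) or r.user not in ("all", user):
            continue
        if not addr_matches(r.address, client_ip):
            continue
        if r.method == "cert":  # username maps (map=) are not modelled here
            return r.method, "cn-must-match-user"
        return r.method, ("valid-cert" if r.options.get("clientcert") == "1" else "none")
    return None, "reject"

def cert_accepted(requirement, user, presented_cn):
    """presented_cn: CN of a chain-validated client certificate, or None if none was sent."""
    if requirement == "none":
        return True
    if requirement == "reject" or presented_cn is None:
        return False
    return requirement == "valid-cert" or presented_cn == user
```

In this model the pg_hba.conf rule accepts any trusted certificate alongside the SCRAM exchange but fails when none is presented, while the pool_hba.conf `cert` rule additionally ties the certificate's common name to the database user.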

