Release History
Help

YMatrix

Quick Start

Deployment

Data Usage

Manage Clusters

Security

Best Practice

Technical Principles

Advanced Features

Guide

SQL Reference

FAQ

SSL Encrypted Transmission

Transport-layer encryption secures communication between clients and the database server, enhancing data transmission security. Administrators can specify the encryption method for connections between clients and servers through the pg_hba.conf configuration file.

SSL connections encrypt all data transmitted over the network, including passwords, query statements, and returned results. Clients can enforce SSL connections to the server.

Configuration Overview

Note!
SSL connection encryption requires OpenSSL to be installed on both the client and server, and SSL support must be enabled at compile time.

  • Example configuration in pg_hba.conf:
hostssl  all             mxadmin         10.51.0.40/32           scram-sha-256

Usage Example

  1. Install OpenSSL:

    sudo yum install openssl openssl-devel

  2. Navigate to the cluster directory and use OpenSSL to issue a certificate:

    cd $MASTER_DATA_DIRECTORY

  3. Generate a server certificate request:

    openssl req -new -text -out server.req

    Note!
    The PEM pass phrase must not be empty (e.g., enter 123456). Other fields may be left blank.

  4. Generate a password-protected key and decrypt it:

    openssl rsa -in privkey.pem -out server.key

    Note!
    Enter the PEM pass phrase provided in the previous step.

  5. Convert the certificate into a self-signed certificate:

    openssl req -x509 -in server.req -text -key server.key -out server.crt

  6. Restrict access permissions on the private key:

    chmod og-rwx server.key

  7. Configure the YMatrix server. Set ssl in postgresql.conf to on to enable SSL support when starting the YMatrix server:

    gpconfig -c ssl -v off -m on
gpstop -u
gpconfig -s ssl

  8. Capture network traffic using tcpdump:

    tcpdump -i enp33s0f0 -nn port 5432 -w /tmp/http.tcpdump

  9. Verify SSL connection from the client side (using another machine as the client):

    psql -h dev-150 -p 5432 -d postgres -U mxadmin

  10. Create a table and insert data:

    create table abcd(a text);
insert into abcd values('123456789');

  11. Open the packet capture file in Wireshark:
    Search for the inserted data pattern '123456789' in the captured packets (the plaintext should not be found).

    sudo yum -y install wireshark 
sudo yum -y install wireshark-gnome
wireshark /tmp/http.tcpdump

Comparison of Results

  • ssl = no
    ssl01
    ssl02

  • ssl = off
    ssl03

← Previous
GSSAPI
Next →
Encryption