Try Puppet 
Search Puppet.com
Why Puppet

Puppet is the industry standard for IT automation.

Manage and automate more infrastructure and complex workflows in a simple, yet powerful way.

Customers
Open source
Cloud & Hybrid Automation

Accelerate your cloud journey with an enterprise automation platform for your hybrid estate.

Continuous Compliance

Enforce compliance across hybrid infrastructure with policy as code and model-driven automation.

Scaling DevOps

Modernize faster with Puppet DevOps consulting and infrastructure as code.

Use Cases
Integrations
ProductsEcosystem
Pricing & PackagingGet Puppet Enterprise

First 10 Nodes are free!

Custom consulting services

Get you up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Professional services
TrainingOpen source
Support
Puppet Compass Logo
Puppet Compass

Puppet Compass is your source for learning best practices to address common business challenges.

Get started
Resource library
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Puppet Events
Join us for a Puppet event

It's our community that makes Puppet great. Connect with Puppet users and employees.

Virtual events
Puppet CommunityContribute content
Connect
Puppet Events
About Us

Puppet frees you to do what robots can’t. We make automation software because you’ve got better things to do.

Company
Press & news
Our voiceWorking at Puppet

Setting up SSL for PostgreSQL

PuppetDB5.2
Sections

Talking to PostgreSQL using SSL/TLS

This guide will help you configure SSL/TLS-secured connectivity between PuppetDB and PostgreSQL.

When configuring SSL, you need to decide whether you will use:

  1. A self-signed certificate on the PuppetDB server (for example, the Puppet CA)
  2. A publicly signed certificate on the PuppetDB server

Both methodologies are valid, but while self-signed certificates are far more common in the real world, this type of configuration must be set up with care.

Before beginning, take a look at PostgreSQL’s secure TCP/IP connections with SSL documentation, which explains in detail how to configure SSL on the server side.

Note: Our guide focuses on server-based SSL. Client certificate support is not documented at this time.

Using Puppet’s certificates for SSL

If you don’t have a signed Puppet certificate on your PostgreSQL server, see the ssl documentaion for alternate SSL connection options.

Using Puppet certificates to secure your PostgreSQL server has the following benefits:

  • Because you are using PuppetDB, we can presume that you are using Puppet on each server. This means you can reuse the local Puppet agent certificate for PostgreSQL.
  • Because your local Puppet agent’s certificate must be signed for Puppet to work, you likely have an established workflow for getting these signed.
  • We also recommend this methodology for securing the HTTPS interface for PuppetDB.

Make sure you place your signed certificate and private key in the locations specified by the ssl_cert_file and ssl_key_file locations, and that you change the ssl setting to on in your postgresql.conf. Don’t forget to give the correct permissions for each file (such as chmod 0600 file). Otherwise, PostgreSQL will reject the key and cert files.

After this is done, modify the JDBC URL in the database configuration section for PuppetDB. For example:

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=verify-full&sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem
username = <USERNAME>
password = <PASSWORD>

Restart PuppetDB and monitor your logs for errors. If all goes well your connection should now be SSL. If you are on a PuppetDB version before 6.8.0, the sslfactory will be org.postgresql.ssl.jdbc4.LibPQFactory

Setting up SSL with a publicly signed certificate on the PuppetDB server

First, obtain your signed certificate using the process required by your commercial Certificate Authority.

Note: If you don’t want to pay for individual certificates for each server in your enterprise, you can probably get away with using wildcards in the subject or CN for your certificate. Note, however, that while at the moment DNS resolution based on CN isn’t tested using the default SSLSocketFactory, we do not know if this will change going forward, and therefore if wildcard support will be included.

Follow the documentation for secure TCP/IP connections with SSL, which explains in detail how to configure SSL on the server. Make sure you place your signed certificate and private key in the locations specified by the ssl_cert_file and ssl_key_file locations, and that you change the ssl setting to on in your postgresql.conf. Don’t forget to give the correct permissions for each file (such as chmod 0600 file). Otherwise, PostgreSQL will reject the key and cert files.

Because the JDBC PostgreSQL driver utilizes the Java’s system KeyStore, and because the system KeyStore usually contains all public CAs, there should be no trust issues with the client configuration. Simply modify the JDBC URL as provided in the database configuration section for PuppetDB.

For example:

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory
username = <USERNAME>
password = <PASSWORD>

Restart PuppetDB and monitor your logs for errors. Your connection should now be SSL.

Using a custom Java keystore

If your CA cert is not in Java’s default keystore, it may be necessary to create your own. Create a TrustStore containing your CA certificate. If you have been using PuppetDB for a while, you might already have such a file in /etc/puppetdb/ssl/truststore.jks. If not, the quickest way to create this file is:

$ sudo keytool -import -alias "My CA" -file /path/to/ca_crt.pem -keystore /etc/puppetdb/ssl/truststore.jks

Tell Java to use this TrustStore instead of the system’s default by specifying values for the properties for trustStore and trustStorePassword. These properties can be applied by modifying your service settings for PuppetDB and appending the required settings to the JAVA_ARGS variable. In Red Hat, the path to this file is /etc/sysconfig/puppetdb. In Debian, use /etc/default/puppetdb. For example:

# Modify this if you'd like to change the memory allocation, enable JMX, etc.
JAVA_ARGS="-Xmx192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetlabs/puppetdb/puppetdb-oom.hprof -Djavax.net.ssl.trustStore=/etc/puppetlabs/puppetdb/ssl/truststore.jks -Djavax.net.ssl.trustStorePassword=<PASSWORD>"

Note: Replace <PASSWORD> with the password you used to create the KeyStore, or the one found in /etc/puppetdb/ssl/puppetdb_keystore_pw.txt.

After this is complete, modify the database JDBC connection URL in your PuppetDB configuration as the documentation describes above for publicly signed certificates.

Disabling SSL verification

Warning: This is not recommended. SSL connections offer a higher level of security. Disabling SSL verification effectively removes the ability for the SSL client to detect man-in-the-middle attacks.

However, if you wish to disable SSL verification, you can do so by simply modifying your JDBC URL in the database configuration section of PuppetDB as follows:

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
username = <USERNAME>
password = <PASSWORD>

Restart PuppetDB and monitor your logs for errors. Your connection should now be SSL, with validation disabled.

See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project.
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.