puppetdb and client certificate


Fabrice Bacchella

Jul 16, 2014, 10:41:00 AM
to puppet...@googlegroups.com
I'm trying to authenticate a puppetdb on a postgresql server using a client certificate.

I managed to set up SSL on the server side without any problem, but http://docs.puppetlabs.com/puppetdb/2.1/postgres_ssl.html says:
"Note: At this point the documentation below only covers server-based SSL, client certificate support is not documented."

So did someone with a better knowledge of the postgresql jdbc connector try this and succeed?

Ken Barber

Jul 16, 2014, 11:06:29 AM
to Puppet Users
I wrote that document; at the time client-based certificates weren't
really supported or something like that.

Specifically, not supporting client auth is hinted at in the JDBC driver
details here: http://jdbc.postgresql.org/documentation/head/ssl-factory.html

I seem to recall there being a problem with the current default
SslFactory not allowing this kind of thing easily, but there is an
alternate factory one can possibly use:

https://github.com/pgjdbc/pgjdbc/blob/master/org/postgresql/ssl/jdbc4/LibPQFactory.java

Sorry, the main documentation page doesn't contain details of this
class; it's fairly unknown to most people. I had to go digging for it
in the source to find it.

This should in theory allow one to provide parameters in the JDBC url
to provide a client certificate, but I've never seen it working yet
(and we may not even ship a version of the jdbc driver that has this
class :-).

The parameters gleaned from the source are:

sslmode,sslcert,sslkey,sslrootcert,sslhostnameverifier,sslpasswordcallback,sslpassword

So you could construct something like:

[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //<HOST>:<PORT>/<DATABASE>?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=<whatever>&sslcert=<whatever>
... etc ...
username = <USERNAME>
password = <PASSWORD>

But the details are something I'm not across sorry, you'll have to
experiment on your own :-). Respond if you need more help, or if you
make more progress.

ken.
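To make the URL construction above concrete, here is an added example (not code from the thread, PuppetDB, or pgjdbc) that assembles the `subname` for `database.ini` from the LibPQFactory parameters listed in the post and audits the chosen `sslmode` using the libpq semantics Ken links to: `require` only encrypts, while `verify-ca` and `verify-full` actually check the server certificate against `sslrootcert`. The factory class name is the one quoted in the post; the host, port, database name and certificate paths are constructed placeholders, and the pgjdbc requirement that `sslkey` be a PKCS#8 DER file (unlike psql's PEM key) is noted from the driver's documentation, not from this thread.

```python
# Added example: build and sanity-check a PuppetDB database.ini subname that
# hands client-certificate parameters to pgjdbc's LibPQFactory.
# Parameter names come from the post; everything else is an assumption.

# Parameters the LibPQFactory reads from the JDBC URL (as listed in the post).
LIBPQ_SSL_PARAMS = ("sslmode", "sslcert", "sslkey", "sslrootcert",
                    "sslhostnameverifier", "sslpasswordcallback", "sslpassword")

# libpq sslmode semantics, which the factory mimics:
#   require      encrypts, but does NOT validate the server certificate
#   verify-ca    server certificate must chain to sslrootcert
#   verify-full  verify-ca plus a host-name check on the certificate
VERIFYING_MODES = {"verify-ca", "verify-full"}

# Class name as quoted in the post; check the exact name shipped in your driver jar.
DEFAULT_FACTORY = "org.postgresql.ssl.LibPQFactory"


def build_subname(host, port, database, factory=DEFAULT_FACTORY, **ssl_params):
    """Return the [database] subname value with ssl=true and the given factory params.

    Values are appended verbatim (no percent-encoding) so file paths stay readable
    in the ini file, which is how the post shows them.
    """
    unknown = sorted(set(ssl_params) - set(LIBPQ_SSL_PARAMS))
    if unknown:
        raise ValueError(f"not LibPQFactory parameters: {unknown}")
    query = {"ssl": "true", "sslfactory": factory}
    query.update(ssl_params)  # dict keeps insertion order on Python 3.7+
    return f"//{host}:{port}/{database}?" + "&".join(f"{k}={v}" for k, v in query.items())


def audit_ssl_params(ssl_params):
    """Return a list of findings; an empty list means the settings give mutual TLS."""
    findings = []
    mode = ssl_params.get("sslmode")
    if mode not in VERIFYING_MODES:
        findings.append(f"sslmode={mode!r} does not verify the server certificate; "
                        "use verify-full (or at least verify-ca) with sslrootcert")
    elif "sslrootcert" not in ssl_params:
        findings.append(f"sslmode={mode} needs sslrootcert to know which CA to trust")
    if ("sslcert" in ssl_params) != ("sslkey" in ssl_params):
        findings.append("sslcert and sslkey must be given together for client auth")
    if "sslpassword" in ssl_params:
        findings.append("sslpassword embeds the key passphrase in the config file; "
                        "prefer an unencrypted key with tight file permissions or sslpasswordcallback")
    if str(ssl_params.get("sslkey", "")).endswith(".pem"):
        findings.append("pgjdbc's LibPQFactory expects sslkey in PKCS#8 DER form (.pk8), not PEM")
    return findings


def render_database_ini(subname, username):
    """Render the [database] section in the layout used in the thread."""
    return "\n".join([
        "[database]",
        "classname = org.postgresql.Driver",
        "subprotocol = postgresql",
        f"subname = {subname}",
        f"username = {username}",
    ])


if __name__ == "__main__":
    # Constructed placeholder paths; adjust to your deployment.
    strong = dict(sslmode="verify-full",
                  sslrootcert="/etc/puppetdb/ssl/root.crt",
                  sslcert="/etc/puppetdb/ssl/puppetdb.crt",
                  sslkey="/etc/puppetdb/ssl/puppetdb.pk8")
    print(render_database_ini(build_subname("db.example.test", 5432, "puppetdb", **strong), "puppetdb"))
    for finding in audit_ssl_params(dict(strong, sslmode="require")):
        print("finding:", finding)
```

With `sslmode=require` the audit reports the missing server verification; with `verify-full` and a root certificate it reports nothing, and the rendered section can be dropped into `database.ini` as-is.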

Fabrice Bacchella

Jul 17, 2014, 7:04:57 AM
to puppet...@googlegroups.com
I got it!

I did it using the Java way (with a standard jks).

First create a jks with the private key for your account and put in it all the needed certificates in the chain (both server and user). The cn for the user certificate should match the username used later.

Add to your JVM args:
-Djavax.net.ssl.trustStore=.../puppetdb.jks -Djavax.net.ssl.trustStorePassword=<JKS password> -Djavax.net.ssl.keyStore=.../puppetdb.jks -Djavax.net.ssl.keyStorePassword=<JKS password>

In case of problems, "-Djavax.net.debug=ssl,defaultctx" might help.
My database.ini is:
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb?ssl=true
log-slow-statements = 10
username = puppetdb

In pg_hba.conf, I added:
hostssl all all 0.0.0.0/0 cert clientcert=1

And in postgresql.conf:
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'

The file root.crt contains all the needed certificates (both client and server).
The file server.crt contains only the server certificate.
The file server.key contains the private key.

Those 3 files are stored as PEM files.

org.postgresql.ssl.LibPQFactory is used if you want to mimic the psql client configuration and use PEM files instead of JKS; it takes the same arguments. Some documentation can be found at:
http://www.postgresql.org/docs/8.4/static/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
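The pg_hba.conf line in the post only does its job if nothing earlier in the file matches first: PostgreSQL takes the first matching rule, so a `host ... md5` line above it would silently let the puppetdb user in without a certificate, and a `hostssl` rule rejects plain-TCP connections only if no other rule admits them. Here is an added example (not from the thread or any project) that parses a pg_hba.conf in the CIDR form shown in the post and reports whether a given user, database and client address can only get in with certificate authentication. The sample configurations are constructed; the parser assumes one CIDR per address field and skips the two-field "ip netmask" form.

```python
# Added example: first-match evaluation of pg_hba.conf rules, used to confirm
# that the "hostssl ... cert clientcert=1" line from the post is not shadowed.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HbaRule:
    conn_type: str          # local | host | hostssl | hostnossl
    database: str
    user: str
    address: object         # IPv4Network / IPv6Network, or None for "local"
    method: str             # trust, peer, md5, cert, ...
    options: dict = field(default_factory=dict)


def parse_pg_hba(text: str) -> list[HbaRule]:
    """Parse pg_hba.conf lines; assumes CIDR addresses (the form used in the post)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[:3]
        if conn_type == "local":
            address, rest = None, fields[3:]
        else:
            address, rest = ipaddress.ip_network(fields[3], strict=False), fields[4:]
        options = dict(opt.partition("=")[::2] for opt in rest[1:])  # "k=v" -> {k: v}
        rules.append(HbaRule(conn_type, database, user, address, rest[0], options))
    return rules


def matches(rule: HbaRule, user: str, database: str, addr: str | None, ssl: bool) -> bool:
    """addr=None models a Unix-socket connection; otherwise a TCP client address."""
    if rule.conn_type == "local":
        return addr is None
    if addr is None:
        return False
    if rule.conn_type == "hostssl" and not ssl:
        return False
    if rule.conn_type == "hostnossl" and ssl:
        return False
    # IPv4 and IPv6 never match each other, so 0.0.0.0/0 does not cover ::1.
    if ipaddress.ip_address(addr) not in rule.address:
        return False
    if rule.database not in ("all", database) or rule.user not in ("all", user):
        return False
    return True


def first_match(rules, user, database, addr, ssl):
    """PostgreSQL semantics: the first matching line decides, later lines are ignored."""
    return next((r for r in rules if matches(r, user, database, addr, ssl)), None)


def audit_cert_only(text: str, user: str, database: str, addr: str) -> list[str]:
    """Findings are empty only when the user can connect solely via TLS + client cert."""
    rules = parse_pg_hba(text)
    findings = []
    tls = first_match(rules, user, database, addr, ssl=True)
    if tls is None:
        findings.append(f"no rule admits a TLS connection from {addr}; the client will be rejected")
    elif tls.method != "cert":
        findings.append(f"TLS connection is matched first by '{tls.conn_type} ... {tls.method}', "
                        "so certificate auth is shadowed")
    plain = first_match(rules, user, database, addr, ssl=False)
    if plain is not None:
        findings.append(f"a plaintext TCP connection is accepted by '{plain.conn_type} ... {plain.method}'")
    return findings


# Constructed sample: the layout from the post, preceded only by a Unix-socket rule.
GOOD_HBA = """
local   all   all                    peer
hostssl all   all   0.0.0.0/0        cert clientcert=1
"""

# Constructed sample: a permissive line placed above the cert rule shadows it.
SHADOWED_HBA = """
host    all   all   0.0.0.0/0        md5
hostssl all   all   0.0.0.0/0        cert clientcert=1
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_HBA), ("shadowed", SHADOWED_HBA)):
        print(name, audit_cert_only(conf, "puppetdb", "puppetdb", "127.0.0.1") or "ok")
    print("ipv6", audit_cert_only(GOOD_HBA, "puppetdb", "puppetdb", "::1"))
```

The IPv6 case matters with the `//localhost:5432` subname from the post: if the JVM resolves localhost to `::1`, a `0.0.0.0/0` rule never matches and the connection is refused, so add a `::/0` (or `::1/128`) hostssl line alongside it.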

Ken Barber

Jul 17, 2014, 10:01:53 AM
to Puppet Users
Aah well done :-).

Perhaps you can create a ticket with these details in it, that way it
will be preserved for other users and we can later find some time to
extend the current docs:

https://tickets.puppetlabs.com/browse/PDB

Of course you can always raise a pull request with the doc changes
yourself; if that's possible it would be greatly appreciated :-).

https://github.com/puppetlabs/puppetdb/blob/master/documentation/postgres_ssl.markdown

ken.


Fabrice Bacchella

Jul 17, 2014, 10:22:10 AM
to puppet...@googlegroups.com
The ticket: https://tickets.puppetlabs.com/browse/PDB-765

I leave the documentation pull request for people more fluent than me in English.