Bug 1020952
| Summary: | [RFE] SSL encrypted connection for external PostgreSQL database | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Matej Kollar <mkollar> |
| Component: | Server | Assignee: | Matej Kollar <mkollar> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Korbel <mkorbel> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 560 | CC: | cperry, jhutar, mkollar, mkorbel, xdmoon |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | spacewalk-config-2.3.0-3-sat, spacewalk-setup-2.3.0-15-sat | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-20 11:18:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1128175 | ||
Spacewalk.git: b59805075c45e0d03156b48d76c4e9fb9b4c46d9 f04c975fc675e4eaa5d6535a2049f7e10abf8760 bc89a7d2b00da730b1655606622ff61dfe789a8a 01afc927f1fb519884cfe900c4169360fcbf243c 7a22df856e85d474132dfd667b1b5e24b6e66041 HowTo document for spacewalk: https://fedorahosted.org/spacewalk/wiki/HowToPostgreSQLoverSSL I agree Martin. It seems the instructions "How to setup Spacewalk with PostgreSQL database over SSL" work nice on a running Spw/Sat. However the Spw/Sat installer isn't ready to setup the server to communicate with the external DB via SSL only. Ideally if the installer would detect the external DB is setup to accept SSL connections, it would ask the user, whether he wants to setup Spw/Sat to communicate with the DB over SSL only. If so, it would set the "db_ssl_enabled = 1" to rhn.conf, and ask for the postgresql-db-root-ca.cert, or other needed information. I mean something a little different. No autodetect, but if the user configures the installer for installation with SSL (he has to set all required parameters CA certicate, port, ...) and this setting can be used in rhn.conf and Java before restarting of tomcat. I mean, we should have two ways to setup SSL: 1. installation with SSL (the installator automaticly configures rhn.conf and Java for using SSL) 2. installation without SSL (or existing satellite), manualy changes in rhn.conf and Java for enable SSL Some work on installer. spacewalk.git: d7be2430cc0ebf5aa803203898d3e24eb430f564 Also updated https://fedorahosted.org/spacewalk/wiki/HowToPostgreSQLoverSSL appropriately. upstream work spacewalk.git: 2a23154816658b06b73a6b577f6be31869a1b9ed Upstream work spacewalk.git: bcda94c0148a59e73c287d81e85a493cdbeb5e85 @#c18: That is ok. |
Description of problem: PostgreSQL supports SSL for connections. It would be convenient if Satellite had the ability to employ this particular feature. Version-Release number of selected component: Satellite 5.6 How reproducible: always/deterministic Steps to Reproduce: 1. Configure your external PostgreSQL to allow inbound connection only over SSL. 2. Restart Satellite. Actual results: Few things work (those that use pglib), but no certificate verification is performed. WebUI/other\ Java\ components that require direct database connection does not work at all). Expected results: All components are not only able to connect to database over SSL, provided certificate should be verified to mitigate unpleasant possibilities.