Bug 1020952 - [RFE] SSL encrypted connection for external PostgreSQL database
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 560
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Matej Kollar
QA Contact: Martin Korbel
URL:
Whiteboard:
Depends On:
Blocks: sat570-misc
Reported: 2013-10-18 15:15 UTC by Matej Kollar
Modified: 2015-01-20 11:18 UTC (History)

Fixed In Version: spacewalk-config-2.3.0-3-sat, spacewalk-setup-2.3.0-15-sat
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-20 11:18:10 UTC
Target Upstream Version:
Embargoed:



Description Matej Kollar 2013-10-18 15:15:29 UTC
Description of problem:

  PostgreSQL supports SSL for connections. It would be convenient
  if Satellite had the ability to employ this particular feature.

Version-Release number of selected component: Satellite 5.6


How reproducible: always/deterministic


Steps to Reproduce:

  1. Configure your external PostgreSQL to allow
     inbound connections only over SSL.
  2. Restart Satellite.

Actual results:
  Few things work (those that use pglib), but no certificate verification is performed.
  WebUI/other Java components that require a direct database connection do
  not work at all.

Expected results:
  All components should not only be able to connect to the database over SSL;
  the provided certificate should also be verified to mitigate unpleasant possibilities.
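
An added example, not part of the original report or of Spacewalk's code: a small audit of libpq-style connection strings that flags the case described under "Actual results", where a client encrypts the session but does not verify the server certificate. It assumes the components in question are configured through libpq connection parameters (`sslmode`, `sslrootcert`); the host, database, user and paths in the samples are constructed.

```python
import shlex
from urllib.parse import urlsplit, parse_qs

# What each libpq sslmode guarantees, per the PostgreSQL client documentation.
VERDICTS = {
    "disable": "no-tls-guarantee",        # never encrypts
    "allow": "no-tls-guarantee",          # plaintext first, TLS only if forced
    "prefer": "no-tls-guarantee",         # TLS if offered, silent plaintext fallback
    "require": "tls-unverified",          # encrypts; the CA is checked only if a root
                                          # CA file happens to exist (not to be relied on)
    "verify-ca": "tls-ca-verified",       # chain checked, host name not checked
    "verify-full": "tls-fully-verified",  # chain and host name checked
}
VERIFIED = {"tls-ca-verified", "tls-fully-verified"}


def parse_conninfo(conninfo):
    """Parse a libpq keyword=value string or postgresql:// URI into a dict.

    Simplification: the keyword/value form must not have spaces around '='.
    """
    if conninfo.startswith(("postgresql://", "postgres://")):
        url = urlsplit(conninfo)
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        if url.hostname:
            params.setdefault("host", url.hostname)
        return params
    # shlex strips the single quotes libpq allows around values with spaces
    return dict(tok.split("=", 1) for tok in shlex.split(conninfo))


def audit(conninfo):
    """Return the verification verdict for one connection string."""
    mode = parse_conninfo(conninfo).get("sslmode", "prefer")  # libpq default
    return VERDICTS.get(mode, "invalid-sslmode")


def unverified(conninfos):
    """Connection strings that do not authenticate the database server."""
    return [c for c in conninfos if audit(c) not in VERIFIED]


# Constructed samples; none of these values come from the bug report.
SAMPLES = [
    "host=db.example.com dbname=satdb user=satuser",
    "host=db.example.com dbname=satdb sslmode=require",
    "postgresql://satuser@db.example.com/satdb?sslmode=verify-full"
    "&sslrootcert=/path/to/postgresql-db-root-ca.cert",
]

if __name__ == "__main__":
    for dsn in SAMPLES:
        print(f"{audit(dsn):20} {dsn}")
```

A server that accepts only SSL connections, as in the steps to reproduce, still lets the first two samples' modes connect without proving the server's identity; only `verify-ca` and `verify-full` do that.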

Comment 1 Matej Kollar 2013-11-04 13:18:06 UTC
Spacewalk.git:
  b59805075c45e0d03156b48d76c4e9fb9b4c46d9
  f04c975fc675e4eaa5d6535a2049f7e10abf8760
  bc89a7d2b00da730b1655606622ff61dfe789a8a
  01afc927f1fb519884cfe900c4169360fcbf243c
  7a22df856e85d474132dfd667b1b5e24b6e66041

Comment 3 Matej Kollar 2013-11-07 09:23:21 UTC
HowTo document for spacewalk: https://fedorahosted.org/spacewalk/wiki/HowToPostgreSQLoverSSL

Comment 6 Tomas Lestach 2014-11-28 13:23:46 UTC
I agree, Martin.
It seems the instructions "How to setup Spacewalk with PostgreSQL database over SSL" work nicely on a running Spw/Sat.
However, the Spw/Sat installer isn't ready to set up the server to communicate with the external DB via SSL only.

Ideally, if the installer detects that the external DB is set up to accept SSL connections, it would ask the user whether he wants to set up Spw/Sat to communicate with the DB over SSL only.
If so, it would set "db_ssl_enabled = 1" in rhn.conf, and ask for the postgresql-db-root-ca.cert, or other needed information.

Comment 7 Martin Korbel 2014-11-28 16:20:18 UTC
I mean something a little different. No autodetect, but if the user configures the installer for installation with SSL (he has to set all required parameters: CA certificate, port, ...), this setting can be used in rhn.conf and Java before restarting tomcat.
I mean, we should have two ways to set up SSL:
1. installation with SSL (the installer automatically configures rhn.conf and Java for using SSL)
2. installation without SSL (or an existing satellite), manual changes in rhn.conf and Java to enable SSL

Comment 8 Matej Kollar 2014-12-11 14:53:22 UTC
Some work on installer.

spacewalk.git: d7be2430cc0ebf5aa803203898d3e24eb430f564

Also updated https://fedorahosted.org/spacewalk/wiki/HowToPostgreSQLoverSSL appropriately.

Comment 9 Matej Kollar 2014-12-16 08:09:26 UTC
Upstream work
spacewalk.git: 2a23154816658b06b73a6b577f6be31869a1b9ed

Comment 13 Matej Kollar 2015-01-06 09:15:16 UTC
Upstream work
spacewalk.git: bcda94c0148a59e73c287d81e85a493cdbeb5e85

Comment 22 Matej Kollar 2015-01-20 08:37:30 UTC
@#c18: That is ok.

