Setting up an external PostgreSQL database server
You need to create the certificates and database objects if you use the new external database server for the first time to configure the external PostgreSQL database for IM or Zen service.
Complete the following procedures to set up the external database server:
- Setting up certificate for external database server
- Installing a PostgreSQL database
- Configuring a PostgreSQL database
- Creating database objects
Setting up certificate for external database server
To set up the Intermediate certificate authority (CA), database server certificate, and database client certificate, complete the following steps:
-
Set up the intermediate CA.
-
Generate the CA certificate singing request (CSR).
openssl req -new -nodes -text \ -out root.csr \ -keyout root.key \ -subj "/CN=IBM <IM or Zen service> Intermidiate Certificate Authority"
You can replace
<IM or Zen service>
withIM
orZen
service. -
Sign a CA certificate with
openssl
.find / -name openssl.cnf 2> /dev/null
openssl x509 -req -in root.csr \ -text \ -days 3650 \ -extfile /etc/pki/tls/openssl.cnf \ -extensions v3_ca \ -signkey root.key -out root.crt
chmod og-rwx root.key
-
-
Set up the database server certificate.
-
Generate the database server CSR.
openssl req -new -nodes -text \ -out server.csr \ -keyout server.key \ -subj "/CN=*.fyre.ibm.com"
chmod og-rwx server.key
-
Sign a database server certificate with the internal intermediate CA.
openssl x509 -req \ -in server.csr -text -days 730 \ -CA root.crt -CAkey root.key -CAcreateserial \ -out server.crt
-
-
Set up a database client certificate.
-
Generate the database client CSR.
openssl req -new -nodes -text \ -out client.csr \ -keyout client.key \ -subj "/CN=<username>"
You can replace
<username>
with the database username such asim_user
orzen_user
.chmod og-rwx client.key
-
Sign a database client certificate with the internal intermediate CA.
openssl x509 -req \ -in client.csr -text -days 730\ -CA root.crt -CAkey root.key -CAcreateserial \ -out client.crt
-
-
Verify the
root.crt
,server.crt
, andclient.crt
certificates.openssl x509 -in root.crt -noout -subject -issuer -startdate -enddate openssl x509 -in server.crt -noout -subject -issuer -startdate -enddate openssl x509 -in client.crt -noout -subject -issuer -startdate -enddate
-
Export
client.key
,client.crt
, androot.crt
certificates in the PEM formatopenssl rsa -in client.key -outform PEM -out client_key.pem openssl x509 -in client.crt -outform PEM -out client.pem openssl x509 -in root.crt -outform PEM -out root.pem
-
Verify the
root.pem
andclient.pem
certificates.openssl x509 -in root.pem -noout -subject -issuer -startdate -enddate openssl x509 -in client.pem -noout -subject -issuer -startdate -enddate
Installing a PostgreSQL database
Install the PostgreSQL version 16 to set up the database server and connections. To install the PostgreSQL version 16, complete the following steps:
-
Download and install the PostgreSQL version 16.
sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm sudo dnf -qy module disable postgresql sudo dnf install -y postgresql16-server
-
Create the PostgreSQL database cluster.
sudo /usr/pgsql-16/bin/postgresql-16-setup initdb
-
Enable and start the
Postgresql-16
service.sudo systemctl enable postgresql-16 sudo systemctl start postgresql-16 sudo systemctl status postgresql-16
Configuring a PostgreSQL database
To configure the PostgreSQL database for the new external database server, complete the following steps:
-
Copy the
server.crt
,server.key
, androot.crt
files to the$PGDATA
directory (/var/lib/pgsql/16/data
) and change the owner of the files topostgres
.cp -p server.crt /var/lib/pgsql/16/data/server.crt cp -p server.key /var/lib/pgsql/16/data/server.key cp -p root.crt /var/lib/pgsql/16/data/root.crt chown postgres:postgres /var/lib/pgsql/16/data/server.* chown postgres:postgres /var/lib/pgsql/16/data/root.*
-
Access shell prompt for
postgres
to edit the files.su - postgres cd $PGDATA
-
Edit the
postgresql.conf
file to update the following values.listen_addresses = '*' max_connections = 600 ssl = on ssl_ca_file = 'root.crt' ssl_cert_file = 'server.crt' #ssl_crl_file = '' #ssl_crl_dir = '' ssl_key_file = 'server.key'
-
Edit the
pg_hba.conf
file to add the following command to enable SSL encryption for database connections.hostssl all all 0.0.0.0/0 cert
Creating database objects
To create the database objects, complete the following steps:
-
Create the database, database user, and monitoring schema.
-
For
Zen
service, run the following command:psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'zen'" | grep -q 1 || psql -U postgres -c "CREATE DATABASE zen" psql -U postgres -tc "SELECT 1 FROM pg_user WHERE usename = 'zen_user'" | grep -q 1 || psql -U postgres -c "CREATE USER zen_user" psql -U postgres -c "GRANT CONNECT ON DATABASE zen TO public;" -c "ALTER DATABASE zen OWNER TO zen_user;" -c "GRANT ALL PRIVILEGES ON DATABASE zen to zen_user;" psql -U postgres -d zen -tc "SELECT 1 FROM information_schema.schemata WHERE schema_name = 'watchdog'" | grep -q 1 || psql -U postgres -d zen -c "CREATE SCHEMA watchdog;" -c "ALTER SCHEMA watchdog OWNER TO zen_user;" -c "GRANT ALL ON SCHEMA watchdog TO zen_user;" psql -U postgres -d zen -c "ALTER DATABASE zen SET timezone TO 'Etc/UTC';"
Zen supports the
watchdog
andpublic
monitoring schemas. You can update theschema_name =
in the command withwatchdog
orpublic
for theZen
service. -
For
IM
service, run the following command:psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'im'" | grep -q 1 || psql -U postgres -c "CREATE DATABASE im" psql -U postgres -tc "SELECT 1 FROM pg_user WHERE usename = 'im_user'" | grep -q 1 || psql -U postgres -c "CREATE USER im_user" psql -U postgres -c "GRANT CONNECT ON DATABASE im TO public;" -c "ALTER DATABASE im OWNER TO im_user;" -c "GRANT ALL PRIVILEGES ON DATABASE im to im_user;" psql -U postgres -d im -c "ALTER DATABASE im SET timezone TO 'Etc/UTC';"
IM operator creates the required database schemas for the
IM
service.
-
-
Restart the PostgreSQL database.
sudo systemctl restart postgresql-16
You can start the external database connection for IM or Zen service after you set up the external database server. To configure an external PostgreSQL database for IM or Zen service, see Configuring an external PostgreSQL database for IM or Configuring an external PostgreSQL database for Zen.