Step 3: Configuring Postgres for SSL

You must configure SSL certificates for Postgres to prevent the possibility of a Man-in-the-Middle (MITM) attack between the master and receiver appliance.

For the verify-full security option, a server.crt, server.key, and root.crt is required for each of the appliances. For the verify-ca security option, you require the server.crt, server.key, and root.crt but it is a lower security option that might not verify against the common name, depending on the certificate authority. The require option does not provide server identity verification and does not require the server to be trusted by the Certificate Authority. However, it does provide data encryption between the master and receiver appliances.

Configure Postgres for SSL by either manually installing the Postgres SSL certificates or by supplying the certificates to be installed by Ansible®, both of which are described below.

Note: If you are using an intermediate.crt or multiple intermediate.crt files in a chain, each intermediate.crt file must be concatenated to the server.crt file, in the correct order. For example: 
bash$ leaf.crt intermediate1.crt intermediate2.crt intermediate3.crt > server.crt
The server.crt can also be called a leaf.crt but the final certificate must be called server.crt for DR.

Manually installing postgres SSL certificates

About this task

Complete the following steps to configure Postgres for SSL by manually installing the Postgres SSL certificates. You must specify the manual option in the vault file, as described in Step 5: Creating Ansible vault files. Complete these configuration steps on each of the appliances.

Procedure

  1. On one of the appliances, create the /crypt/postgresql directory with the owner:group set to postgres:postgres and the permissions set to 0750.
  2. Place the server.crt in the /crypt/postgresql directory with the owner:group set to postgres:postgres and the permissions set to 0644.
  3. Place the server.key in the /crypt/postgresql directory with the owner:group set to postgres:postgres and the permissions set to 0600.
  4. On the other appliance:
    1. Create the .postgresql directory in the home directory of the postgres user, for example, /var/lib/pgsql/.postgresql with the owner:group set to postgres:postgres and the permissions set to 0731.
    2. To enable the postgres client to trust the server.crt, place the root.crt in the .postgresql directory with the owner:group set to postgres:postgres and the permissions set to 0644.
    Note: For the verify-full postgres SSL security setting, you must ensure that the inv_vars_master_host matches the server.crt common name, otherwise the connection will fail because of a suspected MITM (man-in-the-middle) attack. The result of this is that you need two server.crt files and two server.key files, one set for each host.
    Tip: To check that OpenSSL on the appliance can verify the server certificates using the root certificate, run the following command as the root or postgres user from the /crypt/postgresql directory on either of the appliances:
    openssl verify -CAfile root.crt server.crt
    If configured correctly, this returns:
    server.crt: OK

What to do next

Ensure that you complete these configuration steps on both of the SOAR Platform systems.

After the appliances are configured, proceed to Step 4: Creating Ansible inventory files.

Supplying postgres SSL certificates

About this task

Complete the following steps to supply the postgres SSL certificates to be installed by Ansible. You must also specify the supply method in the vault file as described in Step 5: Creating Ansible vault files. It is important to supply the correct certificates in the correct SSL certificates vault file, especially if you are using the verify-full security setting. The certificates and certificate vault file must relate to the master host specified in the same inventory file.

Procedure

  1. Make two copies of the ansible/templates/ssl_certs_vault.template.yml template file and rename them to ansible/files/ssl_certs_vault_machine_a.yml and ansible/files/ssl_certs_vault_machine_b.yml. Use each vault file for the corresponding machine's SSL certificates file and replace the tags in each file with the corresponding certificate content.
  2. Make the following changes for each of the two files:
    • Replace <INSERT_ROOT_CERT_HERE> with the root.crt.
    • Replace <INSERT_SERVER_CERT_HERE> with the server.crt.
    • Replace <INSERT_SERVER_KEY_HERE> with the server.key.
    Attention: The indentation and formatting must be exactly as defined by the yml format. The entire contents must have the same indentation from start to finish for each inserted certificate.
    The following example shows a sample ssl certificates vault file:
    # Place your ssl certificate files
ssl_cert_files:
  /crypt/postgresql/root.crt:
    owner: "postgres"
    group: "postgres"
    mode: "0644"
    content: |
      -----BEGIN CERTIFICATE-----
      MIIDHTCCAgWgAwIBAgIJAOJr4mI/E3FJMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
      BAMMGnJvb3QucmVzaWxpZW50LmxvY2FsZG9tYWluMB4XDTE4MDYyMTEyMDUwNVoX
      DTI4MDYxODEyMDUwNVowJTEjMCEGA1UEAwwacm9vdC5yZXNpbGllbnQubG9jYWxk
      b21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuYZ1ilzZ/itAy
      iG7uijxwLS4i591V2YHAxqPa41uJCI5X4oRUiqNj+hWURyb+SaRzrIwIeQ1I9Mid
      aeT6G1tmpMsD8ergw______SAMPLE_SAMPLE_____sdfcawfaUb9Zedfc2341sdc
      WkEObT6G1tmpMsD88XvXvGZOkJUHPMTjGMIgcT0/Ub9ZFh95kpv0Ii8GAYQtC7ns
      mvUYZkmBSYdgSPBzzSb/0M1tC5n5eH97LsgA6wRHM7ggmvn5dxYZ/Gj6xhYzxeGW
      fZ7ZzG3u9cgCWKLxeW5tz10ZRgLQdqy18FIrlIZaFh84EPCo661Kt8CGEMn1zeqH
      Dfrk0/b0+KdHPhYWGEEKDcPH5YKIWsW4cO7F2/gggJcw/i/vdJe6KmLjJjeb4Qyz
      BcAMKyqmLVC/y1mRHmPq5uLHJ5vgJWzL+dRLNjIWuVl5eoif6yshlaaalcpoASWH
      -----END CERTIFICATE-----
  /crypt/postgresql/server.crt:
    owner: "postgres"
    group: "postgres"
    mode: "0644"
    content: |
      -----BEGIN CERTIFICATE-----
      MIICujCCAaICCQCfQ+J6H0EctzANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpy
      b290LnJlc2lsaWVudC5sb2NhbGRvbWFpbjAeFw0xODA2MjExMjA1MDdaFw0xOTA2
      MjExMjA1MDdaMBkxFzAVBgNVBAMMDjE3Mi4xNi4xOTAuMTMwMIIBIjANBgkqhkiG
      9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4608b8Tk13RPRnlVOvyf3UzAaeahlC7/VvfD
      8Rvax7X+NVxExWJAU1RpZD+pKT3u/cO9kA8xXCjT2NfJuytt+g/rajebyPFhcm9q
      aeT6G1tmpMsD8ergw______SAMPLE_SAMPLE_____sdfcawfaUb9Zedfc2341sdc
      qr8hPOX+pjuEYJXxLaY35PPGG8ZjI6m7k9s50O0BVDn/TQN7sMlnWwThLSmEvQv7
      p2OgBHllwSVHfRlAcZtcAaIyQA6Ibe4GaQH64EznrIyMD6wtKDp3Y8dxTpP93o4m
      VDlR/KWuasLmhpmQwqTdNSM7htDUL9gltoBmJHU22l2TthLkL0zRCNef07gA3YKz
      H+l/EQjSzYfPPpTHangPbv8muomV0vut4XwbpfmQF16SZI1GojTmgR/e+ZzBqttw
      OaB2BJhhtjse2Z+iPREq+y4ug2ZRZ0U2tcPYUG4mth67jmvsbfwoiefazq20jkmi
      -----END CERTIFICATE-----
  /crypt/postgresql/server.key:
    owner: "postgres"
    group: "postgres"
    mode: "0600"
    content: |
      -----BEGIN PRIVATE KEY-----
      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDjrTxvxOTXdE9G
      eVU6/J/dTMBp5qGULv9W98PxG9rHtf41XETFYkBTVGlkP6kpPe79w72QDzFcKNPY
      18m7K236D+tqN5vI8WFyb2qCgQHRLp0S/xfYgCksdzdKu3szui4Gi0XPWWPSdV1E
      32zLYuFMSm2JDZh7jQ82oVSrKCoMw4ERKORTFT0CGIh8Wb1plboTLRg4QG+xGLRe
      GeIasvaDu+sVVcr3B3lVC88PnwcrV8OKf2lnn/LCrOvtOSerNPRg9hqROZ+F+bwu
      uhXRjgqBiLQ0mnEoSDL1d9ItX5ep6aEvv+ew6+i2eNEoRIc3H4AB2ULIkVymqqb0
      aeT6G1tmpMsD8ergw_____SAMPLE_SAMPLE______sdfcawfaUb9Zedfc2341sdc
      lwM/nnp6fErE53ZFmdZkSLtZ2uJzWrLjuhqxoC90lvuhffI3rai4dWN1PwgLZ4E7
      rI8H+q1SFLhLftoTyTGbuop7PaeJGETi+8BTCcTvwDAmT/PNt7s93ySQ2YXpVoc6
      EwU85KlXAB3ZjOCo96HgI11pueX8PCbl+L1KFjkhAoGBAIg/H9ghvQEkRvjW4a+s
      N0I2WzVsj6MqVH7DgcD72hLcj012rohPywos3zjW85dQWka+53pScfLMzqLAu8tz
      LZAn/3ilPMcDy/ge7RYxPcSufxI/RDJ465u3Sf2lExC5uErFg7QhYGBeLufrZX3W
      XnkjUVkkZ44626OWsMyq85MXWFGBNOFDGLPOIUSCVJDJIJIZAIDJPzhwihsc239r
      -----END PRIVATE KEY-----
  3. Activate the built-in Ansible environment. 
    source /opt/ansible-venv/python/ansible-python-env-latest/bin/activate
  4. To protect the SSL certificate vault files, encrypt each file using the following command: 
    ansible-vault encrypt ssl_certs_vault_machine_a.yml
ansible-vault encrypt ssl_certs_vault_machine_b.yml
    Note: Because of an Ansible limitation, you must use the same password when encrypting all of your vault files, including ssl_certs_vault_machine_a.yml and ssl_certs_vault_machine_b.yml.
    Note: To subsequently decrypt the certificate vault files, enter the following commands from the /usr/share/resilient-dr/ansible directory:
    ansible-vault decrypt ssl_certs_vault_machine_a.yml
ansible-vault decrypt ssl_certs_vault_machine_b.yml

What to do next

Proceed to Step 4: Creating Ansible inventory files.