Step 3: Configuring Postgres for SSL
You must configure SSL certificates for Postgres to prevent the possibility of a Man-in-the-Middle (MITM) attack between the master and receiver appliance.
For the verify-full security option, a server.crt, server.key, and root.crt are required for each of the appliances. For the verify-ca security option, you also require the server.crt, server.key, and root.crt, but it is a lower security option that might not verify the server against the common name, depending on the certificate authority. The require option does not provide server identity verification and does not require the server to be trusted by the Certificate Authority. However, it does provide data encryption between the master and receiver appliances.
Configure Postgres for SSL by either manually installing the Postgres SSL certificates or by supplying the certificates to be installed by Ansible®, both of which are described below.
If there is an intermediate.crt, or multiple intermediate.crt files in a chain, each intermediate.crt file must be concatenated to the server.crt file, in the correct order (leaf certificate first, followed by the intermediates). For example:
bash$ cat leaf.crt intermediate1.crt intermediate2.crt intermediate3.crt > server.crt
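As an added example (not code from the IBM documentation or the SOAR product), the following POSIX shell helpers perform the concatenation above leaf-first, refuse any input that is not a PEM certificate block, and optionally verify the assembled chain against root.crt with openssl; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's code: assemble server.crt from a leaf certificate and its
# intermediates in the order given, leaf first, as the concatenation step requires.
# Function names below are assumptions of this example.

# build_server_chain OUT leaf.crt [intermediate1.crt ...]
# Writes OUT and prints the number of certificate blocks written. Fails (and removes OUT)
# if any input has no PEM certificate block, so a stray key or empty file cannot end up
# in the chain that Postgres will present to the other appliance.
build_server_chain() {
  out="$1"; shift
  [ "$#" -ge 1 ] || { echo "usage: build_server_chain OUT leaf.crt [intermediate.crt ...]" >&2; return 2; }
  : > "$out"
  for f in "$@"; do
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
      echo "error: $f contains no PEM certificate block" >&2
      rm -f "$out"
      return 1
    fi
    cat "$f" >> "$out"
    # a file without a trailing newline would glue its END line to the next BEGIN line
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
  done
  count_pem_certs "$out"
}

# count_pem_certs FILE -> number of certificate blocks in FILE
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_server_chain root.crt server.crt -> checks that the leaf (first block of server.crt)
# chains up to root.crt through the intermediates appended after it. Needs openssl on the host.
verify_server_chain() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; chain not checked" >&2; return 2; }
  openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# Usage on an appliance, after copying the certificates into the working directory:
#   build_server_chain server.crt leaf.crt intermediate1.crt intermediate2.crt intermediate3.crt
#   verify_server_chain root.crt server.crt
```

Run verify_server_chain on each appliance before restarting Postgres; a wrongly ordered chain passes the concatenation step but fails this check.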
The server.crt can also be called a leaf.crt, but the final certificate must be called server.crt for DR.

Manually installing postgres SSL certificates
About this task
This method uses the manual option in the vault file, as described in Step 5: Creating Ansible vault files.
Complete these configuration steps on each of the appliances.

Procedure
What to do next
Ensure that you complete these configuration steps on both of the SOAR Platform systems.
After the appliances are configured, proceed to Step 4: Creating Ansible inventory files.

Supplying postgres SSL certificates
About this task
This method uses the supply option in the vault file, as described in Step 5: Creating Ansible vault files. It is important to supply the correct certificates in the correct SSL certificates vault file, especially if you are using the verify-full security setting. The certificates and the certificate vault file must relate to the master host specified in the same inventory file.