Enabling SSL Connections for Bundled PostgreSQL

Overview

Starting with MetaDefender Core version 5.16.0, users can optionally enable SSL connections for the bundled PostgreSQL database during installation using the ignition file. This feature enhances security by encrypting data transmissions between the application and the database.

This feature applies exclusively to the bundled PostgreSQL database.
It is available only for automated deployments via the ignition file.
Enabling the SSL connection has overhead and might impact the performance in general.
It does not apply during upgrades of MetaDefender Core.
SSL connections can be disabled by customers at any time post-installation.
This configuration is not supported in Docker environments.

Setting Up SSL Connections

Enabling SSL is an optional step performed during the installation of MetaDefender Core using the ignition file. In addition to preparing the ignition file, you must create a configuration file named postgres_ssl.conf in the following fixed location:

Windows: C:\opswat\postgres_ssl.conf
Linux: /etc/opswat/postgres_ssl.conf

The file must be placed exactly in this path for the installation process to detect and apply the settings.

Contents of the Configuration File

The postgres_ssl.conf file should contain the following PostgreSQL SSL parameters. Replace the placeholders with the absolute paths to your certificate, key, and CA files:

Bash
    
 
ssl = onssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'ssl_prefer_server_ciphers = onssl_cert_file = '<absolute_path_to_cert_file>'ssl_key_file = '<absolute_path_to_key_file>'ssl_ca_file = '<absolute_path_to_root_ca_cert_file>'
Copy

For example, in Linux

Bash
    
 
ssl = onssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'ssl_prefer_server_ciphers = onssl_cert_file = '/etc/tmp_cert/server.crt'ssl_key_file = '/etc/tmp_cert/server.key'ssl_ca_file = '/etc/tmp_cert/root.crt'
Copy

Users can store the cert/key files in any place, but please make sure that the cert/key files have the right permissions, so MetaDefender Core can copy them to the right location. For example, in Linux, the files need to have read permission for other users. Users can use this command in Linux to set the permissions

Bash
    
 
chmod 555 -R /path/to/store/cert_files/# For examplechmod 555 -R /etc/tmp_cert/
Copy

During installation, the specified certificate file (server.crt), key file (server.key), and root CA file (root.crt) will be automatically copied to the PostgreSQL data directory:

Windows: <installation folder>/data/pg_data
Linux: /var/lib/ometascan/pg_data

Once the installation is complete and verified, you may safely delete the original files from their source locations if they are no longer needed.

How to disable bundled PostgreSQL SSL connection

Go to postgres folder and remove the file postgres_ssl.conf
1. Windows: <installation folder>/postgres/postgres_ssl.conf
2. Linux: /usr/lib/ometascan/postgres/postgres_ssl.conf
Go to pg_data folder, remove the file pg_hba.conf then rename pg_hba_bk.conf to pg_hba.conf
Restart the MetaDefender Core service.

Last updated on

Was this page helpful?