Connection DSNs and SSL (TLS) v5.6
Because nodes connect
using libpq
, the DSN of a node is a libpq
connection string. As such, the connection string can contain any permitted libpq
connection
parameter, including those for SSL. The DSN must work as the
connection string from the client connecting to the node in which it's
specified. An example of such a set of parameters using a client certificate is:
With this setup, the files bdr_client.crt
, bdr_client.key
, and
root.crt
must be present in the data directory on each node, with the
appropriate permissions.
For verify-full
mode, the server's SSL certificate is checked to
ensure that it's directly or indirectly signed with the root.crt
certificate
authority and that the host name or address used in the connection matches the
contents of the certificate. In the case of a name, this can match a subject's
alternative name or, if there are no such names in the certificate, the
subject's common name (CN) field.
Postgres doesn't currently support subject alternative names for IP
addresses, so if the connection is made by address rather than name, it must
match the CN field.
The CN of the client certificate must be the name of the user making the
PGD connection,
which is usually the user postgres. Each node requires matching
lines permitting the connection in the pg_hba.conf
file. For example:
Another setup might be to use SCRAM-SHA-256
passwords instead of client
certificates and not verify the server identity as long as
the certificate is properly signed. Here the DSN parameters might be:
The corresponding pg_hba.conf
lines are:
In such a scenario, the postgres user needs a .pgpass
file
containing the correct password.