PostgreSQL  OpenSSL ȤˡǤ
								2001-05-10
								¼ 

  Ƥϥޥ˥奢˽񤤤Ƥޤssl-tcp.html


  ޤOpenSSL-9.9.6a 򥤥󥹥ȡ뤷ƤĶǡPostgreSQL
 --with-openssl ǹƥ󥹥ȡ뤷ƤȤ˺ʤ



1. ʽ̾ξĤޤ
# 1. Create a quick self-signed certificate
#     the local host name as Common Name;
#     the challenge password can be left blank

  ʲΤ褦˼ޤ"Common Name" ˥ޥΥۥ̾
"challenge password" ˤϲʤǥ꥿󤷤ޤ

> /usr/local/ssl/bin/openssl req -new -text -out cert.req	<=
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
..++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: XXXXXXXXXXXXXXXXXXX			<=
Verifying password - Enter PEM pass phrase: XXXXXXXXXXXXXXXXXXX	<=
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP				<=
State or Province Name (full name) [Some-State]:Yokohama	<=
Locality Name (eg, city) []:Aoba				<=
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JPUG	<=
Organizational Unit Name (eg, section) []:Plamo			<=
Common Name (eg, YOUR name) []:penpen				<= ۥ̾
Email Address []:juk@yokohama.email.ne.jp			<=

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:					<= ʤ
An optional company name []:					<=


2. ѥե졼ޤ
# 2. Remove the passphrase
#  (as you must if you want automatic start-up of the postmaster)
#     enter the old passphrase

> /usr/local/ssl/bin/openssl rsa -in privkey.pem -out cert.pem
read RSA key
Enter PEM pass phrase:			<= 1.ǻȤäѥե졼
writing RSA key


3. 򼫸ʽ̾ξѴޤ
# 3. Turn the certificate into a self-signed certificate

> /usr/local/ssl/bin/openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
Using configuration from /usr/local/ssl/openssl.cnf

  ޤǤǤĤ줿եϡ
> ls -lt
total 56
-rw-r--r--   1 postgres pgsql        3447  4 21  22:33 cert.cert
-rw-r--r--   1 postgres pgsql         887  4 21  22:32 cert.pem
-rw-r--r--   1 postgres pgsql         963  4 21  22:32 privkey.pem
-rw-r--r--   1 postgres pgsql        2167  4 21  22:32 cert.req
	.....


4. Ⱦ postmaster ˤ椯˥ԡޤ
# 4. copy the key and certificate to where the postmaster will look for

> cp cert.pem $PGDATA/server.key
> cp cert.cert $PGDATA/server.crt

  ǥեȤ $PGDATA ǻȤꡧ
> ls -lt $PGDATA/
total 48
-rw-r--r--   1 postgres pgsql        3447  4 21  22:34 server.crt
-rw-r--r--   1 postgres pgsql         887  4 21  22:34 server.key
	.....

5. postgresql.conf  SSL Ѥ뤿ѹäޤ
# 5. change postgresql.conf for using ssl

  Υե̾ $PGDATA/postgresql.conf ¸ߤޤ
ʲ postgresql.conf ѹκʬ:

> diff -u $PGDATA/postgresql.conf.bak $PGDATA/postgresql.conf
--- /usr/local/pgsql/data/postgresql.conf.bak   Sat Apr 21 22:35:21 2001
+++ /usr/local/pgsql/data/postgresql.conf       Sat Apr 21 22:35:21 2001
@@ -28,6 +28,8 @@
 #
 #tcpip_socket = false
 #ssl = false
+tcpip_socket = true
+ssl = true
 
 #max_connections = 32 # 1-1024
 


6. pg_hba.conf  hostssl פ³򵭽Ҥޤ
# 6. add entry for hostssl type connection

  Υե̾ $PGDATA/pg_hba.conf ¸ߤޤ
ʲ pg_hba.conf ѹκʬ:

> diff -u  $PGDATA/pg_hba.conf.bak $PGDATA/pg_hba.conf
--- /usr/local/pgsql/data/pg_hba.conf.bak       Sat Apr 21 22:37:15 2001
+++ /usr/local/pgsql/data/pg_hba.conf   Sat Apr 21 22:37:15 2001
@@ -186,3 +186,5 @@
 # CAUTION: if you are on a multiple-user machine, the above default
 # configuration is probably too liberal for you --- change it to use
 # something other than "trust" authentication.
+
+hostssl      all         192.168.2.0   255.255.255.0           trust


