Jump to: navigation, search

Advance Secure Connection Configuration for PostGreSQL

Starting with release 8.5.300.32, UCS supports advanced secure configuration connection for PostGreSQL, including FIPS. This configuration can be achieved in any of three ways:

  • Within the DAP application itself (two methods are available)
  • On the connection link between the UCS application in Configuration Server and the Postgres DAP application
  • On the host object where the Postgres database resides

Configuration approaches are described below.

Configuration within the DAP Application

Method 1

  1. Enable the secure port option:

  2. FIPS2.png

  3. On the Options tab, create a section called [security]. This is because the connection is client only.
  4. In the new [security] section:
    1. Add all TLS-related information, such as certificates information.
    2. Manually add the option fips140-enabled and set its value to true to enable FIPS mode on the database connection. Note: FIPS mode is never enabled by default and must be explicitly (manually) set.
    3. For Postgres, if the Postgres sslmode is set to verify-ca or verify-full, create a CA root certificate.
    4. Example 1:
      [security]
      tls=1
      fips140-enabled=true
      trusted-ca=<certificate path>
      
      Example 2:

      FIPS3.png

      All parameters from Genesys TLS configuration are available but do not necessarily apply to the Postgres TLS connection. Specifically, the following options are not applicable to the Postgres database connection:
      • provider (hard-coded to Bouncy Castle)
      • tls-mutual (Postgres server-side configuration)
      • tls-crl (Postgres server-side configuration)
      • cipher-list (Postgres server-side configuration)
      • sec-protocol (Postgres server-side configuration)
      • tls-version (Postgres server-side configuration)
      • protocol-list (Postgres server-side configuration)
      All Postgres-specific options go in the [settings] section:
      [settings]
      sslmode=require
      

    Method 2

    Alternatively, you can configure the application through the Certificate View, which synchronizes the trusted-ca option in the [security] section previously described. Note that other options still need to be manually added in the [security] section.

    FIPSCertFinal.png

    Configuration on the connection link

    You can configure the connection between the UCS application and the Postgres DAP application to inject TLS configuration and its FIPS mode.


    FIPS7.png


    On the Advanced tab:

    1. Set the fips140-enabled option to true to enable FIPS mode, which must be specified manually.
    2. Specify any other other required parameters.

    Configuration on the Postgres host

    The connection between the UCS application and the Postgres DAP application can be configured to inject TLS configuration and its FIPS mode.

    FIPS5.png

    The host information on the Server Info tab should look like this:

    FIPS6.png

    Configuration hierarchy

    UCS first looks in the UCS DAP application for TLS/FIPS configuration. If it is not found there, the connection between UCS and UCS DAP is scanned for TLS/FIPS information.

    Logs

    Logs contain the TLS configuration retrieved (from which object) as well as the FIPS mode set:

    16:54:59.894 Dbg 09900 [Ucs-Main ] <[]> Registering DataAccessPoint 'UcsDap853' with role 'Main'
    16:54:59.900 Trc 09900 [Ucs-Main ] <[]> TLS flag enabled on application UcsDap853 (155)
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Expected Hostname : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Certificate : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Certificate Key : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Cipher List : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Certificate Revocation List : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Provider : null
    16:54:59.900 Dbg 09900 [Ucs-Main ] <[]> TLS Trusted CA Certificate : /tmp/postgres-ca/root.crt
    16:54:59.900 Std 21111 [Ucs-Main ] <[]> The Database Access Point 'UcsDap853' has been configured with an infinite timeout, default 60 s will be used.
    16:54:59.905 Int 09900 [Ucs-Main ] <[]> Ignoring invalid value 'null' for max-connections
    

    Further reading

    Please consult the following sources:

This page was last edited on July 1, 2019, at 18:27.
Comments or questions about this documentation? Contact us for support!