Configuring SSL for a PostgreSQL instance
To secure the connection between the i2® Analyze application server and the database instance, you must enable SSL on the PostgreSQL database server, then configure and deploy the toolkit.
Enable support for remote connections
By default, PostgreSQL deployments support connections only from localhost. For use in a production environment, you should enable remote connections before you enable SSL.
You can find the files that you need to modify, pg_hba.conf and postgresql.conf, in the data folder on the PostgreSQL database server.
To allow connection from any host to all PostgreSQL databases, using any PostgreSQL user and password, add these lines to the end of the pg_hba.conf file:
host all all 0.0.0.0/0 scram-sha-256
host all all ::/0 scram-sha-256
If you need to set restrictions, see the instructions at the top of the pg_hba.conf file and modify the file as required.
In the postgresql.conf file, set listen_addresses to '*' to allow connection from any host. If you need to set restrictions, see the comments for listen_addresses in the postgresql.conf file and modify the file as required.
Note: When you allow connections from any host, this includes connections from localhost.
Open the PostgreSQL port in the firewall. Before you enable SSL, check that the changes are working by redeploying i2 Analyze. For more information, see Redeploying Liberty.
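The pg_hba.conf rules above use the host record type, which matches both TLS and non-TLS sessions; only hostssl restricts a rule to TLS. The following added example (not code from the i2 Analyze or PostgreSQL documentation) parses a pg_hba.conf file in the standard TYPE DATABASE USER [ADDRESS] METHOD format and reports records that use a weak authentication method or that admit non-TLS remote connections. The sample file embedded in it is constructed for the demonstration.

```python
"""Audit pg_hba.conf records for weak authentication methods and for rules
that admit non-TLS remote connections.

Added example; it is not part of the i2 Analyze or PostgreSQL documentation.
It assumes the standard pg_hba.conf record format:
    TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]
"""
import ipaddress
import shlex
from typing import Dict, List

# Methods that transmit or store credentials weakly; scram-sha-256 (used on
# this page) or cert are the preferred choices.
WEAK_METHODS = {"trust", "password", "md5"}

# Constructed sample file for the demo (not a real deployment's configuration).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       scram-sha-256
host    all       all   ::/0            scram-sha-256
hostssl all       all   10.0.0.0/8      scram-sha-256
host    all       all   192.168.1.0  255.255.255.0  md5
host    all       all   0.0.0.0/0       trust
"""


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_loopback(address: str) -> bool:
    """True only for CIDR or netmask addresses that lie entirely on loopback."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostnames, "all", "samehost", "samenet"
        return False


def parse_pg_hba(text: str) -> List[Dict[str, object]]:
    """Parse records into dicts; comment, blank and malformed lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                continue
            address, method = "", fields[3]
        else:
            if len(fields) < 5:
                continue
            address, rest = fields[3], fields[4:]
            # "IP NETMASK" form: a bare netmask follows the address, then the method.
            if "/" not in address and len(rest) >= 2 and _is_ip(rest[0]):
                address, rest = f"{address}/{rest[0]}", rest[1:]
            method = rest[0]
        records.append({"line": lineno, "type": conn_type, "database": fields[1],
                        "user": fields[2], "address": address, "method": method})
    return records


def audit_pg_hba(text: str) -> List[Dict[str, object]]:
    """Return one finding per problem: 'weak-auth' or 'plaintext-remote'."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec["method"] in WEAK_METHODS:
            findings.append({"line": rec["line"], "issue": "weak-auth",
                             "detail": f"method '{rec['method']}' should be "
                                       "scram-sha-256 or cert"})
        # 'host' matches both TLS and non-TLS sessions; only 'hostssl' requires TLS.
        if rec["type"] in ("host", "hostnossl") and not _is_loopback(rec["address"]):
            findings.append({"line": rec["line"], "issue": "plaintext-remote",
                             "detail": f"'{rec['type']}' rule for {rec['address']} "
                                       "admits non-TLS connections; use 'hostssl' "
                                       "to require TLS"})
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {finding['line']}: {finding['issue']}: {finding['detail']}")
```

Run against a real pg_hba.conf by passing the file contents to audit_pg_hba; the loopback rule on line 3 and the hostssl rule on line 6 of the sample produce no findings, while the two any-host rules from this page are reported as admitting non-TLS sessions.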
Enable SSL on the PostgreSQL database server
Follow the steps in the PostgreSQL documentation to configure SSL for your PostgreSQL instance. For more information, see Secure TCP/IP Connections with SSL.
Configure the toolkit and deploy
After you enable PostgreSQL to use SSL, you can configure i2 Analyze to connect securely. You'll need the Certificate Authority (CA) certificate file that was used to sign the certificate with which you enabled SSL on the database server.
Place the CA certificate file in a suitable folder on the i2 Analyze server.
Edit the topology.xml file and add the following settings to the Information Store-related database node, where <CA file-path> is the absolute file path of the CA certificate file:
secure-connection="true" trust-store="<CA file-path>"
For example:
<databases>
  <database database-type="InfoStore" dialect="postgres" database-name="ISTORE" instance-name="" xa="false" id="infostore" host-name="hostname" port-number="5432" secure-connection="true" trust-store="C:/i2/server.crt"/>
</databases>
Note: For PostgreSQL, the trust-store value means the location of the CA certificate itself, not the location of a password-protected trust-store file that contains the CA certificate.
To deploy the SSL configuration changes, run:
setup -t deploy
When the Liberty server is started and it connects to the Information Store database, it verifies the certificate obtained from the PostgreSQL database server against the local CA certificate file. If verification fails, Liberty does not connect to the database. For more information, see SSL Support.
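Because the trust-store attribute must name the CA certificate file itself rather than a keystore, a pre-deployment check on topology.xml can catch the two mistakes this section warns about: a PostgreSQL database node without secure-connection="true", and a trust-store that points at a Java keystore instead of a certificate. The following added example (not part of the i2 Analyze toolkit) does that check with the standard library; it assumes the element and attribute names shown on this page (database, dialect, secure-connection, trust-store) and a PEM-encoded CA certificate file, and the topology fragment and trust-store files it uses are constructed for the demonstration.

```python
"""Check the PostgreSQL <database> entries of an i2 Analyze topology.xml for the
SSL settings described on this page, and verify that each trust-store points at
a CA certificate file rather than a Java keystore.

Added example; not part of the i2 Analyze toolkit. It assumes the element and
attribute names shown on the page (database, dialect, secure-connection,
trust-store) and a PEM-encoded CA certificate file.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # signature at the start of a Java (JKS) keystore

# Constructed topology fragment; {pem} and {jks} are filled in by run_demo().
SAMPLE_TOPOLOGY = """\
<topology>
  <databases>
    <database database-type="InfoStore" dialect="postgres" database-name="ISTORE"
              id="infostore" host-name="db.example.test" port-number="5432"
              secure-connection="true" trust-store="{pem}"/>
    <database database-type="InfoStore" dialect="postgres" database-name="ISTORE"
              id="infostore-jks" host-name="db.example.test" port-number="5432"
              secure-connection="true" trust-store="{jks}"/>
    <database database-type="InfoStore" dialect="postgres" database-name="ISTORE"
              id="infostore-plain" host-name="db.example.test" port-number="5432"/>
  </databases>
</topology>
"""


def classify_trust_store(path: str) -> str:
    """Identify what kind of file the trust-store attribute points at."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(JKS_MAGIC):
        return "jks-keystore"
    if PEM_MARKER in head:
        return "pem-certificate"
    if head.startswith(b"\x30\x82"):  # DER SEQUENCE: a DER certificate or PKCS#12 bundle
        return "der-or-pkcs12"
    return "unknown"


def check_topology(xml_text: str) -> List[Tuple[str, str]]:
    """Return (database id, problem) pairs for PostgreSQL database nodes that
    are not configured for verified TLS as this page describes."""
    findings = []
    for db in ET.fromstring(xml_text).iter("database"):
        if db.get("dialect") != "postgres":
            continue
        ident = db.get("id", "?")
        if db.get("secure-connection", "false").lower() != "true":
            findings.append((ident, 'secure-connection is not "true": the connection '
                                    "to PostgreSQL is not TLS-protected"))
            continue
        trust_store = db.get("trust-store")
        if not trust_store:
            findings.append((ident, "secure-connection is true but trust-store is not set"))
            continue
        kind = classify_trust_store(trust_store)
        if kind != "pem-certificate":
            findings.append((ident, f"trust-store {trust_store} is {kind}; for PostgreSQL "
                                    "it must be the CA certificate file itself"))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Write constructed trust-store files and check the sample topology."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "ca.crt")
        jks = os.path.join(tmp, "truststore.jks")
        with open(pem, "wb") as fh:  # placeholder body, not a real certificate
            fh.write(PEM_MARKER + b"\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        with open(jks, "wb") as fh:  # only the JKS signature, enough to be recognised
            fh.write(JKS_MAGIC + b"\x00\x00\x00\x02")
        return check_topology(SAMPLE_TOPOLOGY.format(pem=pem, jks=jks))


if __name__ == "__main__":
    for ident, problem in run_demo():
        print(f"{ident}: {problem}")
```

To check a real deployment, pass the contents of topology.xml to check_topology before running setup -t deploy; an empty result means every PostgreSQL node has secure-connection="true" and a trust-store that resolves to a PEM certificate file on the i2 Analyze server.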
If you are planning to use the ETL toolkit, you must re-create the ETL toolkit after you configure SSL. For more information, see Deploying the ETL toolkit.