Configuring SSL for a PostgreSQL instance

To secure the connection between the i2® Analyze application server and the database instance, you must enable SSL on the PostgreSQL database server, then configure and deploy the toolkit.

Enable support for remote connections

By default, PostgreSQL deployments support connections only from localhost. For use in a production environment, you should enable remote connections before you enable SSL.

You can find the files that you need to modify, pg_hba.conf and postgresql.conf, in the data folder on the PostgreSQL database server.

To allow connections from any host to all PostgreSQL databases, using any PostgreSQL user and password, add these lines to the end of the pg_hba.conf file:

host    all     all     0.0.0.0/0       scram-sha-256
host    all     all     ::/0            scram-sha-256

If you need to set restrictions, see the instructions at the top of the pg_hba.conf file and modify the file as required.
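The two lines above accept any source address and, because their type is host rather than hostssl, they also accept plaintext TCP connections once remote access is open. The following script is an added example, not part of the i2 Analyze documentation or toolkit: it parses pg_hba.conf rules, reports rules that permit non-TLS connections, match every source address, or use a weak authentication method, and shows the rewrite that requires TLS for remote rules. The sample file it reads is constructed for this example.

```python
"""Audit pg_hba.conf rules before exposing PostgreSQL to remote hosts.

Added example, not part of the i2 Analyze documentation or toolkit. Three
checks a defender cares about: rules that accept plaintext (non-TLS) TCP
connections, rules that match every source address, and weak methods.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two lines the page appends, plus weaker variants.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      scram-sha-256
host    all       all   ::/0           scram-sha-256
hostssl all       all   10.0.0.0/8     scram-sha-256
host    all       all   10.1.2.3/32    md5
host    all       all   0.0.0.0/0      trust
"""

WEAK_METHODS = {"trust", "password", "md5"}   # md5 is weaker than scram-sha-256
UNRESTRICTED = {"all", "0.0.0.0/0", "::/0"}


@dataclass
class Rule:
    lineno: int
    conn_type: str   # local, host, hostssl, hostnossl; other types are parsed but not flagged
    database: str
    user: str
    address: str     # CIDR text, keyword such as "all", or "" for local rules
    method: str


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse the rule lines; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(Rule(lineno, f[0], f[1], f[2], "", f[3]))
        elif len(f) >= 6 and _is_ip(f[4]):
            # "ADDRESS NETMASK METHOD" form: fold the netmask into CIDR notation
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules.append(Rule(lineno, f[0], f[1], f[2], str(net), f[5]))
        elif len(f) >= 5:
            rules.append(Rule(lineno, f[0], f[1], f[2], f[3], f[4]))
    return rules


def _is_loopback(address):
    if address == "samehost":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:          # keyword or host name: not loopback
        return False


def audit_pg_hba(text):
    """Return (line number, issue) pairs for every TCP rule that needs attention."""
    findings = []
    for r in parse_pg_hba(text):
        if r.conn_type == "local":
            continue    # Unix-socket rules are not reachable from remote hosts
        if r.method in WEAK_METHODS:
            findings.append((r.lineno, f"weak method '{r.method}'; use scram-sha-256"))
        if r.conn_type in ("host", "hostnossl") and not _is_loopback(r.address):
            findings.append((r.lineno, "non-TLS connections accepted; use hostssl"))
        if r.address in UNRESTRICTED:
            findings.append((r.lineno, "matches every source address; narrow the CIDR"))
    return findings


def harden_pg_hba(text):
    """Rewrite plain 'host' rules for non-loopback sources as 'hostssl'."""
    remote = {r.lineno for r in parse_pg_hba(text)
              if r.conn_type == "host" and not _is_loopback(r.address)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.append(re.sub(r"^host(\s)", r"hostssl\1", raw) if lineno in remote else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, issue in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {issue}")
    print(harden_pg_hba(SAMPLE_PG_HBA))
```

Run it against a real file with `audit_pg_hba(open("pg_hba.conf").read())`. Switching the remote rules to hostssl, as harden_pg_hba does, means the database server refuses plaintext connections from remote hosts once SSL is enabled in the next section; the loopback rule is left alone so local administration keeps working. The script does not replace the restrictions described in the pg_hba.conf comments, it only points out where they are missing.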

In the postgresql.conf file, set listen_addresses to '*' to allow connections from any host. If you need to set restrictions, see the comments for listen_addresses in the postgresql.conf file and modify the file as required.

Note: When you allow connections from any host, this includes connections from localhost.

Open the PostgreSQL port in the firewall. Before you enable SSL, check that the changes are working by redeploying i2 Analyze. For more information, see Redeploying Liberty.

Enable SSL on the PostgreSQL database server

Follow the steps in the PostgreSQL documentation to configure SSL for your PostgreSQL instance. For more information, see Secure TCP/IP Connections with SSL.

Configure the toolkit and deploy

After you enable PostgreSQL to use SSL, you can configure i2 Analyze to connect securely. You'll need the Certificate Authority (CA) certificate file that was used to sign the certificate with which you enabled SSL on the database server.

  1. Place the CA certificate file in a suitable folder on the Liberty server.

  2. Edit the topology.xml file and add the following settings to the Information Store-related database node, where <CA file-path> is the absolute file path of the CA certificate file:

    secure-connection="true" trust-store="<CA file-path>"

    For example:

    <databases>
      <database database-type="InfoStore" dialect="postgres"
                database-name="ISTORE" instance-name="" xa="false"
                id="infostore" host-name="hostname" port-number="5432"
                secure-connection="true" trust-store="C:/i2/server.crt"/>
    </databases>

    Note: For PostgreSQL, the trust-store value means the location of the CA certificate itself, not the location of a password-protected trust-store file that contains the CA certificate.

  3. To deploy the SSL configuration changes, run:

    setup -t stopLiberty
    setup -t deployLiberty
    setup -t startLiberty

When the Liberty server starts and connects to the Information Store database, it verifies the certificate that it obtains from the PostgreSQL database server against the local CA certificate file. If verification fails, Liberty does not connect to the database. For more information, see SSL Support.
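Because a failed verification means Liberty does not connect at all, it is worth checking the topology.xml entry from step 2 before running the deploy tasks. The following script is an added example, not part of the i2 Analyze toolkit: it reads the InfoStore database node, confirms that secure-connection is "true", and confirms that trust-store is an absolute path to a readable file that contains a PEM certificate, which for PostgreSQL is the CA certificate itself. The sample XML, the host name db.example.invalid, the path C:/i2/ca.crt and the file contents are all constructed placeholders.

```python
"""Pre-deployment check of the Information Store entry in topology.xml.

Added example, not part of the i2 Analyze toolkit. Assumes the <database>
element carries no XML namespace, as in the fragment shown on the page.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment; host name and path are placeholders.
SAMPLE_TOPOLOGY = """<topology>
  <databases>
    <database database-type="InfoStore" dialect="postgres"
              database-name="ISTORE" instance-name="" xa="false"
              id="infostore" host-name="db.example.invalid" port-number="5432"
              secure-connection="true" trust-store="C:/i2/ca.crt"/>
  </databases>
</topology>
"""

# Constructed stand-in for files on the Liberty server: path -> contents.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_FILES = {
    "C:/i2/ca.crt": (
        "-----BEGIN CERTIFICATE-----\n"
        "PLACEHOLDER-BASE64-CERTIFICATE-BODY\n"
        "-----END CERTIFICATE-----\n"
    ),
}

ABS_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


class DiskFiles:
    """File lookup against the real filesystem, same .get() interface as a dict."""

    def get(self, path):
        try:
            with open(path, "rb") as fh:
                # latin-1 never fails, so a binary keystore still reaches the PEM check
                return fh.read().decode("latin-1")
        except OSError:
            return None


def check_topology(xml_text, files):
    """Return a list of problems; an empty list means the entry is deployable."""
    problems = []
    root = ET.fromstring(xml_text)
    for db in root.iter("database"):
        if db.get("database-type") != "InfoStore":
            continue
        ident = db.get("id", "<no id>")
        if db.get("secure-connection") != "true":
            problems.append(f'{ident}: secure-connection is not "true"; JDBC traffic would be plaintext')
        path = db.get("trust-store", "")
        if not path:
            problems.append(f"{ident}: trust-store attribute is missing")
            continue
        if not ABS_PATH.match(path):
            problems.append(f"{ident}: trust-store '{path}' is not an absolute path")
        content = files.get(path)
        if content is None:
            problems.append(f"{ident}: trust-store file '{path}' is not readable")
        elif not PEM_CERT.search(content):
            problems.append(
                f"{ident}: '{path}' holds no PEM certificate; for PostgreSQL this must be "
                "the CA certificate file, not a password-protected trust store")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # usage: python check_topology.py /path/to/topology.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = check_topology(fh.read(), DiskFiles())
    else:
        result = check_topology(SAMPLE_TOPOLOGY, SAMPLE_FILES)
    print("\n".join(result) or "OK")
```

The script only checks that the file is a PEM certificate; it does not confirm that this certificate actually signed the one installed on the database server. For that, run `openssl verify -CAfile <CA file-path> <server certificate>` on a copy of the server certificate before you run the deploy tasks, which exercises the same trust relationship Liberty relies on at start-up.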

If you are planning to use the ETL toolkit, you must re-create the ETL toolkit after you configure SSL. For more information, see Deploying the ETL toolkit.