Configuring SSL for a PostgreSQL instance
To secure the connection between the i2® Analyze application server and the database instance, you must enable SSL on the PostgreSQL database server, then configure and deploy the toolkit.
Enable support for remote connections
By default, PostgreSQL deployments support connections only from localhost. For use in a production environment, you should enable remote connections before you enable SSL.
You can find the files that you need to modify, pg_hba.conf and postgresql.conf, in the data folder on the PostgreSQL database server.
To allow connections from any host to all PostgreSQL databases, using any PostgreSQL user and password, add these lines to the end of the pg_hba.conf file (0.0.0.0/0 matches every IPv4 client address and ::/0 every IPv6 client address):
host all all 0.0.0.0/0 scram-sha-256
host all all ::/0 scram-sha-256
If you need to restrict which hosts, databases, or users can connect, see the instructions at the top of the pg_hba.conf file and modify the file as required.
In the postgresql.conf file, set the listen_addresses to '*' to allow connection from any host. If you need to set restrictions, see the comments for listen_addresses in the postgresql.conf file and modify the file as required. After you modify this file, restart Postgres to apply the changes.
Note: When you allow connections from any host, this includes connections from localhost.
Open the PostgreSQL port in the firewall. Before you enable SSL, check that the changes are working by redeploying i2 Analyze. For more information, see Redeploying Liberty.
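The following script is an added example and is not part of the i2 Analyze toolkit or the PostgreSQL distribution. It reads a pg_hba.conf and a postgresql.conf (constructed sample contents are embedded inline) and reports the settings a reviewer would want to see before the instance is exposed beyond localhost: entries that admit every client address, entries of type "host" (which accept both SSL and plain connections, unlike "hostssl"), weak authentication methods, and whether ssl is actually switched on. The database name "istore", the role "i2analyze", and the address 10.0.5.20 in the sample are assumptions for illustration only.

```python
"""Audit pg_hba.conf and postgresql.conf for remote-connection and SSL settings.

Added example (not i2 Analyze or PostgreSQL project code). Sample file contents
below are constructed for illustration; the istore/i2analyze/10.0.5.20 values
are assumptions, not values taken from any real deployment.
"""
from ipaddress import ip_address, ip_network

SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             0.0.0.0/0               scram-sha-256
host    all             all             ::/0                    scram-sha-256
hostssl istore          i2analyze       10.0.5.20/32            scram-sha-256
"""

SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'          # what IP address(es) to listen on
port = 5432
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
WEAK_METHODS = {"trust", "password"}  # no authentication / cleartext password


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return the records of a pg_hba.conf as dicts; comments and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            records.append({"type": "local", "database": f[1], "user": f[2],
                            "address": None, "method": f[3]})
        elif f[0] in HOST_TYPES and len(f) >= 5:
            # ADDRESS is one field (CIDR, keyword or hostname) or two fields
            # ("ip netmask"); in the two-field form METHOD shifts one column right.
            if len(f) >= 6 and _is_ip(f[3]) and _is_ip(f[4]):
                address, method = f"{f[3]}/{f[4]}", f[5]
            else:
                address, method = f[3], f[4]
            records.append({"type": f[0], "database": f[1], "user": f[2],
                            "address": address, "method": method})
    return records


def _network_or_none(address):
    try:
        return ip_network(address, strict=False)
    except ValueError:
        return None  # hostname or samehost/samenet keyword


def audit_pg_hba(text):
    """Return one finding string per risky host-type record."""
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local":
            continue
        where = f"{r['type']} {r['database']} {r['user']} {r['address']} {r['method']}"
        net = _network_or_none(r["address"])
        if r["address"] == "all" or (net is not None and net.prefixlen == 0):
            findings.append(f"any host may connect: {where}")
        if r["type"] in ("host", "hostnossl") and not (net is not None and net.is_loopback):
            findings.append(f"plain (non-SSL) connections accepted; consider hostssl: {where}")
        if r["method"] in WEAK_METHODS:
            findings.append(f"weak authentication method {r['method']}: {where}")
    return findings


def parse_postgresql_conf(text):
    """Return postgresql.conf 'key = value' settings as a dict, quotes and comments stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip("'\"")
    return settings


def audit_postgresql_conf(text):
    """Return findings about ssl and listen_addresses."""
    findings = []
    s = parse_postgresql_conf(text)
    if s.get("ssl", "off").lower() not in ("on", "true", "yes", "1"):
        findings.append("ssl is not enabled; set ssl = on before SSL connections can work")
    if s.get("listen_addresses", "localhost") == "*":
        findings.append("listen_addresses = '*' listens on every interface; "
                        "restricting it to the address the application server reaches is tighter")
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA) + audit_postgresql_conf(SAMPLE_POSTGRESQL_CONF):
        print(finding)
```

Run against the real files from the data folder to get the same report; the sample output flags the two catch-all "host" lines twice each (any host, and non-SSL accepted) and the wildcard listen_addresses, while the loopback line and the hostssl line produce nothing.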
Enable SSL on the PostgreSQL database server
Follow the steps in the PostgreSQL documentation to configure SSL for your PostgreSQL instance. For more information, see Secure TCP/IP Connections with SSL.
Configure the toolkit and deploy
After you enable PostgreSQL to use SSL, you can configure i2 Analyze to connect securely. You'll need the Postgres server's public certificate file that was used when you enabled SSL on the database server.
Place the certificate file in a suitable folder on the Liberty server.
Edit the topology.xml file and add the following settings to the Information Store-related database node, where <public certificate file-path> is the absolute file path of the Postgres server's public certificate file:
secure-connection="true" trust-store="<public certificate file-path>"
For example:
<databases>
    <database database-type="InfoStore"
              dialect="postgres"
              database-name="ISTORE"
              instance-name=""
              xa="false"
              id="infostore"
              host-name="hostname"
              port-number="5432"
              secure-connection="true"
              trust-store="C:/i2/server.crt"/>
</databases>
Note: For PostgreSQL, the trust-store value means the location of the server's public certificate itself, not the location of a password-protected trust-store file that contains the certificate.
To deploy the SSL configuration changes, run:
setup -t stopLiberty
setup -t deployLiberty
setup -t startLiberty
When the Liberty server starts and connects to the Information Store database, it verifies the certificate presented by the PostgreSQL database server against the local certificate file that trust-store points to. If verification fails, the connection to the database fails. For more information, see SSL Support.
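The following pre-deployment check is an added example, not part of the i2 Analyze toolkit. It parses a topology.xml, finds the InfoStore database node with the postgres dialect, and verifies what the preceding steps require: secure-connection is "true", trust-store is set to an absolute path, the file exists, and it is a PEM certificate rather than a password-protected keystore (the mistake the note above warns about). The sample topology and the placeholder certificate body it writes to a temporary directory are constructed for the example; the host name db.example.test is an assumption.

```python
"""Check the Information Store database node of topology.xml before deploying.

Added example (not i2 Analyze toolkit code). The sample topology below is
constructed; db.example.test is an assumed host name, and the demo writes a
placeholder PEM file (valid base64, not a real certificate) to a temp dir.
"""
import os
import ssl
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_TOPOLOGY = """\
<topology>
  <databases>
    <database database-type="InfoStore" dialect="postgres" database-name="ISTORE"
              instance-name="" xa="false" id="infostore" host-name="db.example.test"
              port-number="5432" secure-connection="{secure}" trust-store="{trust_store}"/>
  </databases>
</topology>
"""

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def check_database_node(node):
    """Return a list of problems with one <database> element (empty list = OK)."""
    problems = []
    if node.get("secure-connection", "false").lower() != "true":
        problems.append('secure-connection is not "true"; the connection will not use SSL')
    trust_store = node.get("trust-store")
    if not trust_store:
        problems.append("trust-store is not set")
        return problems
    if not os.path.isabs(trust_store):
        problems.append(f"trust-store should be an absolute path: {trust_store}")
    if not os.path.isfile(trust_store):
        problems.append(f"trust-store file not found: {trust_store}")
        return problems
    with open(trust_store, "rb") as fh:
        data = fh.read()
    if not data.lstrip().startswith(PEM_HEADER):
        # For PostgreSQL the value must be the server's PEM certificate itself,
        # not a JKS/PKCS12 keystore that merely contains it.
        problems.append("trust-store is not a PEM certificate file")
        return problems
    try:
        ssl.PEM_cert_to_DER_cert(data.decode("ascii"))  # checks header, footer and base64 body
    except (ValueError, UnicodeDecodeError):
        problems.append("PEM certificate in trust-store is malformed")
    return problems


def check_topology(xml_text):
    """Map each postgres InfoStore database id to its list of problems."""
    root = ET.fromstring(xml_text)
    results = {}
    for db in root.iter("database"):
        if db.get("database-type") == "InfoStore" and db.get("dialect") == "postgres":
            results[db.get("id")] = check_database_node(db)
    return results


def demo(secure="true", pem_body="MAA=\n"):
    """Write a placeholder certificate file and check a topology that points at it."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_path = os.path.join(tmp, "server.crt")
        with open(cert_path, "wb") as fh:
            fh.write(PEM_HEADER + b"\n" + pem_body.encode("ascii") + b"-----END CERTIFICATE-----\n")
        return check_topology(SAMPLE_TOPOLOGY.format(secure=secure, trust_store=cert_path))


if __name__ == "__main__":
    print(demo())
```

Run check_topology on the real topology.xml from the toolkit before running the setup tasks; an empty list for the infostore id means the node is consistent with the steps above, and each string otherwise names the attribute to fix.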
If you are planning to use the ETL toolkit, you must re-create the ETL toolkit after you configure SSL. For more information, see Deploying the ETL toolkit.