Configuring MMDB Connection over SSL
It is recommended to implement SSL encryption for communication between MMTE Server and PostgreSQL RDBMS for improved security.
SSL encryption is performed using the standard OpenSSL library.
Certificate Requirements
An SSL certificate is required for establishing an encrypted connection, so you need to issue a certificate and private key.
You can employ any valid SSL certificate.
PostgreSQL establishes the following technical requirements:
- both self-signed certs and certs from an official trusted CA are supported.
- syntax standard: Public-Key Cryptography Standards #8 (PKCS#8)
- certificate file format: text (PEM / CRT)
Important
For enterprise users, it is recommended to get these certs from your corporate network/security team by providing the required server information.
Enabling SSL at PostgreSQL Side
If your MMTE Server is connected to multiple PostgreSQL servers, perform this operation on each of them.
To enable SSL encryption:
- Log in to the computer where PostgreSQL is installed. For embedded PostgreSQL, log in to the MMTE Server computer.
- Place the certificate and private key created in the previous section in the data directory of PostgreSQL. For embedded PostgreSQL, place the generated certificate and key in <METAMINER INSTALLATION DIRECTORY>\server\data\mmdb
- Navigate to the directory where the main PostgreSQL config file postgresql.conf is located. For embedded PostgreSQL, it is <METAMINER INSTALLATION DIRECTORY>\server\data\mmdb
  Read here for more information about setting PostgreSQL system parameters.
- Edit the file postgresql.conf. You may need sudo elevated privileges for doing this.
- Find the line
    ssl = off
  and change it to
    ssl = on
- Add and configure encryption parameters:
    # - Security and Authentication
    authentication_timeout = 1min            # 1s-600s
    ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
    ssl_prefer_server_ciphers = on
    ssl_ecdh_curve = 'prime256v1'
    ssl_dh_params_file = ''
    ssl_cert_file = 'server.crt'
    ssl_key_file = 'server.key'
    ssl_ca_file = ''
    ssl_crl_file = ''
  Specify the filename of your certificate, choose ciphers, and configure other settings. Read here for further details.
- Save the config file.
Now PostgreSQL is ready to accept SSL-encrypted connections.
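A check to run on the edited postgresql.conf before restarting, given here as an added example that is not part of the original documentation: it resolves duplicate parameters the way PostgreSQL does (the last occurrence wins) and reports SSL settings that would leave connections unencrypted. The sample text and the names parse_conf and audit_ssl are constructed for illustration.

```python
import re

# Constructed sample: parameters from the steps above, plus a stray
# "ssl = off" left further down the file and an emptied key path.
SAMPLE_CONF = """\
ssl = on
# - Security and Authentication
authentication_timeout = 1min            # 1s-600s
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
ssl_cert_file = 'server.crt'
ssl_key_file = ''
ssl = off
"""

# name, optional "=", then a single-quoted value ('' escapes a quote) or a bare token
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=?\s*('(?:[^']|'')*'|[^#\s]*)")
TRUE_WORDS = {"on", "true", "yes", "1"}  # common boolean spellings

def parse_conf(text):
    """Return {name: value}; names are lowercased, later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue  # blank line or comment
        name, value = match.group(1).lower(), match.group(2)
        if value.startswith("'"):
            value = value[1:-1].replace("''", "'")
        settings[name] = value
    return settings

def audit_ssl(settings):
    """List SSL problems in parsed settings (hypothetical helper)."""
    findings = []
    if settings.get("ssl", "off").lower() not in TRUE_WORDS:
        findings.append("ssl is not on")
    # An absent parameter uses PostgreSQL's default (server.crt / server.key);
    # an explicitly empty one names no file.
    for key in ("ssl_cert_file", "ssl_key_file"):
        if settings.get(key) == "":
            findings.append(f"{key} is empty")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl(parse_conf(SAMPLE_CONF)):
        print("FAIL:", finding)
```

To check a real installation, pass the contents of its postgresql.conf to parse_conf instead of the sample.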
Enabling SSL at MMTE Side
Configure MMTE Server for establishing SSL-encrypted connections to PostgreSQL.
- Open MMTE Administrator.
- Choose Configure MMDB in the main window. The Configure MMDB dialog window opens.
- Click the SSL checkbox.
- Click the Validate and Close button.
  MMTE Administrator tries the SSL connection and closes the Configure MMDB dialog box upon successful validation.
  Note
  If you have a certificate but it is not valid (e.g., expired), it is highly recommended to obtain and install a new one as soon as possible. Meanwhile, you can temporarily disable validation of the cert by using the Use PG Non-validating SSL Factory setting.
- Restart MMTE Server.