Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Kenneth Barber commented on an issue
Re: Puppetdb connexion to postgresql using client certificate

Justin Holguin I can release the module whenever we need to I guess. What particular reason do you have for having to turn off the db management in the PDB module? I'm just curious because it looked like all the settings you have in that GIST are correct.

Oh and BTW, you're not quite following the route Brian Cain had laid out, in particular his instructions did not require modifying the global JKS, which is actually a bit of a bad thing. Instead it uses the libpqfactory method, you can see this outlined here: http://docs.puppetlabs.com/puppetdb/master/postgres_ssl.html#using-your-own-self-signed-ca. Having another look at that documentation, ideally even the Puppet cert instructions need to be modified to use this really instead of JKS. I think I made a mess of the documentation review, I guess I wasn't paying enough attention at the time.

If you want a better explanation ping me on hipchat or something.
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Justin Holguin commented on an issue
Re: Puppetdb connexion to postgresql using client certificate

Kenneth Barber I managed to replicate Brian Cain's results with PuppetDB 2.1.0 and Puppet 3.6.2 (open source), but there were many more steps involved. If you like, you can check out my notes/pre-docs from the process in this gist. Bottom line, I found two major issues:

1. I had to check out puppetlabs-puppetdb from GitHub because I needed to be able to set the manage_dbserver parameter to false, and the latest version on the Forge doesn't have that parameter. Without it, the module will install PostgreSQL 8.4 on RHEL 6, which doesn't support this kind of configuration.
2. The new HBA rule has to be added as a puppet resource or any changes will just get overwritten.

My question really is this: when do you think there will be a new release of the module? I'm not very enthusiastic about publishing this doc until the manage_dbserver param is part of an official release. Alternatively, if there's a workaround that I'm missing then that would also help.
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Justin Holguin updated an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Change By: Justin Holguin
Story Points: 2 3

This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Justin Holguin updated an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Change By: Justin Holguin
Story Points: 1 2
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Kenneth Barber commented on an issue
Re: Puppetdb connexion to postgresql using client certificate

Nicholas Fagerlund we've had some good success with a different technique that avoids the need to use JKS stores, it can use PEM based public/private files. Brian Cain has already updated our docs for this new technique.

What is needed is a new section with the extra settings required to enable client based authentication from the PuppetDB configuration perspective (database.ini), and a corresponding section for the Postgresql side (should be similar to what Fabrice Bacchella has provided).
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Nicholas Fagerlund updated an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Change By: Nicholas Fagerlund
Assignee: Justin Holguin
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Nicholas Fagerlund commented on an issue
Re: Puppetdb connexion to postgresql using client certificate

Thanks for the pointers! We'll look into adding something about this to the http://docs.puppetlabs.com/puppetdb/2.1/postgres_ssl.html page.
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Fabrice Bacchella commented on an issue
Re: Puppetdb connexion to postgresql using client certificate

This setting doesn't check if the certificate name matches the connection name. One should add: &sslhostnameverifier = org.postgresql.ssl.jdbc4.LibPQFactory in the subname.
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Kenneth Barber updated an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Change By: Kenneth Barber
Story Points: 1
Affects Version/s: 2.1.0
Issue Type: Story New Feature
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Kenneth Barber updated an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Change By: Kenneth Barber
Labels: trivial
Jira (PDB-765) Puppetdb connexion to postgresql using client certificate
Fabrice Bacchella created an issue
PuppetDB / PDB-765 Puppetdb connexion to postgresql using client certificate
Issue Type: Story
Affects Versions: 2.1.0
Assignee: Unassigned
Components: DOCS
Created: 17/Jul/14 7:20 AM
Priority: Minor
Reporter: Fabrice Bacchella

For people wanting to authenticate on a postgresql server, using an X509 client certificate, this procedure might help. This procedure does it in the java way, i.e. it takes a jks store, not pem files.

First create a jks with the private key for your account and put in it all the needed certificates in the chain (both server and user). The cn for user certificate should match the username used later.

Add to your JVM args:

    -Djavax.net.ssl.trustStore=.../puppetdb.jks
    -Djavax.net.ssl.trustStorePassword=
    -Djavax.net.ssl.keyStore=.../puppetdb.jks
    -Djavax.net.ssl.keyStorePassword=

In case of problems, -Djavax.net.debug=ssl,defaultctx might help.

My database.ini is:

    [database]
    classname = org.postgresql.Driver
    subprotocol = postgresql
    subname = //localhost:5432/puppetdb?ssl=true
    username = puppetd
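
Added example, not part of the original thread and not PuppetDB code: a small Python audit that applies two points raised in the comments to the configuration posted in the issue, namely that ssl=true alone does not check the certificate name against the connection name, and that the javax.net.ssl.* arguments modify the global JKS. The sample inputs are constructed from the fragments above, with the elided paths replaced by the placeholder /path/to; the function name audit and the finding labels are hypothetical.

```python
import configparser
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the [database] section as posted in the issue.
INI_AS_POSTED = """\
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //localhost:5432/puppetdb?ssl=true
"""

# Constructed sample: same section plus the parameter from the follow-up comment.
INI_WITH_VERIFIER = INI_AS_POSTED.replace(
    "ssl=true",
    "ssl=true&sslhostnameverifier=org.postgresql.ssl.jdbc4.LibPQFactory",
)

# Constructed sample: JVM arguments from the issue; /path/to is a placeholder.
JVM_ARGS = (
    "-Djavax.net.ssl.trustStore=/path/to/puppetdb.jks "
    "-Djavax.net.ssl.keyStore=/path/to/puppetdb.jks "
    "-Djavax.net.debug=ssl,defaultctx"
)


def audit(ini_text, jvm_args=""):
    """Return findings for the JDBC subname and the JVM TLS arguments."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    url = urlsplit(cfg.get("database", "subname", fallback=""))
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}
    findings = []
    if params.get("ssl", "").lower() != "true":
        findings.append("no-tls: subname does not set ssl=true")
    elif "sslhostnameverifier" not in params:
        findings.append(f"no-hostname-check: certificate name is not matched against {url.hostname}")
    for arg in shlex.split(jvm_args):
        name, _, _value = arg.partition("=")
        if name in ("-Djavax.net.ssl.trustStore", "-Djavax.net.ssl.keyStore"):
            findings.append(f"global-jks: {name} changes the JVM-wide default store")
        elif name == "-Djavax.net.debug":
            findings.append("tls-debug: javax.net.debug is still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(INI_AS_POSTED, JVM_ARGS):
        print(finding)
```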