DoC Computing Support Group


Differences between revisions 29 and 30
Revision 29 as of 2011-11-05 09:19:00
Size: 9478
Editor: ldk
Comment:
Revision 30 as of 2011-11-05 09:20:48
Size: 9511
Editor: ldk
Comment:
Deletions are marked like this. Additions are marked like this.
Line 174: Line 174:
You can use the command {{{psql -h db.doc.ic.ac.uk -d theDB -U pgUser}}} on a DoC Linux computer to Remember that you can use the command {{{psql --host localhost --port 12345 -U pgUser --dbname=theDB
}}} on a DoC Linux computer to

PostgreSQL connections from off-site

If you want to connect directly to the PostgreSQL server from outside the college network, you must use SSL encryption. Here are four possible ways to address this.

Use the college VPN service

If you first connect using the college VPN service, then your PostgreSQL connection will be considered as being from on-site. In this case, you will not need to use SSL encryption.

Use SSH tunnelling

This is similar to using VPN but at an application-level. Use an SSH client to create a tunnel from your computer outside the network to db.doc.ic.ac.uk through one of the externally-accessible SSH servers: shell1.doc.ic.ac.uk - shell4.doc.ic.ac.uk. Here is the syntax from a Linux terminal (the same command can be run in a Mac OS X terminal):

ssh -L 12345:db.doc.ic.ac.uk:5432 shell1.doc.ic.ac.uk

After you authenticate, the above command will set up a tunnel from port 12345 on your local computer to port 5432 (upon which the PostgreSQL service listens on db.doc.ic.ac.uk). You can then configure the PostgreSQL client on your local computer to connect to localhost:12345. Here is the syntax from a Linux terminal:

psql --host localhost --port 12345 -U pgUser --dbname=theDB

(Replace pguser and theDB with the appropriate DoC PostgreSQL user-name and database respectively)

The above psql command assumes that the PostgreSQL command-line client application of that name is installed locally. You can use plink under Windows to run the same SSH port-forwarding (plink documentation here).

SSL Connection without Validation

We assume that you are using Java; please adapt the following as required for other programming languages.

Suppose that you want to (or must) use SSL encryption but you do not care about validating the SSL certificate for db.doc.ic.ac.uk. First of all, you will need the PostgreSQL jdbc driver in your Java classpath. Download the JAR file from http://jdbc.postgresql.org/ or if you are using Debian or Ubuntu, 'apt-get install libpg-java' (which installs /usr/share/java/postgresql.jar). Update your CLASSPATH environment variable to reference the relevant JAR file location or include it in the '-cp' argument of your java/javac invocations.

You should then specify a data-source of the following form:

jdbc:postgresql://db.doc.ic.ac.uk/theDB?ssl=true&
sslfactory=org.postgresql.ssl.NonValidatingFactory

(That is one line: it has been line-wrapped above so that it is fully displayed).

Replace theDB in the above URI with the name of the database to which you wish to connect. Having established the URI, you must now specify the appropriate user-name and password as parameters to make a successful database connection. Here is a simple Java example illustrating these concepts:

import java.util.Properties;
import java.io.IOException;
import java.lang.ClassNotFoundException;
import java.net.Socket;
import java.lang.reflect.Constructor;
import javax.net.ssl.SSLSocketFactory;
import java.sql.*;

public class CheckDoCDB1 {

    public static void main(String[] args) {

        try {
            Class pgClass = Class.forName("org.postgresql.Driver");
        } catch ( java.lang.ClassNotFoundException e ) {
            System.out.println( "Could not find org.postgresql.Driver class " +
                                "- please check your classpath." );
            System.out.println( e );
        }
        
        String uri = "jdbc:postgresql://db.doc.ic.ac.uk/theDB?&ssl=true" +
                     "&sslfactory=org.postgresql.ssl.NonValidatingFactory";

        Connection db = null;
        try {
            db = DriverManager.getConnection(uri, "pgUser", "pgUserPassword");
            if ( db != null ) {
                System.out.println("Successfully connected to db.doc using " +
                                   "unauthenticated SSL.");
                db.close();
            }
        } catch ( java.sql.SQLException e ) {
                System.out.println( e );
        }
    }
}

Change the obvious strings (theDB, pgUser and pgUserPassword), save it under the file-name 'CheckDoCDB1.java' and compile it like so (we assume that you are using Debian/Ubuntu; adjust JAR file location as required):

javac -cp /usr/share/java/postgresql.jar:. CheckDoCDB1.java

Run it like so (as before, adjust JAR file location as required):

java -cp /usr/share/java/postgresql.jar:. CheckDoCDB1

SSL Connection with Validation

For our more-discerning clientèle, we can offer you the SSL certificate for db.doc.ic.ac.uk. This allows you to be more sure that your off-site database client is truly talking to db.doc.ic.ac.uk. Please e-mail help@doc.ic.ac.uk requesting the certificate if you want to go down this path. If you know of a straight-forward way to query a PostgreSQL server for its SSL certificate, then (a) you can get the certificate directly and (b) please let us know!

We assume that you have obtained the SSL certificate (in .crt form) and have it in the file 'db.doc.ic.ac.uk.crt'. You need to add that certificate to a local key store in order that your Java application accepts that certificate when making a connection.

First, convert the certificate to DER format using the openssl tool:

openssl x509 -in db.doc.ic.ac.uk.crt -out db.doc.ic.ac.uk.crt.der -outform der

(If you are unable to do this, we can give you the DER-format file directly).

Now import the certificate into a local key store:

keytool -keystore ~/.keystore -alias doc_postgresql -import -file db.doc.ic.ac.uk.crt.der

If you are creating this key store for the first time, you will be asked to specify a password. This password is solely for the key store and should be distinct from any other password referenced in this document.

Having done the above, you can now make your database connection code check that you trust the presented SSL certificate before connecting. We revisit the previous code accordingly:

import java.util.Properties;
import java.io.IOException;
import java.lang.ClassNotFoundException;
import java.net.Socket;
import java.lang.reflect.Constructor;
import javax.net.ssl.SSLSocketFactory;
import java.sql.*;


public class CheckDoCDB2 {

    public static void main(String[] args) {

        System.setProperty("javax.net.ssl.trustStore", "/home/userName/.keystore");
        System.setProperty("javax.net.ssl.trustStorePassword", "keystorePassword");

        try {
            Class pgClass = Class.forName("org.postgresql.Driver");
        } catch ( java.lang.ClassNotFoundException e ) {
             System.out.println( "Could not find org.postgresql.Driver class " +
                                "- please check your classpath." );
             System.out.println( e );
        }


        String trustStore = System.getProperty("javax.net.ssl.trustStore");
        if (trustStore == null) {
            System.out.println("javax.net.ssl.trustStore is not defined");
        } else {
            System.out.println("javax.net.ssl.trustStore = " + trustStore);
        }

        String uri = "jdbc:postgresql://db.doc.ic.ac.uk/theDB?ssl=true";
        
        Connection db = null;
        try {
            db = DriverManager.getConnection(uri, "pgUser", "pgUserPassword");
            if ( db != null ) {
                System.out.println("Successfully connected to db.doc using " +
                                   "authenticated SSL.");
                db.close();
            }
        } catch ( java.sql.SQLException e ) {
                System.out.println( e );
        }
    }
} 

As before, change the parameters as required (theDB, pgUser and pgUserPassword). You should also adjust /home/userName/.keystore to refer to the local path of the created key store and keystorePassword to be the password string that you specified for the key store. Save the above code under the file-name 'CheckDoCDB2.java' and compile it like so:

javac -cp /usr/share/java/postgresql.jar:. CheckDoCDB2.java

Run it like so:

java -cp /usr/share/java/postgresql.jar:. CheckDoCDB2

Trouble-shooting

  • Have you specified the correct data source URI?
  • Have you specified the correct user-name?
  • Does that user have access to the specified database?
  • Did you specify the correct password for the user?
  • Have you checked that all the above parameters work correctly for none-SSL connections?
  • Have you tried adding the following option (for extra debugging information) when invoking your Java application?
    • -Djavax.net.debug=ssl

Remember that you can use the command {{{psql --host localhost --port 12345 -U pgUser --dbname=theDB }}} on a DoC Linux computer to eliminate the SSL aspect and check that the basic connection parameters are correct.

Further information

Please see the PostgreSQL and JDBC documentation for more details.

 
 

guides/databases/postgres-ssl (last edited 2015-10-04 18:09:06 by ldk)