In a previous post we walked through configuring a PostgreSQL database server as the external database for our vRealize Orchestrator (vRO) cluster. In this post we'll cover adding SSL support to encrypt the traffic between our vReazlie Orchestrator cluster and our PostgreSQL database server.
PostgreSQL SSL Configuration
The first thing we need to do is get our SSL certificate for the database server. In this case we're going to use openssl to generate our certificate request and ultimately we'll use openssl self-sign the certificate.
openssl req -newkey rsa:4096 -nodes -keyout vrodb.key -out vrodb.csr
Provide the necessary information to the prompts.
Generating a 4096 bit RSA private key .............................................................++ ..................................................................................++ writing new private key to 'vrodb.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) :IL Locality Name (eg, city) [Default City]:Chicago Organization Name (eg, company) [Default Company Ltd]:Green Reed Technology Organizational Unit Name (eg, section) :IT Common Name (eg, your name or your server's hostname) :grtdb01.grt.local Email Address :[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :Green Reed Technology
Sign Certificate Request
We'll sign the certificate request with openssl since we're using a self-signed certificate but the CSR could be signed by a trusted CA as well.
openssl x509 -signkey vrodb.key -in vrodb.csr -req -days 365 -out vrodb.crt
Signature ok subject=/C=US/ST=IL/L=Chicago/O=Green Reed Technology/OU=IT/CN=grtdb01.grt.local/[email protected] Getting Private key
With the private key and certificate created we'll secure the file permissions.
chmod 400 vrodb.key chown postgres:postgres vrodb.key chown postgres:postgres vrodb.crt
Configure SSL Support
The following change must be made to the /var/lib/pgsql/9.6/data/postgresql.conf config file to enable SSL support.
ssl = on ssl_cert_file = 'vrodb.crt' ssl_key_file = 'vrodb.key' ssl_ca_file = 'vrodb.crt'
Restart the PostgreSQL Service
We need to restart the PostgreSQL service to apply the changes we've made.
systemctl restart postgresql-9.6
vRO SSL Configuration
With our database server configured to support SSL we just need to configure our vRealize Orchestrator (vRO) cluster to use SSL to connect to the database.
The first thing we need to do is import the SSL certificate for our database server into vRealize Orchestrator. From the vRealize Orchestrator (vRO) control center click "Certificates" to manage the vRealize Orchestrator (vRO) certificates.
Click "IMPORT" and select "Import from a PEM-encoded file".
Click "BROWSE" and select the SSL certificate that our database server utilizes. The SSL certificate may need to be copied from the database server is not present on the local machine.
Click "IMPORT" to import the SSL certificate into the keystore.
Verify the SSL certificate and click "IMPORT".
Once the import process has been completed the SSL certificate should show as a trusted SSL certificate.
Repeat the SSL certificate import process on all additional vRO appliances in the cluster.
With the SSL certificate of our database imported we need to configure our connection to use SSL. Click on "Database" from the Control Center home page to configure the database.
Toggle the "Use SSL" slider, select "require" for the SSL mode and click "SAVE" to configure SSL support.
If the connection was established successfully we should see a "Configuration saved" message.
Unfortunately even though we just configured SSL support the UI doesn't update properly so it seems like we don't have SSL configured if we go back to the database configuration screen.
One way to validate the SSL configuration is to log into one of the vRO appliances and run the following command.
cat /var/lib/vco/app-server/conf/vmo.properties | grep sslmode
The command output should be similar to that below if SSL is configured and no output if it's not.
PostgreSQL SSL Configuration
vRealize Orchestrator Database Configuration