Documentation
Table of Contents
2 PostgreSQL encryption configuration
Overview
This section provides several encryption configuration examples for CentOS 8.2 and PostgreSQL 13.
Connection between Áú»¢¶Ä²© frontend and PostgreSQL cannot be encrypted (parameters in GUI are disabled), if the value of Database host field begins with a slash or the field is empty.
Since Áú»¢¶Ä²© 5.0.5 TLS encryption parameter names in the frontend have changed slightly: for better clarity the "Database" prefix has been added. In versions 5.0.0-5.0.4 parameters are named TLS encryption, TLS certificate file, etc.
Pre-requisites
Install the PostgreSQL database using the .
PostgreSQL is not configured to accept TLS connections out-of-the-box. Please follow instructions from PostgreSQL documentation for and also for through ph_hba.conf.
By default, the PostgreSQL socket is binded to the localhost, for the network remote connections allow to listen on the real network interface.
PostgreSQL settings for all modes can look like this:
/var/lib/pgsql/13/data/postgresql.conf:
...
ssl = on
ssl_ca_file = 'root.crt'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_min_protocol_version = 'TLSv1.3'
...For access control adjust /var/lib/pgsql/13/data/pg_hba.conf:
...
### require
hostssl all all 0.0.0.0/0 md5
### verify CA
hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca
### verify full
hostssl all all 0.0.0.0/0 md5 clientcert=verify-full
...Required mode
Frontend
To enable transport-only encryption for connections between Áú»¢¶Ä²© frontend and the database:
- Check Database TLS encryption
- Leave Verify database certificate unchecked
Server
To enable transport-only encryption for connections between server and the database, configure /etc/zabbix/zabbix_server.conf:
...
DBHost=10.211.55.9
DBName=zabbix
DBUser=zbx_srv
DBPassword=<strong_password>
DBTLSConnect=required
...Verify CA mode
Frontend
To enable encryption with certificate authority verification for connections between Áú»¢¶Ä²© frontend and the database:
- Check Database TLS encryption and Verify database certificate
- Specify path to Database TLS key file
- Specify path to Database TLS CA file
- Specify path to Database TLS certificate file
Alternatively, this can be set in /etc/zabbix/web/zabbix.conf.php:
...
$DB['ENCRYPTION'] = true;
$DB['KEY_FILE'] = '';
$DB['CERT_FILE'] = '';
$DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
$DB['VERIFY_HOST'] = false;
$DB['CIPHER_LIST'] = '';
...Server
To enable encryption with certificate verification for connections between Áú»¢¶Ä²© server and the database, configure /etc/zabbix/zabbix_server.conf:
...
DBHost=10.211.55.9
DBName=zabbix
DBUser=zbx_srv
DBPassword=<strong_password>
DBTLSConnect=verify_ca
DBTLSCAFile=/etc/ssl/pgsql/root.crt
...Verify full mode
Frontend
To enable encryption with certificate and database host identity verification for connections between Áú»¢¶Ä²© frontend and the database:
- Check Database TLS encryption and Verify database certificate
- Specify path to Database TLS key file
- Specify path to Database TLS CA file
- Specify path to Database TLS certificate file
- Check Database host verification
Alternatively, this can be set in /etc/zabbix/web/zabbix.conf.php:
$DB['ENCRYPTION'] = true;
$DB['KEY_FILE'] = '';
$DB['CERT_FILE'] = '';
$DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
$DB['VERIFY_HOST'] = true;
$DB['CIPHER_LIST'] = '';
...Server
To enable encryption with certificate and database host identity verification for connections between Áú»¢¶Ä²© server and the database, configure /etc/zabbix/zabbix_server.conf: