diff options
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/runtime.sgml | 70 |
1 files changed, 8 insertions, 62 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index ab7a6b4795b..31810dc19d8 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,5 +1,5 @@ <!-- -$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.29 2000/10/19 04:53:41 tgl Exp $ +$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.30 2000/10/20 14:00:49 thomas Exp $ --> <Chapter Id="runtime"> @@ -1014,7 +1014,7 @@ env PGOPTIONS='--geqo=off' psql <listitem> <para> Enables <acronym>SSL</> connections. Please read - <xref linkend="ssl"> before using this. The default + <xref linkend="ssl-tcp"> before using this. The default is off. </para> </listitem> @@ -1637,7 +1637,7 @@ set semsys:seminfo_semmsl=32 </para> </sect1> - <sect1 id="ssl"> + <sect1 id="ssl-tcp"> <title>Secure TCP/IP Connections with SSL</title> <para> @@ -1654,7 +1654,8 @@ set semsys:seminfo_semmsl=32 can be started with the argument <option>-l</> (ell) to enable SSL connections. When starting in SSL mode, the postmaster will look for the files <filename>server.key</> and <filename>server.crt</> in - the data directory. These files should contain the server private key + the data directory (pointed to by <envar>PGDATA</envar>). + These files should contain the server private key and certificate respectively. These files must be set up correctly before an SSL-enabled server can start. If the private key is protected with a passphrase, the postmaster will prompt for the passphrase and will @@ -1664,7 +1665,8 @@ set semsys:seminfo_semmsl=32 <para> The postmaster will listen for both standard and SSL connections on the same TCP/IP port, and will negotiate with any connecting - client wether to use SSL or not. See <xref linkend="client-authentication"> + client whether or not to use SSL. + See <xref linkend="client-authentication"> about how to force on the server side the use of SSL for certain connections. </para> @@ -1695,63 +1697,7 @@ openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.p </para> </sect1> - <sect1 id="ssl"> - <title>Secure TCP/IP Connection with SSL</title> - - <para> - PostgreSQL has native support for connections over SSL to encrypt - client/server communications for increased security. This requires - <productname>OpenSSL</productname> to be installed on both client - and server systems and support enabled at compile-time using - the configure script. - </para> - - <para> - With SSL support compiled in, the Postgres backend can be - started with argument -l to enable SSL connections. - When starting in SSL mode, the postmaster will look for the - files <filename>server.key</filename> and - <filename>server.cert</filename> in the <envar>PGDATA</envar> - directory. These files should contain the server private key and - certificate respectively. If the private key is protected with a - passphrase, the postmaster will prompt for the passphrase and not - start until it has been provided. - </para> - - <para> - The postmaster will listen for both standard and SSL connections - on the same TCP/IP port, and will negotiate with any connecting - client wether to use SSL or not. Use the <filename>pg_hba.conf</filename> - file to optionally require SSL in order to accept a connection. - </para> - - <para> - For details on how to create your server private key and certificate, - refer to the OpenSSL documentation. A simple self-signed certificate - can be used to get started testing, but a certificate signed by a CA - (either one of the global CAs or a local one) should be used in - production so the client can verify the servers identity. To create - a quick self-signed certificate, use the <filename>CA.pl</filename> - script included in OpenSSL: -<programlisting> - CA.pl -newcert -</programlisting> - Fill out the information the script asks for. Make sure to enter - the local hostname as Common Name. The script will generate a key - which is passphrase protected. To remove the passphrase (required - if you want automatic startup of the postmaster), run the command -<programlisting> - openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem -</programlisting> - Enter the old passphrase to unlock the existing key. Copy the file - <filename>newreq.pem</filename> to <filename>PGDATA/server.cert</filename> - and <filename>newkey_no_passphrase.pem</filename> to - <filename>PGDATA/server.key</filename>. Remove the PRIVATE KEY part - from the <filename>server.cert</filename> using any text editor. - </para> - </sect1> - - <sect1 id="ssh"> + <sect1 id="ssh-tunnels"> <title>Secure TCP/IP Connections with SSH tunnels</title> <note> |