Configuration steps to enable SSL in Greenplum

Article ID: 404178

Products

VMware Tanzu Greenplum

Issue/Introduction

By default, Greenplum Database allows unencrypted client connections, which can expose sensitive data to security risks. Enabling SSL (Secure Sockets Layer) ensures encryption for client-server communication, helping protect data in transit and meet compliance requirements.

This article provides step-by-step instructions to configure SSL for client connections in Greenplum, including certificate generation, configuration changes, and master restart.

Environment

VMware Tanzu Greenplum 6.XX

Cause

Greenplum does not enable SSL by default. To secure client communications:

  • SSL must be explicitly configured.

  • Certificates and keys must be generated and installed.

  • Configuration files must be updated to support SSL.

Resolution

Step 1: Generate SSL Certificates

Use OpenSSL to generate the necessary keys and certificates.

# Generate a new private key (written to privkey.pem, passphrase-protected) and a
# certificate request; you are prompted for the passphrase and the subject fields
openssl req -new -text -out server.req

# Remove the passphrase (PostgreSQL does not support passphrase-protected server
# keys, so the master could not start unattended with one)
openssl rsa -in privkey.pem -out server.key
rm privkey.pem

# Generate a certificate signing request (only needed if a CA will sign the
# certificate; the self-signing step below uses server.req instead)
openssl req -new -key server.key -out server.csr

# Self-sign the certificate
openssl req -x509 -in server.req -text -key server.key -out server.crt

# Set secure permissions: the key must not be group- or world-readable
chmod 600 server.key
chmod 644 server.crt

Step 2: Copy Certificate and Key to Master Directory

Run as root (or as the current owner of the files):

cp server.crt server.key $MASTER_DATA_DIRECTORY/
chown gpadmin:gpadmin $MASTER_DATA_DIRECTORY/server.*

Ensure the files are owned by the gpadmin user and are located in the appropriate master data directory (e.g., /data/master/gpseg-1/).

Step 3: Enable SSL in postgresql.conf

Edit the master node’s postgresql.conf file (found in $MASTER_DATA_DIRECTORY) and add or update the following lines:

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'

# Optional: Enable CA verification for clients
# ssl_ca_file = 'root.crt'

Step 4: Update pg_hba.conf for SSL Connections

In the same directory, edit the pg_hba.conf file to add SSL support for client connections:

hostssl all all 0.0.0.0/0 md5

Step 5: Configure Replication Access (Optional)

Replication can still use non-SSL or SSL connections. Example configuration:

local    replication gpadmin                         ident
# 'samehost' matches the master's own IP addresses (auth method assumed to be
# trust, as in Greenplum's default pg_hba.conf)
host     replication gpadmin     samehost            trust
host     replication gpadmin     10.159.240.160/32   trust
host     replication gpadmin     192.168.122.1/32    trust
# Optionally use hostssl for replication over SSL
# hostssl replication gpadmin   <replica-ip>/32     md5

Adjust the IP addresses and authentication method (trust, md5, etc.) according to your environment and security policies.
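The following Python script is an added example, not part of this article or of Greenplum's own tooling. It audits pg_hba.conf entries of the kind shown in Steps 4 and 5 (plaintext "host" rules, "trust" on non-local addresses, a wide-open hostssl CIDR, malformed lines) and checks the mode and owner of server.key from Steps 1 and 2. The sample pg_hba.conf content is constructed for the example, including a deliberately truncated last line; the field layout it assumes is the Greenplum 6 / PostgreSQL 9.4 one (TYPE DATABASE USER ADDRESS [NETMASK] METHOD), and it treats only loopback ranges and the samehost keyword as local.

```python
"""Audit a Greenplum pg_hba.conf and the SSL key file permissions.

Added example: not the KB article's code and not Greenplum tooling. Assumes the
pg_hba.conf field layout of Greenplum 6 (PostgreSQL 9.4):
    TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]
"""
import ipaddress
import os
import stat

# Constructed sample modelled on Steps 4 and 5 of the article; the last line is
# deliberately truncated to show how malformed entries are reported.
SAMPLE_PG_HBA = """\
local    all         gpadmin                          ident
host     all         gpadmin     127.0.0.1/28         trust
hostssl  all         all         0.0.0.0/0            md5
local    replication gpadmin                          ident
host     replication gpadmin     samehost             trust
host     replication gpadmin     10.159.240.160/32    trust
host     replication gpadmin     192.168.122.1/32     trust
host     replication gpadmin     same
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}
WEAK_METHODS = {"trust", "password"}   # no authentication / cleartext password
LOCAL_KEYWORDS = {"samehost"}          # matches only the server's own addresses


def parse_pg_hba(text):
    """Yield (line_number, fields) for each effective entry, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def _address_and_method(fields):
    """Return (address_text, network_or_None, method) for a host-type entry.

    Handles both the 'addr/prefix' form and the separate 'addr netmask' form.
    """
    addr = fields[3]
    if "/" in addr:
        return addr, ipaddress.ip_network(addr, strict=False), fields[4]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr, None, fields[4]            # hostname or keyword such as samehost
    if len(fields) >= 6:
        try:                                    # 'addr netmask method' form
            net = ipaddress.ip_network(f"{ip}/{fields[4]}", strict=False)
            return addr, net, fields[5]
        except ValueError:
            pass                                # fields[4] was the method, not a mask
    return addr, ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}"), fields[4]


def _is_local(addr, net):
    """True for the samehost keyword and loopback networks only."""
    if addr in LOCAL_KEYWORDS:
        return True
    return net is not None and net.network_address.is_loopback


def audit_pg_hba(text):
    """Return a list of (line_number, message) findings for the given pg_hba text."""
    findings = []
    for lineno, f in parse_pg_hba(text):
        ctype = f[0]
        if ctype == "local":
            if len(f) < 4:
                findings.append((lineno, "malformed local entry: missing auth method"))
            continue                            # Unix socket: SSL does not apply
        if ctype not in HOST_TYPES:
            findings.append((lineno, f"unknown connection type {ctype!r}"))
            continue
        if len(f) < 5:
            findings.append((lineno, "malformed entry: missing address or auth method"))
            continue
        addr, net, method = _address_and_method(f)
        local = _is_local(addr, net)
        if method in WEAK_METHODS and not local:
            findings.append((lineno, f"{method!r} auth on non-local address {addr}"))
        if ctype == "host" and not local:
            findings.append((lineno, f"'host' permits plaintext from {addr}; use hostssl"))
        if ctype == "hostssl" and net is not None and net.prefixlen == 0:
            findings.append((lineno, "hostssl open to any address; narrow the CIDR"))
    return findings


def check_key_mode(mode, owner_uid, expected_uid):
    """Pure check behind audit_key_file: server.key must be 0600 and owned by gpadmin."""
    msgs = []
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        msgs.append(f"key mode {perm:04o} is group/world accessible; expected 0600")
    if owner_uid != expected_uid:
        msgs.append(f"key owned by uid {owner_uid}, expected uid {expected_uid} (gpadmin)")
    return msgs


def audit_key_file(path, expected_uid):
    """Stat the key file on disk and run check_key_mode on the result."""
    st = os.stat(path)
    return check_key_mode(st.st_mode, st.st_uid, expected_uid)


if __name__ == "__main__":
    for lineno, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno}: {msg}")
    # On a real master, run as gpadmin (hypothetical usage, path taken from the env):
    # audit_key_file(os.path.join(os.environ["MASTER_DATA_DIRECTORY"], "server.key"), os.getuid())
```

Run against the real files with audit_pg_hba(open(path).read()) and audit_key_file(path, uid) as gpadmin after Step 2; an empty result from both means the key is locked down and no rule still admits plaintext or unauthenticated remote connections.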

Step 6: Restart the Greenplum Master

Apply the SSL configuration changes by restarting the Greenplum master:

gpstop -r

gpstop -r stops and then restarts the Greenplum system. A full restart is required because ssl is a postmaster-level parameter in Greenplum 6: gpstop -u only reloads pg_hba.conf and the runtime parameters of postgresql.conf without restarting, so it would apply the pg_hba.conf changes but would not turn SSL on.