Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

SSL Certificates

Updated on 2023-03-17 GMT+08:00
NOTICE:

The information about using SSL certificates is for reference only. For details about the certificates and the security guidelines for managing the certificates and related files, see the database server documentation.

Data Studio can connect to the database using the Secure Sockets Layer (SSL) option. Adding a Connection lists the files required.

#

Certificate/Key

Description

1

Client SSL Certificate

Provided by the system/database administrator

2

Client SSL Key

Provided by the system/database administrator

3

Root Certificate

Provided by the system/database administrator

SSL Certificate Generation and Server Configuration

Perform the following steps to generate a certificate:

  1. Establish a Certificate Authority (CA) environment: Assume that user omm has been created and the CA path is test.

    Log in to SUSE Linux as user root and switch to user omm.

    Run the following commands:

    mkdir test
    cd /etc/ssl

    Copy the configuration file openssl.cnf to the test directory.

    Run the following commands:

    cp openssl.cnf ~/test
    cd ~/test

    Establish the CA environment under the test folder.

    Create a folder in the demoCA./demoCA/newcerts./demoCA/private directory.

    Run the following commands:

    mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
    chmod 777 ./demoCA/private

    Create the serial file and write it to 01.

    Run the following command:

    echo '01'>./demoCA/serial

    Create the index.txt file.

    Run the following command:

    touch /home/omm/test/demoCA/index.txt

    Modify parameters in the openssl.cnf configuration file.

    Run the following commands:

    dir = /home/omm/test/demoCA
    default_md = sha256

    The CA environment has been established.

  2. Generate a root private key: Generate a CA private key.

    Run the following command:

    openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048

    A 2048-bit RSA private key is generated.

  3. Generate a root certificate request file: The root certificate application file name is server.req.

    Run the following commands:

    openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem

    Enter the password of demoCA/private/cakey.pem.

    Enter the private key password of user root.

    You need to enter information that will be included in your certificate request.

    The information you need to enter is a Distinguished Name (DN).

    You can leave some fields blank.

    For a field that contains a default value, enter a period (.) to leave the field blank. Enter the following information in the generated server certificate and client certificate.

    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:xxxx
    Locality Name (eg, city) []:xxxx
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    Organizational Unit Name (eg, section) []:hello
    -Common name can be any name
    Common Name (eg, YOUR name) []:world
    -Email is optional.
    Email Address []:
    A challenge password []:
    An optional company name []:

  4. Generate a self-signed root certificate.

    Run the following command:

    openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem

    Use the configurations of openssl.cnf.

    Enter the password of demoCA/private/cakey.pem.

    Enter the private key password of user root.

    Check whether the request matches the signature.

    Signature ok
    Certificate Details:
    Serial Number: 1 (0x1)
    Validity
    Not Before: Feb 28 02:17:11 2017 GMT
    Not After : Feb 28 02:17:11 2018 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = shanxi
    organizationName = Abc
    organizationalUnitName = hello
    commonName = world
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
    X509v3 Authority Key Identifier:
    keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
    Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    A CA root certificate named demoCA/cacert.pem has been issued.

  5. Generate a server certificate private key: Generate the private key file server.key.

    Run the following command:

    openssl genrsa -aes256 -out server.key 2048

  6. Generate a server certificate request file: Generate the server certificate request file server.req.

    Run the following command:

    openssl req -config openssl.cnf -new -key server.key -out server.req

    Enter the password of server.key.

    You need to enter information that will be included in your certificate request.

    The information you need to enter is a Distinguished Name (DN).

    You can leave some fields blank.

    For a field that contains a default value, enter a period (.) to leave the field blank.

    Configure the following information and ensure that the configuration is the same as that upon CA creation.
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:xxxx
    Locality Name (eg, city) []:xxxx
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    Organizational Unit Name (eg, section) []:hello
    -Common name can be any name
    Common Name (eg, YOUR name) []:world
    Email Address []:
    -- The following information is optional.
    A challenge password []:
    An optional company name []:

  7. Generate a server certificate: Set the demoCA/index.txt.attr attribute to no.

    vi demoCA/index.txt.attr

    Issue the generated server certificate request file. After it is issued, the official server certificate server.crt is generated.

    openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 –md sha256

    Use the configurations of /etc/ssl/openssl.cnf.

    Enter the password of /demoCA/private/cakey.pem.

    Check whether the request matches the signature.

    Signature ok
    Certificate Details:
    Serial Number: 2 (0x2)
    Validity
    Not Before: Feb 27 10:11:12 2017 GMT
    Not After : Feb 25 10:11:12 2027 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = shanxi
    organizationName = Abc
    organizationalUnitName = hello
    commonName = world
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
    X509v3 Authority Key Identifier:
    keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A
    Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)
    -- Choose y to sign and issue the certificate.
    Sign the certificate? [y/n]:y
    -- Select y, the certificate singing and issuing is complete.
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    Enable password protection for the private key: If the password protection for the server private key is not enabled, you need to use gs_guc to encrypt the password.

    gs_guc encrypt -M server -K root private key password -D ./

    After the password is encrypted using gs_guc, two private key password protection files server.key.cipher and server.key.rand are generated.

  8. Generate a client certificate and private key: Generate a client private key.

    openssl genrsa -aes256 -out client.key 2048

    Generate a client certificate request file.

    openssl req -config openssl.cnf -new -key client.key -out client.req

    After the generated client certificate request file is signed and issued, the official client certificate client.crt will be generated.

    openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 –md sha256
    NOTE:

    If METHOD is set to cert in the pg_hba.conf file of the server, the client must use the username (common user) configured in the license file client.crt to connect to a database. If METHOD is set to md5 or sha256, the client does not have this restriction.

    If the password protection for the client private key is not removed, you need to use gs_guc to encrypt the password.

    gs_guc encrypt -M client -K root private key password -D ./

    After the password is encrypted using gs_guc, two private key password protection files client.key.cipher and client.key.rand are generated.

Replacing Certificates

Default security certificates and keys required for SSL connection are configured in LibrA. Before the operation, obtain official certificates and keys for the server and client from the CA.

  1. Prepare for a certificate and a key. The conventions for configuration file names on the server are as follows:

    l Certificate name: server.crt
    l Key name: server.key
    l Key password and encrypted file: server.key.cipher and server.key.rand
    Conventions for configuration file names on the client:
    l Certificate name: client.crt
    l Key name: client.key
    l Key password and encrypted file: client.key.cipher and client.key.rand
    l Certificate name: cacert.pem
    l Names of files on in the revoked certificate list: sslcrl-file.crl

  2. Create a package.

    Package name: db-cert-replacement.zip

    Package format: ZIP

    Package file list: server.crt, server.key, server.key.cipher, server.key.rand, client.crt, client.key, client.key.cipher, client.key.rand, and cacert.pem

    If you need to configure the certificate revocation list (CRL), the package file list must contain sslcrl-file.crl.

    Run the following commands:
    zip db-cert-replacement.zip client.crt client.key client.key.cipher client.key.rand server.crt server.key server.key.cipher server.key.rand
    zip -u ../db-cert-replacement.zip cacert.pem

  3. Call the certificate replacement interface to replace a certificate. Upload the package db-cert-replacement.zip to any path of a cluster user, for example, /home/gaussdba/test/db-cert-replacement.zip.

    Run the following command to replace the certificate in Coodinator (CN):

    gs_om -t cert --cert-file=/home/gaussdba/test/db-cert-replacement.zip

    Starting SSL cert files replace.

    Backing up old SSL cert files.

    Backup SSL cert files on BLR1000029898 successfully.

    Backup SSL cert files on BLR1000029896 successfully.

    Backup SSL cert files on BLR1000029897 successfully.

    Backup gds SSL cert files on successfully.

    BLR1000029898 replace SSL cert files successfully.

    BLR1000029896 replace SSL cert files successfully.

    BLR1000029897 replace SSL cert files successfully.

    Replace SSL cert files successfully.

    Distribute cert files on all coordinators successfully.

    You can run the gs_om -t cert --rollback command to remotely call the interface and the gs_om -t cert --rollback -L command.

Client Configuration

  1. Run the following command on the client key file:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in Client.key -out client.pk8

  2. Copy the created client.pk8, client.crt, and cacert.pem files to the client.

    NOTE:

    When you select Client SSL Key on Data Studio, the key file cannot be selected and only the *.pk8 file can be selected. However, this file is not included in the downloaded certificate.

  3. Configure Two way SSL authentication for the client on the server.

    hostssl      all           all           10.18.158.95/32        cert

    Configure One way SSL authentication for the client on the server.

    hostssl      all           all           10.18.158.95/32        sha256

  4. During the login to Data Studio, password is not validated in the two-way SSL authentication.

    You need to enter the SSL password.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback