Communication security
Kubling uses a transport-independent securing mechanism, which works at communication level using SSL (or TLS). In other words, it is possible to secure native and PostgreSQL transport protocols using the same standard TLS configuration.
When a secure connection is established, the packets exchanged between clients and the Kubling instance are encrypted using TLS 1.3, making the
data exchanged completely secure.
Enabling security
In each transport configuration, you can enable security by activating the transports.[protocol].secure: true.
However, when enabled, also a server certificate must be specified, otherwise the TLS configuration will be ignored.
Generate Certificate
kdv CLI provides a convenient command to generate certificates, that can be directly read by the engine, without having to convert formats.
kdv cert create -s /certs/server.ks -c /certs/client.ks -x myserverpass -p myclientpass -oCommand generates both client and server certificates. Client certificate is only required in case the client is configured to validate the server certificate.
When no password is provided for either the client or server certificates, kdv will automatically generate them and display the passwords in the console. Make sure to copy and store these passwords securely.
Configure transports
For security reasons, you may want to use a different certificate per transport, reason why their configurations are independent, as follows:
transports:
nativeProtocol:
bindAddress: "0.0.0.0"
portNumber: 35482
secure: true
sslConfig:
storeFilePath: "/certs/server-native.ks"
storePassword: "123abc"
pgProtocol:
bindAddress: "0.0.0.0"
portNumber: 35432
secure: true
sslConfig:
storeFilePath: "/certs/server-pg.ks"
storePassword: "456def"