Communication security
Kubling uses a transport-independent securing mechanism, which works at communication level using SSL (or TLS). In other words, it is possible to secure native and PostgreSQL transport protocols using the same standard TLS configuration.
When a secure connection is established, the packets exchanged between clients and the Kubling instance are encrypted using TLS 1.3, protecting the data exchanged in transit.
Enabling security
In each transport configuration, you can enable security by setting transports.[protocol].secure: true.
However, when security is enabled, a server certificate must also be specified; otherwise the TLS configuration is ignored.
Generate Certificate
The kdv CLI provides a convenient command to generate certificates that can be read directly by the engine, without having to convert formats.
kdv cert create -s /certs/server.ks -c /certs/client.ks -x myserverpass -p myclientpass -o
The command generates both client and server certificates. The client certificate is only required when the client is configured to validate the server certificate.
When no password is specified for the client and/or server certificate, kdv generates one and prints it to the console; copy those passwords into a secure store.
Configure transports
For security reasons, you may want to use a different certificate per transport, which is why their configurations are independent, as follows:
transports:
  nativeProtocol:
    bindAddress: "0.0.0.0"
    portNumber: 35482
    secure: true
    sslConfig:
      storeFilePath: "/certs/server-native.ks"
      storePassword: "123abc"
  pgProtocol:
    bindAddress: "0.0.0.0"
    portNumber: 35432
    secure: true
    sslConfig:
      storeFilePath: "/certs/server-pg.ks"
      storePassword: "456def"
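As an added example (not part of the Kubling documentation or the kdv tool), a small Python check over the parsed transports mapping that flags the silent failure mode described above: secure: true without a certificate store, which the engine ignores. It assumes the YAML has already been loaded into a dict (for instance with yaml.safe_load) and also reports a store shared between transports, since the page recommends one certificate per transport.

```python
from typing import Dict, List

# Constructed sample mirroring the configuration above, already parsed
# (e.g. with yaml.safe_load). pgProtocol is deliberately missing its
# sslConfig, the silent-failure case described on this page.
SAMPLE_TRANSPORTS: Dict = {
    "nativeProtocol": {
        "bindAddress": "0.0.0.0", "portNumber": 35482, "secure": True,
        "sslConfig": {"storeFilePath": "/certs/server-native.ks",
                      "storePassword": "123abc"},
    },
    "pgProtocol": {
        "bindAddress": "0.0.0.0", "portNumber": 35432, "secure": True,
    },
}


def lint_transports(transports: Dict) -> List[str]:
    """Hypothetical checker: one finding per transport whose TLS setup
    would not take effect the way the operator probably intends."""
    findings: List[str] = []
    store_owner: Dict[str, str] = {}  # storeFilePath -> first transport using it
    for name, cfg in transports.items():
        if cfg.get("secure") is not True:
            findings.append(f"{name}: secure is not true, traffic is plaintext")
            continue
        ssl = cfg.get("sslConfig") or {}
        store = ssl.get("storeFilePath")
        if not store:
            # The engine ignores the TLS configuration in this case.
            findings.append(f"{name}: secure: true but no sslConfig.storeFilePath")
            continue
        if not ssl.get("storePassword"):
            findings.append(f"{name}: sslConfig.storePassword is missing")
        if store in store_owner:
            findings.append(f"{name}: reuses {store} from {store_owner[store]}")
        else:
            store_owner[store] = name
    return findings


if __name__ == "__main__":
    for line in lint_transports(SAMPLE_TRANSPORTS):
        print(line)
```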