Communication security

Kubling secures communication with a transport-independent mechanism that operates at the communication level using SSL (or TLS). In other words, the native and PostgreSQL transport protocols can both be secured with the same standard TLS configuration.

When a secure connection is established, the packets exchanged between clients and the Kubling instance are encrypted using TLS 1.3, which protects the data in transit.


Enabling security

In each transport configuration, you can enable security by setting transports.[protocol].secure: true. When it is enabled, a server certificate must also be specified; otherwise the TLS configuration will be ignored.

Generate Certificate

The kdv CLI provides a convenient command to generate certificates that the engine can read directly, without format conversion.

kdv cert create -s /certs/server.ks -c /certs/client.ks -x myserverpass -p myclientpass -o

The command generates both client and server certificates. The client certificate is only required when the client is configured to validate the server certificate.

When no password is specified for the client and/or server certificate, kdv generates the missing passwords and prints them to the console. Copy those passwords into a secure store.

Configure transports

For security reasons, you may want to use a different certificate per transport, which is why their configurations are independent, as follows:

transports:
  nativeProtocol:
    bindAddress: "0.0.0.0"
    portNumber: 35482
    secure: true
    sslConfig:
      storeFilePath: "/certs/server-native.ks"
      storePassword: "123abc"
  pgProtocol:
    bindAddress: "0.0.0.0"
    portNumber: 35432
    secure: true
    sslConfig:
      storeFilePath: "/certs/server-pg.ks"
      storePassword: "456def"
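
Because TLS configuration is ignored when secure: true is set without a server certificate, a pre-deployment check can catch a transport that would otherwise start without encryption. The following is an added example, not part of Kubling or kdv: the function name, finding codes and sample data are hypothetical, and it assumes the transports section has already been parsed into a mapping and that a missing sslConfig.storeFilePath is the "no server certificate" case.

```python
import os

# Key names (secure, sslConfig, storeFilePath) are the ones used in the
# transport configuration above; everything else here is illustrative.
def lint_transports(transports, exists=os.path.isfile):
    """Return (transport, code) findings for a parsed `transports` mapping."""
    findings, seen = [], {}
    for name, cfg in transports.items():
        cfg = cfg or {}
        if cfg.get("secure") is not True:
            findings.append((name, "TLS_DISABLED"))
            continue
        store = (cfg.get("sslConfig") or {}).get("storeFilePath")
        if not store:
            # Assumption: this is the case where the TLS configuration is ignored.
            findings.append((name, "NO_SERVER_CERT"))
            continue
        if not exists(store):
            findings.append((name, "STORE_NOT_FOUND"))
        if store in seen:
            # The page suggests a different certificate per transport.
            findings.append((name, "STORE_SHARED_WITH_" + seen[store]))
        else:
            seen[store] = name
    return findings

# Constructed sample: pgProtocol sets secure: true but has no sslConfig.
SAMPLE = {
    "nativeProtocol": {
        "bindAddress": "0.0.0.0", "portNumber": 35482, "secure": True,
        "sslConfig": {"storeFilePath": "/certs/server-native.ks",
                      "storePassword": "<placeholder>"},
    },
    "pgProtocol": {"bindAddress": "0.0.0.0", "portNumber": 35432, "secure": True},
}

if __name__ == "__main__":
    # exists is stubbed so the sample runs without the keystore files present.
    for name, code in lint_transports(SAMPLE, exists=lambda p: True):
        print(f"{name}: {code}")
```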