[pgpool-general: 7021] Re: SSL authentication in Pgpool
Tatsuo Ishii
ishii at sraoss.co.jp
Mon May 18 16:24:58 JST 2020

> Hello folks,
> 
> I need your expert advice on using SSL authentication in pgpool.
> 
> Environment:
> - OS - RHEL 7.6
> - PostgreSQL- 11.6 ( Master and Replica on different servers)
> - pgpool - 4.0.2 - active on master node ( sorry but I need this version)
> 
> My requirement is to have secure communication between client<=> pgpool and
> pgpool <=> postgres.
> Maintaining pool_passwd file is not possible ( no control over user and
> password)  in my use case.

You can use allow_clear_text_frontend_auth to not store passwords in pool_passwd file.
https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-ALLOW-CLEAR-TEXT-FRONTEND-AUTH

> Another option is Certificate Authentication (SSL) between both client<=>
> pgpool and pgpool<=> postgres ( using same server cert).

Unfortunately Certificate Authentication is not supported between
pgpool <=> postgres.

> In order to achieve above , I performed below steps-
> *- generated self signed certificate *
> *- updated pgpool.conf*
> *- updated postgresql.conf , and  pg_hba.conf *
> *-  restarted whole setup.*
> 
> I can successfully login to  postgresql using cert( i.e. user can log in
> using client cert) but SSL between pgpool<=> postgres is not working.
> 
> pgpool log:
[snip]
> As I did not find any related document and the document that I found
> <https://www.highgo.ca/2020/02/25/setting-up-ssl-certificate-authentication-with-pgpool-ii/> is
> not working as expected. There is another contradictory information in
> pgpool doc  source-6.2.4
> <https://www.pgpool.net/docs/40/en/html/auth-methods.html>  , which says
> certificate authentication between pgpool <=> postgres is not possible.

Yes, it's not possible.

> Am I doing something wrong? or this is not at all a possible use case.

I recommend the following:

0. enable allow_clear_text_frontend_auth.

1. client <=> pgpool

Use SSL connection and clear text password authentication. You don't
need to set up pool_passwd. Password will be provided by client.

2. pgpool <=> postgres

Use SSL connection and md5 or SCRAM authentication. The password used
for the authentication is provided by client if
allow_clear_text_frontend_auth is enabled.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
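
An added example (not part of the original message and not Pgpool-II project code): a small Python check that audits a pgpool.conf and the backend's pg_hba.conf against the setup recommended in the reply above. The sample files, the placeholder address 192.0.2.10/32 for the pgpool host and the function names are constructed for illustration; pg_hba.conf addresses are assumed to be in CIDR form, and the enable_pool_hba check reflects the note in the Pgpool-II documentation that allow_clear_text_frontend_auth only works when enable_pool_hba is not enabled.

```python
import re

# Constructed sample files, not taken from the thread.
# 192.0.2.10/32 is a placeholder for the pgpool host's address.
PGPOOL_CONF = """\
ssl = on
ssl_key = '/etc/pgpool-II/server.key'
ssl_cert = '/etc/pgpool-II/server.crt'
enable_pool_hba = off
allow_clear_text_frontend_auth = on
"""
PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS        METHOD
hostssl  all       all   192.0.2.10/32  cert
host     all       all   192.0.2.10/32  md5
"""
ON = ("on", "true", "yes", "1")

def parse_conf(text):
    """Parse 'name = value' lines, dropping comments and quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=\s*(.+)", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1).lower()] = m.group(2).strip().strip("'").lower()
    return conf

def audit(pgpool_conf, pg_hba, pgpool_addr):
    """Return findings where the files deviate from the recommended setup."""
    conf, findings = parse_conf(pgpool_conf), []
    if conf.get("ssl", "off") not in ON:
        findings.append("pgpool.conf: ssl is off")
    if conf.get("allow_clear_text_frontend_auth", "off") not in ON:
        findings.append("pgpool.conf: allow_clear_text_frontend_auth is off")
    elif conf.get("enable_pool_hba", "off") in ON:
        findings.append("pgpool.conf: enable_pool_hba is on, so "
                        "allow_clear_text_frontend_auth has no effect")
    for n, line in enumerate(pg_hba.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or f[3] != pgpool_addr:
            continue  # comment, blank line, or a rule for another address
        if f[0] != "hostssl":
            findings.append(f"pg_hba.conf:{n}: '{f[0]}' rule permits non-SSL connections")
        if f[4] not in ("md5", "scram-sha-256"):
            findings.append(f"pg_hba.conf:{n}: method '{f[4]}' is not md5 or SCRAM")
    return findings

if __name__ == "__main__":
    for finding in audit(PGPOOL_CONF, PG_HBA, "192.0.2.10/32"):
        print(finding)
```

With pool_hba.conf out of use, pgpool itself does not reject non-SSL clients, so the client side should request TLS (for example `sslmode=require` in libpq) before the clear-text password is sent.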
    
    