By the end of this tutorial, you will have enabled TLS/SSL on a PostgreSQL device registered in Segura®, uploaded the required certificate and key files, and confirmed that the DB Proxy connection uses the configured certificate.
Prerequisites
- Access: an administrator account in PAM Core with permission to manage devices.
- Files ready: the following files in hand before starting:
  - Client certificate file (.crt).
  - Private key file (.pem).
  - (Optional) CA certificate file, if your environment requires server certificate validation.
  - (Optional) Key passphrase, if the private key is password-protected.
- Device already registered: a PostgreSQL device registered in Segura®. If you have not registered a device yet, see Device registration.
- Version: Segura® 4.2.5 or later.
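A pre-upload check for the files listed above, as an added example that is not part of the Segura® documentation: it uses the OpenSSL command line to confirm that the certificate parses, the key loads with its passphrase, both belong to the same key pair, and nothing is expired. It assumes PEM-encoded files; the function name and the KEY_PASS variable are names chosen for this example.

```shell
#!/bin/sh
# Added example: pre-upload check of the files named in the prerequisites.
# Usage: sh check_tls_files.sh client.crt client-key.pem [ca.crt]
# KEY_PASS is an assumed environment variable name for the key passphrase.

check_tls_files() {
    cert=$1; key=$2; ca=${3:-}

    # 1. The certificate must parse as a PEM X.509 certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate"; return 1; }

    # 2. The key must load. An encrypted key loads only with the passphrase
    #    that will also go in the Key password field.
    if grep -q ENCRYPTED "$key" 2>/dev/null; then
        echo "NOTE: $key is encrypted; the Key password field is required"
    fi
    key_pub=$(KEY_PASS=${KEY_PASS:-} openssl pkey -in "$key" -pubout \
                  -passin env:KEY_PASS 2>/dev/null </dev/null) || {
        echo "FAIL: cannot load $key (missing or wrong passphrase?)"; return 2; }

    # 3. Certificate and key must belong to the same key pair.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match the public key in $cert"; return 3; }

    # 4. Reject a certificate that is expired or expires within 24 hours.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || {
        echo "FAIL: $cert is expired or expires within 24 hours"; return 4; }

    # 5. Optional CA file: it must parse and must itself be unexpired.
    if [ -n "$ca" ]; then
        openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1 || {
            echo "FAIL: $ca is unreadable or expired"; return 5; }
    fi

    echo "OK: $cert and $key are consistent and ready to upload"
}

# Run the check when the script is called with file arguments.
if [ "$#" -ge 2 ]; then
    check_tls_files "$@"
fi
```

A non-zero exit code identifies the failed check (1 certificate, 2 key, 3 mismatch, 4 expiry, 5 CA file).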
The scenario
In this tutorial, you will configure TLS/SSL authentication for a PostgreSQL device named db-postgres-01. You will enable the TLS/SSL option, upload the certificate and key files, and verify that Segura® stores the configuration correctly.
Step 1 - Open the device for editing
- On Segura®, in the navigation bar, hover over the Products menu and select PAM Core.
- In the side menu, select Devices > All devices.
- On the Devices screen, locate the row with the desired device, in this example db-postgres-01.
- In the Actions column, click Edit.
- The Device wizard opens on the Information tab.
Step 2 - Navigate to the Certificate section
- Click the Connectivity tab at the top of the wizard.
- The Connectivity tab loads, showing the Enable remote application usage, Network Connector, and Connectivity fields, followed by the Certificate section.
- Scroll down to the Certificate section.
- The section header reads Certificate and the subtitle reads Certificate for DB Proxy connection. Required if TLS/SSL connection is enabled.
Step 3 - Enable TLS/SSL
- In the Certificate section, set Use TLS/SSL? to Yes.
- The Certificate file and Key file upload areas become active.
Step 4 - Upload the certificate and key files
- In the Certificate file upload area, drag your .crt file onto the area, or click the area and select the file from your file system.
- In the Key file upload area, drag your .pem file onto the area, or click the area and select the file from your file system.
- If your private key is password-protected, type the passphrase in the Key password field.
- (Optional) In the Certificate CA upload area, drag your CA file onto the area, or click the area and select the file from your file system.
:::(warning) (Attention) To replace the certificate or key in the future, upload a new file in the same upload area. Segura® overwrites the previous file on save. :::
Step 5 - Save and review
- Click Continue to advance to the Additional settings tab.
- Click Continue again to advance to the Review tab.
- On the Review tab, confirm that the Connectivity section shows the TLS/SSL configuration you entered.
- Click Save.
- Segura® saves the device with the updated certificate configuration.
Verify what you built
To confirm the certificate is stored and active:
- On the Devices screen, click Edit on db-postgres-01.
- Go to the Connectivity tab and scroll to the Certificate section.
- Verify that Use TLS/SSL? is set to Yes and that the upload areas display the file names of the certificate and key you uploaded.
- (Optional) Open a DB Proxy session to db-postgres-01 through PAM Core and confirm the connection completes without TLS errors.
:::(Info) (Info) If a credential associated with db-postgres-01 has its own certificate configured, the credential-level certificate takes precedence over the device-level certificate configured here. :::
Where to go next
- Reference: Device registration - full field reference for the Device wizard, including all Connectivity tab fields.
- How-To: How to configure a device - concise task guide for registering and editing devices without step-by-step hand-holding.
- How-To: How to check the device connectivity - verify that Segura® can reach your device after saving changes.