The Cryptographic Security Platform does not require a database. However, some Entrust solutions have the requirements described in the table below.
Certificate Authority and Certificate Manager cannot share the same database.
Database Management System
The external databases of Entrust solutions support the following Database Management Systems (DBMSs).
Solution | Oracle | PostgreSQL | Microsoft SQL Server
---|---|---|---
Certificate Authority | | 15+ |
Certificate Manager | | 15+ |
Validation Authority | 21.3.0 | 14.3 or 15.10 | 2019 CU15, 2022 CU13
Certificate Enrollment Gateway | | 15+ | 2019+, 2022+
Database storage
Calculate the required database storage based on the expected data.
For example, the Certificate Manager solution database requires nearly 1 GB for 25,000 certificates and a few weeks of reports.

25,000 certificates x 20 KB/certificate = 500 MB
200 reports x 1 MB/report = 200 MB
Total: 700 MB
Database platform
Check the DBMS documentation for the DBMS requirements on each platform. In the case of PostgreSQL, we recommend downloading the official Docker image:
https://hub.docker.com/_/postgres
If you are not using this Docker image, make sure to install the pg_trgm extension by running this command.

```shell
sudo dnf install postgresql15-contrib
```
Database user permissions
The database user must have permissions on the public schema.
For example, to create a Certificate Manager database user with sufficient permissions, connect with psql using the default PostgreSQL user and execute the following commands.

```sql
-- Create a non-superuser role that can create its own database
CREATE USER ${POSTGRES_USER} WITH NOSUPERUSER CREATEDB ENCRYPTED PASSWORD '${POSTGRES_PWD}';
-- Reconnect as the new user so that the database it creates is owned by it
\c postgres ${POSTGRES_USER}
CREATE DATABASE cm;
-- Connect to the new database and enable the pg_trgm extension in it
\c cm ${POSTGRES_USER}
CREATE EXTENSION IF NOT EXISTS pg_trgm;
```

Where:

- ${POSTGRES_USER} is the database user name selected when Configuring and deploying Certificate Manager.
- ${POSTGRES_PWD} is the database user password selected when Configuring and deploying Certificate Manager.
Database allowed connections
Restrict database incoming connections to those originating from the Cryptographic Security Platform host.
To restrict incoming connections on a PostgreSQL database

Edit the following PostgreSQL configuration file.

```
pg_hba.conf
```

Add the following line.

```
hostssl cm ${POSTGRES_USER} <host> scram-sha-256
```

Where <host> is the IP address of the Cryptographic Security Platform host. Note that pg_hba.conf expects an IP address to carry a CIDR mask (for a single host, append /32 to an IPv4 address or /128 to an IPv6 address), that rules are matched top to bottom with the first match winning, so this line must precede any broader host rule that also covers the cm database, and that hostssl only matches TLS connections, so the server must have ssl enabled in postgresql.conf.
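The following script is an added example (it is not Entrust or PostgreSQL code) that audits a pg_hba.conf file against the restriction described above. It parses the rule format (TYPE DATABASE USER ADDRESS [NETMASK] METHOD) and, for one database, flags every rule that accepts non-TLS transport, covers more than a single client address, or uses a weak authentication method. The sample file embedded in it is constructed for the demonstration; the database name cm and the user cm_user are placeholders.

```python
"""Audit pg_hba.conf rules that grant network access to a PostgreSQL database.

Added example; not Entrust or PostgreSQL code.  It parses the pg_hba.conf
rule format (TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]) and, for
one database, flags every rule that accepts non-TLS transport, covers more
than a single client address, or uses a weak authentication method.
"""
import ipaddress

# Methods a hardened deployment should not accept for network clients:
# trust = no authentication, password = cleartext, md5 = legacy hash
WEAK_METHODS = {"trust", "password", "md5"}

NETWORK_TYPES = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def _as_ip(text):
    """Parse text as an IPv4/IPv6 address, or return None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_hba_rule(line):
    """Return a dict for one rule, or None for blank and comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if fields[0] == "local":
        if len(fields) < 4:
            raise ValueError(f"malformed local rule: {line!r}")
        return {"type": "local", "database": fields[1], "user": fields[2],
                "address": None, "method": fields[3]}
    if len(fields) < 5:
        raise ValueError(f"malformed host rule: {line!r}")
    rule = {"type": fields[0], "database": fields[1], "user": fields[2]}
    address, rest = fields[3], fields[4:]
    if address == "all":
        rule["address"] = "all"
    elif "/" in address:
        rule["address"] = ipaddress.ip_network(address, strict=False)
    elif _as_ip(address) is not None:
        # A bare IP address must be followed by a separate netmask field;
        # pg_hba.conf rejects the line otherwise.
        if not rest or _as_ip(rest[0]) is None:
            raise ValueError(f"IP address without CIDR suffix or netmask: {line!r}")
        rule["address"] = ipaddress.ip_network((address, rest[0]), strict=False)
        rest = rest[1:]
    else:
        rule["address"] = address          # samehost, samenet or a DNS name
    if not rest:
        raise ValueError(f"missing authentication method: {line!r}")
    rule["method"] = rest[0]
    return rule


def _applies_to(rule, database):
    names = rule["database"].split(",")
    return "all" in names or database in names


def audit_hba(text, database):
    """Return [{'line': n, 'rule': str, 'issues': [...]}] for weak rules on `database`."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        rule = parse_hba_rule(line)
        # Unix-socket rules are outside the scope of network restrictions
        if rule is None or rule["type"] == "local" or not _applies_to(rule, database):
            continue
        issues = []
        if rule["type"] != "hostssl":
            issues.append(f"transport: '{rule['type']}' accepts connections without TLS")
        addr = rule["address"]
        if addr == "all":
            issues.append("address: any client address")
        elif isinstance(addr, NETWORK_TYPES):
            if addr.prefixlen < addr.max_prefixlen:
                issues.append(f"address: range {addr} is wider than a single host")
        elif addr != "samehost":
            issues.append(f"address: '{addr}' is not a single IP address")
        if rule["method"] in WEAK_METHODS:
            issues.append(f"auth: '{rule['method']}' is a weak method; use scram-sha-256")
        if issues:
            findings.append({"line": number, "rule": line.strip(), "issues": issues})
    return findings


# Constructed sample file, not taken from any real deployment
SAMPLE_HBA = """\
# TYPE   DATABASE  USER     ADDRESS                    METHOD
local    all       all                                 peer
host     all       all      0.0.0.0/0                  md5
hostssl  cm        cm_user  192.0.2.10/32              scram-sha-256
host     cm        cm_user  192.0.2.0  255.255.255.0   trust
hostssl  other     other    203.0.113.5/32             scram-sha-256
"""

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA, "cm"):
        print(f"line {finding['line']}: {finding['rule']}")
        for issue in finding["issues"]:
            print(f"    - {issue}")
```

Run against the real file with `audit_hba(open("/path/to/pg_hba.conf").read(), "cm")`; an empty result means every rule reaching the cm database requires TLS from a single address with SCRAM authentication. The parser deliberately raises on a bare IP address without a mask, because PostgreSQL refuses such a line at reload time.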
Database TLS certificate
In TLS-protected connections with the database, the TLS certificate of the database must include the IP address or hostname that Cryptographic Security Platform will use to connect to the database. Use one of the following:

- Set the hostname or IP address in the CN attribute of the certificate subject.
- Set the hostname in a SAN attribute of the dNSName type.
- Set the IP address in a SAN attribute of the iPAddress type.

Entrust solutions in production mode should always be configured to enforce SSL-protected connections with the database.
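The following script is an added example (not Entrust or PostgreSQL code) of checking, before the database certificate is issued, that it covers every name or address the platform might connect with. It models the matching rules the PostgreSQL client library libpq documents for sslmode=verify-full: a hostname is compared with the dNSName SANs (a leading asterisk matches exactly one label) and the CN is consulted only when the certificate has no dNSName SAN at all; an IP address is compared with the iPAddress SANs and the CN is consulted only when there is no iPAddress SAN. The practical caveat this shows is that once a SAN of the matching type is present, the CN is ignored, so a hostname placed only in the CN of a certificate that also carries dNSName SANs does not validate. The certificate is supplied as an already-parsed description (CN plus SAN lists), and the sample values are constructed.

```python
"""Does a database TLS certificate cover the name or address the client will use?

Added example; not Entrust or PostgreSQL code.  It models the name-matching
rules libpq documents for sslmode=verify-full:
  - a host name is matched against dNSName SANs, where a leading '*' matches
    exactly one label; the subject CN is consulted only when the certificate
    has no dNSName SAN at all;
  - an IP address is matched against iPAddress SANs; the CN is consulted only
    when the certificate has no iPAddress SAN at all.
The certificate is supplied as an already-parsed description (CN plus SAN
lists), which is what a certificate parser would hand back.
"""
import ipaddress


def _as_ip(text):
    """Parse text as an IPv4/IPv6 address, or return None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, name):
    """Compare a dNSName/CN pattern with a host name, case-insensitively.

    A pattern starting with '*.' matches one leading label only, so
    '*.db.example' covers 'n1.db.example' but not 'a.n1.db.example'.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".db.example"
        if not name.endswith(suffix):
            return False
        head = name[: -len(suffix)]
        return head != "" and "." not in head
    return pattern == name


def cert_covers_target(cert, target):
    """Return True if `target` (host name or IP text) validates against `cert`.

    `cert` is a dict: {"cn": str or None, "dns_sans": [str], "ip_sans": [str]}.
    """
    ip = _as_ip(target)
    cn = cert.get("cn")
    if ip is not None:
        if cert.get("ip_sans"):
            # iPAddress SANs present: the CN is ignored entirely
            return any(_as_ip(san) == ip for san in cert["ip_sans"])
        # Fallback: the CN must itself be the same address (compared here as
        # parsed addresses; libpq compares the text, which is stricter)
        return cn is not None and _as_ip(cn) == ip
    if cert.get("dns_sans"):
        # dNSName SANs present: the CN is ignored entirely
        return any(_dns_match(san, target) for san in cert["dns_sans"])
    return cn is not None and _dns_match(cn, target)


def uncovered_targets(cert, targets):
    """Return the connection targets the certificate would fail to validate.

    Pass every host name and IP address the platform might be configured
    with and extend the SAN list until the result is empty.
    """
    return [t for t in targets if not cert_covers_target(cert, t)]


# Constructed certificate description, not from any real deployment
SAMPLE_CERT = {
    "cn": "db.internal.example",
    "dns_sans": ["db.internal.example", "*.db.example"],
    "ip_sans": ["192.0.2.20"],
}

if __name__ == "__main__":
    targets = ["db.internal.example", "n1.db.example", "192.0.2.20",
               "192.0.2.21", "a.n1.db.example"]
    print(uncovered_targets(SAMPLE_CERT, targets))
```

For a real certificate, feed the function the CN and SAN entries printed by `openssl x509 -noout -subject -ext subjectAltName`; the list it returns is exactly the set of connection strings that would fail certificate validation.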
Database names
In the Certificate Manager database, names should not use uppercase letters to avoid case sensitivity problems. Unquoted identifiers in SQL syntax are converted to lowercase, which can lead to problems when mapping to a name with uppercase letters.