When deployed, Certificate Manager adds the following database requirements.

Solution databases can be hosted on the same DBMS. However, do not merge tables from different solutions into a single database, as each solution requires a dedicated database. 

Database management system

Certificate Manager supports the following Database Management Systems (DBMS).

DBMS          Version
PostgreSQL    15+

Database storage

Size the database storage according to the volume of data you expect the solution to store, and leave headroom for growth.

Database platform

Check the DBMS documentation for the requirements of the DBMS on each platform. For PostgreSQL, we recommend the official Docker image:

https://hub.docker.com/_/postgres

The official image ships with the contrib modules, so the extensions below are available to create in the database. If you are not using this Docker image, make sure that the following extensions are installed and available to the Certificate Manager database.

Extension     Description
lo            Large objects extension
pg_trgm       Trigram matching for string search
uuid-ossp     Universal unique ID generation

To install the PostgreSQL extensions

  1. Run the following command on the server hosting the database. The package name below is the PostgreSQL Global Development Group (PGDG) package for RHEL-family systems; on other platforms, install the equivalent contrib package for PostgreSQL 15.
    sudo dnf install postgresql15-contrib
  2. Connect to the Certificate Manager database as a user with permissions to install extensions. Extensions are created per database, so connect to the Certificate Manager database itself, not to the default postgres database.
    psql -d <db_name> -U <username>
  3. Run the following SQL commands to install the extensions. The uuid-ossp name contains a hyphen, so it is not a valid unquoted identifier and must be double-quoted.
    CREATE EXTENSION IF NOT EXISTS lo;
    CREATE EXTENSION IF NOT EXISTS pg_trgm;
    CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
  4. Run the following SQL command to check that the extensions are installed in the current database. All three names must be returned; pg_extension lists the extensions installed in the database, whereas pg_available_extensions also lists extensions that are merely available for installation.
    SELECT extname, extversion FROM pg_extension WHERE extname IN ('lo', 'pg_trgm', 'uuid-ossp');

Database user permissions

The database user must have the CREATE and USAGE privileges on the public schema of the Certificate Manager database. In PostgreSQL 15 and later the public schema is no longer writable by every role by default, but the owner of a database does have these privileges, so the simplest approach is to let the database user create the database itself, as in the example below.

For example, to create a PostgreSQL database user with sufficient permissions, connect with psql as the default PostgreSQL superuser (postgres) and execute the following commands. Before doing so, check that SHOW password_encryption; returns scram-sha-256 (the default since PostgreSQL 14); otherwise the password is stored as an MD5 hash and the scram-sha-256 rule in pg_hba.conf rejects the user.

CREATE USER ${POSTGRES_USER} WITH NOSUPERUSER CREATEDB ENCRYPTED PASSWORD '${POSTGRES_PWD}';
\c postgres ${POSTGRES_USER}
CREATE DATABASE mydb;
\c mydb ${POSTGRES_USER}
CREATE EXTENSION IF NOT EXISTS pg_trgm;

Where:

  • ${POSTGRES_USER} is the database user name.
  • ${POSTGRES_PWD} is the database user password. If it contains a single quote, double it inside the literal ('') so that the statement is not cut short.
  • mydb is the Certificate Manager database name; use lowercase letters only (see Database names).

Create the lo and uuid-ossp extensions in the same way, as described under Database platform. All three are trusted extensions, so the database owner can create them without superuser rights.
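The following Python script is an added example, not Entrust's code, that renders the provisioning statements above as a psql script covering all three required extensions, with the quoting rules PostgreSQL applies: it double-quotes uuid-ossp, doubles single quotes inside the password literal, and refuses role and database names that would be case-folded. The role name, password and database name in the main block are hypothetical values.

```python
"""Render the provisioning statements above with PostgreSQL-correct quoting.

Added example; not part of the product. Run by the postgres superuser:
    python3 provision_sql.py > provision.sql && psql -U postgres -f provision.sql
The \\c lines switch to the new role, so psql prompts for its password
(or reads it from ~/.pgpass).
"""
import re
import sys

# Extensions listed under Database platform. "uuid-ossp" contains a hyphen,
# so it is not a valid unquoted identifier and must be double-quoted.
REQUIRED_EXTENSIONS = ("lo", "pg_trgm", "uuid-ossp")

# Unquoted identifiers are folded to lower case; the Database names section
# asks for names that need no quoting at all.
_SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_]*$")


def is_safe_name(name):
    """True if the identifier can be written unquoted without being altered."""
    return _SAFE_NAME.match(name) is not None


def quote_ident(name):
    """Double-quote an identifier unless it is safe as-is; embedded double
    quotes are doubled, as PostgreSQL's quote_ident() does."""
    if is_safe_name(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Quote a string literal. With standard_conforming_strings = on (the
    default) only the single quote is special, and it is doubled."""
    return "'" + value.replace("'", "''") + "'"


def provisioning_sql(user, password, dbname):
    """Return the psql script: role, database, extensions, verification."""
    for what, name in (("role name", user), ("database name", dbname)):
        if not is_safe_name(name):
            raise ValueError(f"{what} {name!r}: use lower-case letters, digits and _ only")
    lines = [
        "-- Run as the postgres superuser; assumes password_encryption = 'scram-sha-256'.",
        f"CREATE USER {user} WITH NOSUPERUSER CREATEDB PASSWORD {quote_literal(password)};",
        # The new role creates the database so that it owns it and therefore
        # owns the public schema (PostgreSQL 15 grants it to pg_database_owner).
        f"\\c postgres {user}",
        f"CREATE DATABASE {dbname};",
        f"\\c {dbname} {user}",
    ]
    # Extensions are per database, so they are created after connecting to it.
    # All three are trusted extensions (PostgreSQL 13+), so the database owner
    # can create them without superuser rights.
    lines += [f"CREATE EXTENSION IF NOT EXISTS {quote_ident(ext)};" for ext in REQUIRED_EXTENSIONS]
    names = ", ".join(quote_literal(ext) for ext in REQUIRED_EXTENSIONS)
    lines.append(f"SELECT extname, extversion FROM pg_extension WHERE extname IN ({names});")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical values. The password contains a single quote on purpose,
    # to show that it is escaped instead of terminating the literal early.
    sys.stdout.write(provisioning_sql("cmuser", "s3cr'et", "cm"))
```

The script writes the password into the SQL file, so treat that file as a secret and delete it after use; the shell-variable form used on this page has the same property.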

Database allowed incoming connections

Restrict incoming database connections to those originating from the Cryptographic Security Platform host. PostgreSQL evaluates the rules in pg_hba.conf in order and applies the first rule whose connection type, database, user and client address all match, so the restrictive rule must come before any broader rule, and rules that would admit other clients should be removed. Complement this with a host or network firewall rule for the PostgreSQL port.

To restrict incoming connections on a PostgreSQL database

  1. Edit the following PostgreSQL configuration file. Its location is shown by SHOW hba_file;.

    pg_hba.conf
  2. Add the following line before any other rule that could match the Certificate Manager database, and remove or comment out rules such as host all all 0.0.0.0/0 that would admit other clients.

    hostssl <db_name> ${POSTGRES_USER} <host>/32 scram-sha-256

    Where <db_name> is the Certificate Manager database name, ${POSTGRES_USER} is the database user, and <host> is the IPv4 address of the Cryptographic Security Platform host. For an IPv6 address use the /128 mask; a host name can be given instead of an address, without a mask. A bare IP address without a mask is rejected when the file is loaded. The hostssl type matches TLS connections only, so ssl must be on in postgresql.conf.
  3. Reload the configuration so that the change takes effect.

    SELECT pg_reload_conf();
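As an added example, not part of the product documentation, the following Python script audits a pg_hba.conf against the requirement above. It runs against a constructed sample file: it rejects the bare-IP line the way PostgreSQL does, treats the hostssl line for the database user and host as the intended rule, and reports the broad host all all rule that precedes it (and so would be matched first), its non-TLS type and md5 method, and a subnet-wide rule. The database name cm, role cmuser and address 10.0.0.5 are assumed values.

```python
"""Audit pg_hba.conf records for the Certificate Manager database.

Added example; not part of the product. PostgreSQL applies the FIRST record
whose type, database, user and client address all match, so a broad record
placed above the restrictive one silently wins. This script parses the host
records, validates address syntax and reports every record that admits more
than the Cryptographic Security Platform host and the database role with a
strong authentication method over TLS.
"""
import ipaddress

HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")
NON_TLS_TYPES = ("host", "hostnossl", "hostnogssenc")  # "host" matches TLS and plaintext
STRONG_METHODS = {"scram-sha-256", "cert"}
IPNetwork = (ipaddress.IPv4Network, ipaddress.IPv6Network)

# Constructed sample file; the audit output refers to its line numbers.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER    ADDRESS       METHOD
local   all       all                   peer
host    all       all     0.0.0.0/0     md5              # leftover default: broad, non-TLS, md5
hostssl cm        cmuser  10.0.0.5      scram-sha-256    # bare IP, no mask: PostgreSQL rejects it
hostssl cm        cmuser  10.0.0.5/32   scram-sha-256    # the rule this page asks for
hostssl cm        all     10.0.0.0/24   scram-sha-256    # whole subnet, any role
"""


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse host-type records. Returns (records, errors); errors are
    (lineno, message) pairs for lines PostgreSQL itself would reject."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in HOST_TYPES:
            continue  # blank, comment, local socket or unknown type
        if len(fields) < 5:
            errors.append((lineno, "incomplete host record"))
            continue
        rtype, db, user, addr, rest = fields[0], fields[1], fields[2], fields[3], fields[4:]
        net = None  # None: host name, samehost or samenet
        if addr == "all":
            net = "all"
        elif "/" in addr:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                errors.append((lineno, f"invalid CIDR address {addr!r}"))
                continue
        elif _is_ip(addr):
            # A bare IP needs a separate netmask field; otherwise PostgreSQL fails
            # to load the file ("invalid IP mask" / "end-of-line before netmask").
            if len(rest) < 2 or not _is_ip(rest[0]):
                errors.append((lineno, f"address {addr!r} has no /prefix and no netmask"))
                continue
            net = ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False)
            rest = rest[1:]
        records.append({"lineno": lineno, "type": rtype, "db": db, "user": user,
                        "addr": addr, "net": net, "method": rest[0]})
    return records, errors


def _matches(field, name):
    return field == "all" or name in field.split(",")


def _is_intended(r, user, cm_ip):
    """The record this page asks for: hostssl, the CM role only, exactly the CM host."""
    net = r["net"]
    return (r["type"] == "hostssl" and r["user"] == user and r["method"] in STRONG_METHODS
            and isinstance(net, IPNetwork) and net.num_addresses == 1 and cm_ip in net)


def audit(records, dbname, user, cm_host):
    """Return (lineno, finding) pairs for records that can match dbname."""
    cm_ip = ipaddress.ip_address(cm_host)
    relevant = [r for r in records if _matches(r["db"], dbname)]
    intended = next((i for i, r in enumerate(relevant) if _is_intended(r, user, cm_ip)), None)
    findings = []
    if intended is None:
        findings.append((0, f"no hostssl record restricting {dbname} to {user} from {cm_host}"))
    for i, r in enumerate(relevant):
        if i == intended:
            continue
        ln, net = r["lineno"], r["net"]
        if r["type"] in NON_TLS_TYPES:
            findings.append((ln, f"{r['type']} record admits plaintext connections to {dbname}"))
        if net == "all" or (isinstance(net, IPNetwork) and not (net.num_addresses == 1 and cm_ip in net)):
            findings.append((ln, f"address {r['addr']} admits hosts other than {cm_host}"))
        elif net is None:
            findings.append((ln, f"address {r['addr']} is a host name or keyword; check what it resolves to"))
        if r["user"] != user:
            findings.append((ln, f"user field {r['user']} is not limited to {user}"))
        if r["method"] not in STRONG_METHODS:
            findings.append((ln, f"weak or plaintext authentication method {r['method']}"))
        if intended is not None and i < intended:
            findings.append((ln, "listed before the intended rule, so it is matched first"))
    return findings


if __name__ == "__main__":
    recs, errs = parse_pg_hba(SAMPLE_PG_HBA)
    for ln, msg in errs + audit(recs, "cm", "cmuser", "10.0.0.5"):
        print(f"line {ln}: {msg}")
```

Run it against the real file with open(hba_path).read() in place of the sample; an empty findings list means only the intended rule can match the Certificate Manager database. Host-name addresses are reported for manual review because the script does not resolve names.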

Database supported number of connections

The Certificate Manager database must support 120 connections per cluster.

To calculate the number of connections your database must support, add the connections required by any other installed solution, the connections reserved for superusers (superuser_reserved_connections, 3 by default) and any connections used by monitoring or backup tools. For PostgreSQL, set this final value as the max_connections parameter in postgresql.conf; changing it requires a server restart.

Database names

In the Certificate Manager database, names should not use uppercase letters, to avoid case-sensitivity problems. Unquoted identifiers in SQL syntax are folded to lowercase, so CREATE DATABASE CertManager creates a database named certmanager, whereas CREATE DATABASE "CertManager" creates one that can only be reached by the quoted, mixed-case spelling; a configured name with uppercase letters may therefore fail to map to the database that actually exists.

Database TLS certificate

In TLS-protected connections with the database, the TLS certificate of the database must include the IP address or host name that Cryptographic Security Platform will use to connect to the database. Any of the following satisfies this requirement:

  • Set the host name or IP address in the CN attribute of the certificate subject.
  • Set the host name in a SAN attribute of the dNSName type.
  • Set the IP address in a SAN attribute of the iPAddress type.

Prefer the SAN forms: most TLS clients ignore the CN as soon as the certificate carries a SAN extension, so a certificate whose SAN names a different host is rejected even if its CN is correct. The value in the certificate must be the one used in the connection settings; a certificate issued for a host name does not match a connection made by IP address.

Entrust solutions in production mode should always be configured to enforce TLS-protected connections with the database and to verify the server certificate against a trusted CA. On the PostgreSQL side, set ssl = on and use only hostssl rules in pg_hba.conf so that plaintext connections are not accepted.
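To make the name-matching rules concrete, the following added example (not Entrust's code) implements the check that most TLS clients apply when verifying a server certificate against the configured host, using the dict format returned by Python's ssl getpeercert(). It demonstrates the caveat above: a certificate whose CN is correct but whose SAN names another host is rejected. The optional fetch_postgres_cert() function retrieves the certificate from a live server by sending PostgreSQL's SSLRequest message before the TLS handshake. The host names, addresses and the CA file path are assumed values, and the constructed certificates are sample inputs, not real certificates.

```python
"""Check that a database server certificate names the host that the
Cryptographic Security Platform will use to connect, following the rule most
TLS clients apply: if the certificate carries any dNSName or iPAddress SAN,
only the SANs are consulted and the subject CN is ignored; the CN is used
only when there are no such SANs. Added example; not part of the product.

Certificates are given in the dict form returned by ssl.SSLSocket.getpeercert(),
so the check can be run against a live server with fetch_postgres_cert().
"""
import ipaddress
import socket
import ssl
import struct

# Constructed sample certificates (not real ones) for the checks below.
CERT_SAN = {"subject": ((("commonName", "db.example.internal"),),),
            "subjectAltName": (("DNS", "db.example.internal"), ("IP Address", "10.0.0.7"))}
CERT_CN_ONLY = {"subject": ((("organizationName", "Example"),),
                            (("commonName", "db.example.internal"),))}
CERT_CN_SHADOWED = {"subject": ((("commonName", "db.example.internal"),),),
                    "subjectAltName": (("DNS", "other.example.internal"),)}
CERT_WILDCARD = {"subject": (), "subjectAltName": (("DNS", "*.example.internal"),)}


def _cn(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """Case-insensitive match; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_matches_target(cert, target):
    """target is the host name or IP address from the connection settings."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    sans = [(t, v) for t, v in cert.get("subjectAltName", ()) if t in ("DNS", "IP Address")]
    if sans:
        # SAN present: the CN is not consulted at all.
        for kind, value in sans:
            if kind == "DNS" and ip is None and _dns_match(value, target):
                return True
            if kind == "IP Address" and ip is not None:
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        return False
    cn = _cn(cert)
    if cn is None:
        return False
    if ip is not None:
        # Compare as addresses so that "::1" and "0:0:0:0:0:0:0:1" are equal.
        try:
            return ipaddress.ip_address(cn) == ip
        except ValueError:
            return False
    return _dns_match(cn, target)


def fetch_postgres_cert(host, port=5432, cafile=None, timeout=5.0):
    """Negotiate TLS with a PostgreSQL server and return its certificate dict.
    PostgreSQL does not speak TLS from the first byte: the client sends an
    SSLRequest message (length 8, code 80877103) and the server answers 'S'
    before the TLS handshake starts. The chain is verified against cafile (or
    the system store); the name check is left to cert_matches_target() so a
    mismatch can be reported explicitly."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(struct.pack("!ii", 8, 80877103))
        if raw.recv(1) != b"S":
            raise RuntimeError("server does not offer TLS (ssl = off in postgresql.conf)")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Assumed host and CA path; replace with the values from your connection settings.
    target, cafile = "db.example.internal", "/etc/ssl/certs/internal-ca.pem"
    cert = fetch_postgres_cert(target, cafile=cafile)
    print("name matches" if cert_matches_target(cert, target) else "NAME MISMATCH", cert)
```

The chain verification and the name check are deliberately separate here, so that a deployment with the right CA but a certificate issued for the wrong name fails on the name rather than appearing to be a trust problem.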