When deployed, Validation Authority imposes the following requirements on the third-party database.
Database management system
Validation Authority supports the following Database Management Systems (DBMS).
| DBMS | Version |
|---|---|
| Oracle | 21.3.0 |
| PostgreSQL | 17.5 |
| Microsoft SQL Server | 2022 CU13 |
Database storage
Allow 75 MB of database storage for every 100,000 certificates managed by the Validation Authority solution.
This figure is approximate, because the size of each certificate depends on factors such as the key algorithm and the extensions it carries.
Database platform
Check the DBMS documentation for the requirements of each DBMS on each platform. For PostgreSQL, we recommend the official Docker image, which already ships the extensions listed below:
https://hub.docker.com/_/postgres
If you are not using this Docker image, ensure that the following extensions (all part of the PostgreSQL contrib modules) are installed.
| Extension | Description |
|---|---|
| lo | Large objects extension |
| pg_trgm | Trigram matching for string search |
| uuid-ossp | Universal unique ID generation |
To install the PostgreSQL extensions
- On the server hosting the database, install the contrib package. The command shows the PGDG package name for RHEL-family systems; use the equivalent package for your distribution.

  ```shell
  sudo dnf install postgresql17-contrib
  ```

- Connect to the database as a user with permission to create extensions. Any user with the CREATE privilege on the database, such as its owner, is enough for these three, because PostgreSQL marks them as trusted extensions.

  ```shell
  psql -d <db_name> -U <username>
  ```

- Run the following SQL commands to install the extensions. The quotes are required for uuid-ossp, because a hyphen is not valid in an unquoted identifier; for the other two they are harmless.

  ```sql
  CREATE EXTENSION IF NOT EXISTS "lo";
  CREATE EXTENSION IF NOT EXISTS "pg_trgm";
  CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
  ```

- Run the following SQL command to check that the extensions are installed. All three rows must show a non-NULL installed_version: a NULL value means the extension is available on the server but has not been created in this database, and a missing row means the contrib package is not installed.

  ```sql
  SELECT name, installed_version FROM pg_available_extensions WHERE name IN ('lo', 'pg_trgm', 'uuid-ossp');
  ```
Database user permissions
The database user must have permissions on the public schema of the Validation Authority database. The default permissions are sufficient when, as in the example below, the user creates the database itself: the database owner keeps the CREATE privilege on the public schema even on PostgreSQL 15 and later, where that privilege is no longer granted to every user by default. For example, to create a PostgreSQL database user with sufficient permissions, connect with psql as the default postgres superuser and execute the following commands.

```sql
CREATE ROLE ${POSTGRES_USER} LOGIN NOSUPERUSER CREATEDB PASSWORD '${POSTGRES_PWD}';
\c postgres ${POSTGRES_USER}
CREATE DATABASE ${POSTGRES_DB};
\c ${POSTGRES_DB} ${POSTGRES_USER}
CREATE EXTENSION IF NOT EXISTS pg_trgm;
```

Where:
- ${POSTGRES_USER} is the database user name.
- ${POSTGRES_PWD} is the database user password.
- ${POSTGRES_DB} is the database name.

The last statement installs pg_trgm as the new user; install the other required extensions (lo and uuid-ossp) in the same way.
Database allowed incoming connections
Restrict incoming database connections to those originating from the PKI Hub host.
To restrict incoming connections on a PostgreSQL database
- Edit the PostgreSQL client authentication file, pg_hba.conf (its path is returned by SHOW hba_file;), and add the following line. Rules are evaluated in order and the first match wins, so place it before any broader rule that also matches this database, and remove or narrow such rules (for example, a host all all 0.0.0.0/0 rule).

  ```
  hostssl ${POSTGRES_DB} ${POSTGRES_USER} <host>/32 scram-sha-256
  ```

  Where
  - ${POSTGRES_DB} is the database name.
  - ${POSTGRES_USER} is the database user name.
  - <host> is the IP address of the PKI Hub host. The /32 prefix limits the rule to that single IPv4 address; use /128 for an IPv6 address.
- hostssl matches only TLS connections, so ssl = on must be set in postgresql.conf and the server must be configured with a certificate and key. scram-sha-256 requires that the user's password was stored with password_encryption = scram-sha-256, which is the default since PostgreSQL 14.
- Reload the server configuration for the change to take effect, with SELECT pg_reload_conf(); or pg_ctl reload.
Database supported number of connections
The Validation Authority database must support 192 connections per cluster.
To calculate the number of connections your database must support, add the connections required by the cluster to those required by any other installed solution that shares the database server. For PostgreSQL, set this total as the max_connections parameter in postgresql.conf and restart the server, because max_connections cannot be changed with a reload. Leave headroom for superuser_reserved_connections (3 by default), which are taken out of max_connections and are not available to ordinary roles such as the Validation Authority database user.
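As an added example (not part of Validation Authority or of PostgreSQL), the following Python script statically audits a pg_hba.conf and a postgresql.conf against the two requirements in this section: that only the PKI Hub host can reach the database, over TLS with scram-sha-256, and that max_connections leaves the 192 connections the cluster needs. The database name va_db, the user va_user, the address 10.20.30.40 and the sample configuration files are constructed for the demonstration.

```python
"""Static audit of pg_hba.conf and postgresql.conf against this page's requirements."""
import ipaddress
import shlex

REQUIRED_CONNECTIONS = 192                    # per cluster, from this page
WEAK_METHODS = {"trust", "password", "md5"}   # unauthenticated or obsolete


def parse_hba(text):
    """Network rules of pg_hba.conf as dicts; 'address' is an ip_network for IP rules
    and the raw string for host names or keywords. local (socket) rules are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = shlex.split(raw.split("#", 1)[0])
        if len(f) < 5 or not f[0].startswith("host"):
            continue                          # blank, comment, local, malformed
        try:
            address = ipaddress.ip_network(f[3], strict=False)
            if "/" not in f[3] and len(f) >= 6:   # two-column ADDRESS NETMASK form
                address = ipaddress.ip_network((f[3], f[4]), strict=False)
                del f[4]
        except ValueError:
            address = f[3]                    # host name, 'all', 'samehost', ...
        rules.append(dict(line=lineno, type=f[0], database=f[1], user=f[2],
                          address=address, method=f[4]))
    return rules


def _matches(field, name):
    return field == "all" or name in field.split(",")


def audit_hba(text, db, user, hub_ip):
    """Findings for rules that reach `db` from anything but the single PKI Hub address,
    without hostssl, or with a weak method, plus one if the pinned rule is absent."""
    hub = ipaddress.ip_address(hub_ip)
    findings, pinned = [], False
    for r in parse_hba(text):
        if not _matches(r["database"], db):
            continue                          # rule is for other databases only
        where = f"line {r['line']} ({r['type']} {r['database']} {r['user']})"
        net = r["address"]
        if isinstance(net, str):
            findings.append(f"{where}: address '{net}' is not an IP range pinned to the PKI Hub")
            continue
        if net.version != hub.version or hub not in net:
            findings.append(f"{where}: grants access from {net}, not the PKI Hub host")
            continue
        if net.num_addresses > 1:
            findings.append(f"{where}: {net} is wider than the single host {hub}")
        if r["type"] != "hostssl":
            findings.append(f"{where}: '{r['type']}' does not require TLS")
        if r["method"] in WEAK_METHODS:
            findings.append(f"{where}: method '{r['method']}' is weak or unauthenticated")
        if ((r["type"], r["method"]) == ("hostssl", "scram-sha-256")
                and net.num_addresses == 1 and _matches(r["user"], user)):
            pinned = True
    if not pinned:
        findings.append(f"missing: hostssl {db} {user} {hub}/{hub.max_prefixlen} scram-sha-256")
    return findings


def parse_conf(text):
    """Minimal postgresql.conf parser (key = 'value'; no '#' inside quotes)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip("'\"")
    return settings


def audit_conf(text, required=REQUIRED_CONNECTIONS):
    """hostssl rules need ssl = on; max_connections must leave `required` slots
    after superuser_reserved_connections (PostgreSQL defaults: 100 and 3)."""
    s = parse_conf(text)
    findings = []
    if s.get("ssl", "off").lower() not in ("on", "true", "yes", "1"):
        findings.append("ssl is off: hostssl rules never match, so the PKI Hub cannot connect")
    usable = int(s.get("max_connections", 100)) - int(s.get("superuser_reserved_connections", 3))
    if usable < required:
        findings.append(f"max_connections leaves {usable} usable connections, {required} required")
    return findings


# Constructed sample files; va_db, va_user and 10.20.30.40 are hypothetical.
SAMPLE_HBA = """\
local   all       postgres                  peer
hostssl va_db     va_user  10.20.30.40/32   scram-sha-256
host    all       all      0.0.0.0/0        md5
hostssl va_db     all      10.20.0.0/16     trust
hostssl other_db  app      192.168.1.0/24   scram-sha-256
"""
SAMPLE_CONF = "listen_addresses = '*'\nssl = off\nmax_connections = 100  # default\n"

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA, "va_db", "va_user", "10.20.30.40") + audit_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against copies of the live files (SHOW hba_file; and SHOW config_file; return their paths) before reloading. Every rule that matches the database is judged on its own, without modelling first-match ordering, so a permissive rule is reported even when a stricter one precedes it; when hardening, that is the behaviour you want.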
Database TLS certificate
RFC 2818 (section 3.1) deprecates matching the server host name against the Common Name (CN) of the certificate Subject. TLS clients match it against the Subject Alternative Name (SAN) extension instead: dNSName entries for host names and iPAddress entries for IP addresses.
TLS certificate validation therefore fails if the host name or IP address that the PKI Hub uses to reach the database is not present in the SAN, even if it appears in the Common Name. Issue the database server certificate with a SAN that contains every name and address through which the database is reached.