Using OpenSSL with PostgreSQL 8.0
							2005-01-09 version 8.0
							2001-05-10 version 7.1
								Jun Kuwamura

  This is described in the PostgreSQL documentation:
http://www.postgresql.jp/document/pg800doc/html/ssl-tcp.html


  This assumes an environment in which OpenSSL-0.9.7e is installed and
PostgreSQL has been built with --with-openssl and installed.
The certificate and key are created with the openssl command.
(The OpenSSL configuration file can be specified with the OPENSSL_CONF environment variable.)


1. Create a certificate signing request for the self-signed certificate.
# 1. Create a quick self-signed certificate
#     the local host name as Common Name;
#     the challenge password can be left blank

  Run the following. Give the machine's host name as the "Common Name",
and just press return at the "challenge password" prompt without entering anything.

--
> openssl req -new -text -out server.req	<=
Generating a 1024 bit RSA private key
.....++++++
..++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: XXXXXXXXXXXXXXXXXXX			<= passphrase
Verifying password - Enter PEM pass phrase: XXXXXXXXXXXXXXXXXXX	<= (again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP				<=
State or Province Name (full name) [Some-State]:Yokohama	<=
Locality Name (eg, city) []:MinatoMirai				<=
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JPUG	<=
Organizational Unit Name (eg, section) []:Plamo			<=
Common Name (eg, YOUR name) []:mygres				<= host name
Email Address []:juk@yokohama.email.ne				<=

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:					<= leave blank
An optional company name []:					<=
--

This gives you the signing request and a private key with the default name
(privkey.pem).


2. Remove the passphrase from the private key.
# 2. Remove the passphrase
#  (as you must if you want automatic start-up of the postmaster)
#     enter the old passphrase
(This is required if you want the postmaster to start automatically.)

--
> openssl rsa -in privkey.pem -out server.key
read RSA key
Enter PEM pass phrase:			<= the passphrase used in step 1
writing RSA key
--


3. Turn the signing request into a self-signed certificate.
# 3. Turn the certificate into a self-signed certificate

--
> openssl req -x509 -in server.req -text -key server.key -out server.crt
--

  The files created so far:
> ls -ltr
	.....
-rw-r--r--    1 postgres pgsql        2166  1  9  19:55 server.req
-rw-r--r--    1 postgres pgsql         963  1  9  19:55 privkey.pem
-rw-r--r--    1 postgres pgsql         887  1  9  19:57 server.key
-rw-r--r--    1 postgres pgsql        3513  1  9  19:59 server.crt


4. Copy the key and certificate to where the postmaster will look for them.
# 4. copy the key and certificate to where the postmaster will look for

 By default this location is the directory used as $PGDATA.
 The private key's permissions are restricted to the owner only:

> cp server.key $PGDATA/server.key
> cp server.crt $PGDATA/server.crt
> chmod go-rwx $PGDATA/server.key


5. Change postgresql.conf to use SSL.
# 5. change postgresql.conf for using ssl

  The file is $PGDATA/postgresql.conf.
Below is the change made to postgresql.conf:
--
#listen_addresses = 'localhost'
#ssl = false
listen_addresses = '*'
ssl = true
--

6. Add an entry for hostssl-type connections to pg_hba.conf.
# 6. add entry for hostssl type connection

  The file is $PGDATA/pg_hba.conf.
Below is the entry added to pg_hba.conf:
--
hostssl	sameuser	all	192.168.1.0/24	md5
--
This allows every user connecting from a host on the 192.168.1.0/24 network
(class C) to access the database with the same name as the user, authenticated
with an md5-hashed password.
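As an added check that is not part of the original page, the following Python audit reads constructed sample copies of the two files edited in steps 5 and 6, confirms that ssl is enabled, and reports any pg_hba.conf record that still admits unencrypted or weakly authenticated remote connections. It assumes the CIDR address form used above (one address column), not the older separate-netmask form.

```python
"""Audit the postgresql.conf / pg_hba.conf SSL settings from steps 5 and 6."""
import re

# Constructed sample files (not taken from a real server). The last pg_hba
# record is a deliberate plain 'host' + 'trust' line to show what gets flagged.
POSTGRESQL_CONF = """
#listen_addresses = 'localhost'
#ssl = false
listen_addresses = '*'
ssl = true
"""

PG_HBA_CONF = """
local   all       all                       md5
hostssl sameuser  all   192.168.1.0/24     md5
host    all       all   10.0.0.0/8         trust
"""

def parse_conf(text):
    """Return the active (uncommented) key = value settings of postgresql.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / blanks
        m = re.match(r"(\w+)\s*=\s*'?([^']*)'?\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def parse_hba(text):
    """Return pg_hba.conf records as (type, database, user, address, method)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":                       # no address column
            records.append(("local", fields[1], fields[2], None, fields[3]))
        else:
            records.append(tuple(fields[:5]))
    return records

def audit(postgresql_conf, pg_hba_conf):
    """List settings that would let a remote client bypass SSL or strong auth."""
    findings = []
    if parse_conf(postgresql_conf).get("ssl", "false").lower() not in ("true", "on", "yes", "1"):
        findings.append("ssl is not enabled in postgresql.conf")
    for rec_type, _db, _user, addr, method in parse_hba(pg_hba_conf):
        if rec_type in ("host", "hostnossl"):          # 'host' also accepts plain TCP
            findings.append(f"{addr}: '{rec_type}' record, use 'hostssl'")
        if rec_type != "local" and method in ("trust", "password"):
            findings.append(f"{addr}: weak auth method '{method}', use 'md5'")
    return findings
```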

--
(c) 2001-2005 Jun Kuwamura
