
TechNote: PostgreSQL hardening for Daml for PSQL

nycnewmanOP
Mar 2021

Based on our previous Secure DAML Infra example, here we detail how to perform some “hardening” steps for daml-for-postgresql including:

  • Creating a new PSQL account and database for the ledger and not using the default Admin
  • Enabling and enforcing strong authentication and TLS for PSQL connection
  • Some notes on CIS Benchmark and application to Docker image

digital-asset/ex-secure-daml-infra/blob/ceb1225f937d5dc3a8cbc88e836208477c6530bc/Documentation/technote-postgresql.md

# TechNote: Hardening PostgreSQL for TLS and default authentication options

In this document we look at how to lock down access to PostgreSQL database connections. We use the PostgreSQL 12 Docker images as the
basis for this configuration. It also assumes you are using the full example reference app in this repo, which implements a sample
two-tier PKI CA hierarchy.

The lockdown steps include the following:

- Docker startup
- Enable TLS certificates on the server side
- Initialisation of the PostgreSQL database on first use
  - initialisation scripts
  - Create a non-superuser user and separate database
- Enable JDBC TLS and client certs
  - Convert keys to DER format: