My Postgres DB in GCP (Google Cloud Platform) only accepts connections over SSL.
I tried the below inside my node.conf without any success:

dataSourceProperties {
    dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
    dataSource.url = "jdbc:postgresql://db-private-ip:5432/my_node"
    dataSource.ssl = true
    dataSource.sslMode = verify-ca
    dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
    dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
    dataSource.sslKey = "/opt/corda/db-certs/client-key.pem"
    dataSource.user = my_node_db_user
    dataSource.password = my_pass
}

I'm sure that the keys (sslMode, sslRootCert, sslCert, and sslKey) are acceptable in node.conf (even though they are not mentioned anywhere in Corda docs), because in the logs I didn't get any errors that those keys are not recognized.
I get this error when I try to start the node:

[ERROR] 21:58:48+0000 [main] pool.HikariPool. - HikariPool-1 - Exception during pool initialization. [errorCode=zmhrwq, moreInformationAt=https://errors.corda.net/OS/4.3/zmhrwq]
[ERROR] 21:58:48+0000 [main] internal.NodeStartupLogging. - Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database.: Could not connect to the database. Please check your JDBC connection URL, or the connectivity to the database. [errorCode=18t70u2, moreInformationAt=https://errors.corda.net/OS/4.3/18t70u2]

I tried adding ?ssl=true to the end of the data source URL as suggested in (Azure Postgres Database requires SSL Connection from Corda) but that didn't fix the problem.

Also for the same values I'm able to use the psql client to connect my VM to the DB:

psql "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem hostaddr=db-private-ip user=some-user dbname=some-pass"
  • Is it OpenSource or Enterprise? Commented Dec 3, 2019 at 9:08
  • It's OpenSource. Commented Dec 3, 2019 at 13:34

1 Answer

Turns out the JDBC driver cannot read the key from a PEM file; it has to be converted to a DER file using:

openssl pkcs8 -topk8 -inform PEM -in client-key.pem -outform DER -nocrypt -out client-key.der

chmod 400 client-key.der
chown corda:corda client-key.der

More details here: https://github.com/pgjdbc/pgjdbc/issues/1364

So the correct config should look like this:

dataSourceProperties {
    dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
    dataSource.url = "jdbc:postgresql://db-private-ip:5432/db-name"
    dataSource.ssl = true
    dataSource.sslMode = verify-ca
    dataSource.sslRootCert = "/opt/corda/db-certs/server-ca.pem"
    dataSource.sslCert = "/opt/corda/db-certs/client-cert.pem"
    dataSource.sslKey = "/opt/corda/db-certs/client-key.der"
    dataSource.user = db-user-name
    dataSource.password = db-user-pass
}

1 Comment

Full details are here: blog.b9lab.com/…
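
Added example (not part of the answer or its comments, and not pgjdbc or Corda code): a preflight check that the file named by dataSource.sslKey has the shape the answer's `openssl pkcs8 -topk8 ... -outform DER -nocrypt` command produces and the owner-only permissions its `chmod 400` sets. The function names `classify_key` and `check_sslkey` are hypothetical, and the sample byte strings are constructed and contain no real key material.

```python
import os
import stat

# Constructed samples: correct DER structure, no real key material.
SAMPLE_PKCS8 = bytes.fromhex("300f020100300506032b6570040304012a")
SAMPLE_PKCS1 = bytes.fromhex("300602010002012a")
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(data):
    """Name the container format of private-key bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        outer, start, end = _tlv(data, 0)
        if outer != 0x30 or end > len(data):  # not a SEQUENCE, or truncated
            return "unknown"
        first, _, first_end = _tlv(data, start)
        if first == 0x30:  # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
            return "pkcs8-encrypted-der"
        if first != 0x02:  # every unencrypted form starts with INTEGER version
            return "unknown"
        second = _tlv(data, first_end)[0]
    except IndexError:
        return "unknown"
    # Tag after the version: SEQUENCE = PKCS#8, INTEGER = PKCS#1 RSA, OCTET STRING = SEC1 EC
    return {0x30: "pkcs8-der", 0x02: "pkcs1-rsa-der", 0x04: "sec1-ec-der"}.get(second, "unknown")

def check_sslkey(path):
    """Return the problems found with the file named by dataSource.sslKey."""
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    problems = []
    if kind != "pkcs8-der":
        problems.append(f"format is {kind}; expected unencrypted PKCS#8 DER")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # the answer's chmod 400 leaves only the owner's read bit
        problems.append(f"mode {mode:o} lets group or other users access the key")
    return problems
```

Running `check_sslkey` against the original client-key.pem reports the format problem that the node log hides behind the generic "Could not connect to the database" error.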
