PGX 20.1.1
Documentation

Distributed Server Handshaking

Prepare a Keystore for Secured Handshaking

PGX Distributed Server uses TLS-PSK based secure handshaking, which needs a keystore holding a secret. The secret is used as a token for symmetric encryption and decryption of messages between the servers, so every node of the cluster must hold the same keystore, and anyone able to read it holds the cluster's shared secret. The server requires the keystore in PKCS12 format.

Pre-Shared Key

Create the keystore once and copy it to every machine of your cluster, keeping its file permissions restrictive on each machine.

  1. To obtain a keystore in PKCS12 format, first create a Java keystore with the keytool program. For example,

    keytool -genkey -alias pgx -keyalg RSA -keystore keystore.jks
    

    This creates the Java keystore keystore.jks; keytool prompts for the keystore password and the certificate's distinguished name.

  2. Convert the Java Keystore into PKCS12 format.

    keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcalias pgx \
    -srcstoretype jks -deststoretype pkcs12
    

If a password is set on the keystore, the server prompts for it at start-up. PGX Distributed Server also supports an auto-start option that starts the server without prompting, provided the keystore has no password set.

  1. To create a keystore without a password, extract the private key and the certificate from the password-protected keystore (keystore.p12 from the previous step, called keystore_passwd.p12 below) in PEM format. For example,

    openssl pkcs12 -in keystore_passwd.p12 -nokeys -out cert.pem
    openssl pkcs12 -in keystore_passwd.p12 -nodes -nocerts -out key.pem
    
  2. Then create the passwordless keystore with the following commands. Leave the password unset by entering an empty passphrase at the openssl export prompt. Note that -nodes writes key.pem with the private key unencrypted: create these PEM files with restrictive permissions, delete them once keystore_nopw.p12 exists, and protect keystore_nopw.p12 itself with file permissions, since it now carries the cluster secret without any password.

    cat key.pem cert.pem > key_cert.pem
    openssl pkcs12 -export -in key_cert.pem -out keystore_nopw.p12
    

Configuration

Set secure_handshake_secret_file in pgxd.conf to the absolute path of the keystore (keystore.p12 or keystore_nopw.p12) on that machine.