Connecting with PostgreSQL Client
This page describes specific database client requirements when connecting to databases using the PostgreSQL database protocol.
Supported PostgreSQL Protocol Versions
The PrivX database proxy supports the latest PostgreSQL protocol version 3.
Supported Configurations
PostgreSQL databases can be configured as a host DB service in PrivX in three different ways:
Protocol: PostgreSQL and Account Type: Explicit
With this configuration:
- PrivX authenticates the database client connection with the PrivX user password
- PrivX injects the target database user credentials into the protocol stream
- PrivX session records the decrypted PostgreSQL protocol stream after the authentication phase has completed
- The psql client is required to use TLS
Protocol: PostgreSQL and Account Type: User-defined
With this configuration:
- PrivX forwards the target database user credentials provided by the end user to the database server
- PrivX session records the decrypted PostgreSQL protocol stream after the authentication phase has completed
- The psql client is required to use TLS
Protocol: Passthrough and Account Type: User-defined
With this configuration:
- PrivX forwards the unmodified raw protocol stream
- The target database user credentials provided by the end user are sent in the protocol stream
- PrivX session records the raw protocol stream. If the database client and server use TLS, the session recording will contain the encrypted protocol stream. If the database client and server use unencrypted connections, any database user credentials provided by the client may end up in the session recordings, unless a proper value for Skip Audit (Bytes) is configured for the host DB service.
Enabling TLS Server Certificate Validation
By default, the psql client uses the sslmode=prefer setting. With this setting, the server TLS certificate is not validated. To enable server TLS certificate validation, use sslmode=verify-ca or sslmode=verify-full, and make the psql client trust the "PrivX Database Proxy CA".
To connect the psql client to the target database through PrivX using sslmode=verify-full:
- Copy the "PrivX Database Proxy CA" certificate from the PrivX UI under Monitoring -> Certificates and store the CA certificate in a file (for example privx-db-proxy-ca.pem)
- Configure the psql client to verify the server TLS certificate and to trust the CA:
$ psql "port=5432 host=localhost user=dbuser sslrootcert=privx-db-proxy-ca.pem sslmode=verify-full"
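A pre-flight check for the sslmode behaviour described above, added here as an example (not PrivX or PostgreSQL project code). The function names are hypothetical; PGSSLMODE, PGSSLROOTCERT and the ~/.postgresql/root.crt fallback are the libpq defaults assumed when a keyword is absent, and any mode other than verify-ca or verify-full is treated as not validating.

```shell
# Added example: audit a libpq connection string before handing it to psql.
# Handles the space-separated keyword=value form used on this page only.

# conninfo_get KEYWORD CONNINFO: print the keyword's value, or nothing.
conninfo_get() {
    _val=""
    set -f                                  # no globbing while word-splitting
    for _pair in $2; do
        case $_pair in
            "$1"=*) _val=${_pair#*=} ;;     # a repeated keyword: keep the last
        esac
    done
    set +f
    printf '%s' "$_val"
}

# Effective sslmode: conninfo value, else PGSSLMODE, else the default "prefer".
effective_sslmode() {
    _mode=$(conninfo_get sslmode "$1")
    [ -n "$_mode" ] || _mode=${PGSSLMODE:-prefer}
    printf '%s' "$_mode"
}

# Returns 0 if the server certificate will be validated against a usable CA
# file, 1 if the sslmode does not validate, 2 if the CA file is unusable.
audit_conninfo() {
    _mode=$(effective_sslmode "$1")
    case $_mode in
        verify-ca|verify-full) ;;
        *) echo "FAIL: sslmode=$_mode does not validate the server certificate"
           return 1 ;;
    esac
    _ca=$(conninfo_get sslrootcert "$1")
    [ -n "$_ca" ] || _ca=${PGSSLROOTCERT:-$HOME/.postgresql/root.crt}
    # Only checks for a PEM certificate marker, not the certificate itself.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$_ca" 2>/dev/null; then
        echo "FAIL: sslrootcert=$_ca is missing or not a PEM certificate"
        return 2
    fi
    echo "OK: sslmode=$_mode, trusting CA file $_ca"
}

# Constructed samples: the page's verify-full string and one with no sslmode.
for _c in \
    "port=5432 host=localhost user=dbuser sslrootcert=privx-db-proxy-ca.pem sslmode=verify-full" \
    "port=5432 host=localhost user=dbuser"
do
    audit_conninfo "$_c" || true
done
```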