Installing Deep Security Manager (DSM) on RHEL 7 using AWS RDS PostgreSQL 10.10 R1 with SSL enforced

    • Updated: 21 Oct 2020
    • Product/Version: Deep Security 12.0

Summary

When SSL is enforced on PostgreSQL (RDS), the installation of DSM on Red Hat Enterprise Linux (RHEL) 7 fails with the following error in server0.log:

Jan 24, 2020 1:14:54.912000000 AM [+0000] com.thirdbrigade.manager.core.Core processInitDatabase
WARNING: ThID:18|TID:0|TNAME:Primary|UID:-1|UNAME:|Unable to connect to the database. Retrying in 10 seconds.
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "172.19.20.37", user "postgres", database "postgres", SSL off
Details

Follow these steps:

  1. Do not enforce SSL on the RDS PostgreSQL instance yet, or disable it by setting rds.force_ssl to 0. You can find this setting in the AWS Console under RDS > Parameter Groups > (PostgreSQL.DB-Name); search for rds.force_ssl.

  2. Install DSM using the installer script file. Use this command:

    # bash Manager-Linux-12.0.383.x64.sh -q -console -varfile install.properties

    Here is the content of our install.properties file.

    AddressAndPortsScreen.ManagerAddress=<type the DSM IP here>
    AddressAndPortsScreen.NewNode=True
    UpgradeVerificationScreen.Overwrite=False
    LicenseScreen.License.-1=<type the license here>
    DatabaseScreen.DatabaseType=PostgreSQL
    DatabaseScreen.Hostname=<type the database hostname or database endpoint FQDN here>
    DatabaseScreen.Transport=TCP
    DatabaseScreen.DatabaseName=<type the database name here>
    DatabaseScreen.Username=<type the database user account with necessary permission to database here>
    DatabaseScreen.Password=<type your preferred password here>
    AddressAndPortsScreen.ManagerPort=4119
    AddressAndPortsScreen.HeartbeatPort=4120
    CredentialsScreen.Administrator.Username=masteradmin
    CredentialsScreen.Administrator.Password=<type your preferred password here>
    CredentialsScreen.UseStrongPasswords=False
    SecurityUpdateScreen.UpdateComponents=True
    SecurityUpdateScreen.Proxy=False
    SecurityUpdateScreen.ProxyType=""
    SecurityUpdateScreen.ProxyAddress=""
    SecurityUpdateScreen.ProxyPort=""
    SecurityUpdateScreen.ProxyAuthentication="False"
    SecurityUpdateScreen.ProxyUsername=""
    SecurityUpdateScreen.ProxyPassword=""
    SoftwareUpdateScreen.UpdateSoftware=True
    SoftwareUpdateScreen.Proxy=False
    SoftwareUpdateScreen.ProxyType=""
    SoftwareUpdateScreen.ProxyAddress=""
    SoftwareUpdateScreen.ProxyPort=""
    SoftwareUpdateScreen.ProxyAuthentication="False"
    SoftwareUpdateScreen.ProxyUsername=""
    SoftwareUpdateScreen.ProxyPassword=""
    RelayScreen.Install=True
    SmartProtectionNetworkScreen.EnableFeedback=False

  3. Confirm that the DSM web console is accessible.
  4. Stop the DSM service using this command:

    # service dsm_s stop

  5. Stop the PostgreSQL RDS database instance, change the parameter rds.force_ssl to 1, then start the RDS DB again.

  6. In the file /opt/dsm/webclient/webapps/ROOT/WEB-INF/dsm.properties, add the following parameter:

    database.PostgreSQL.connectionParameters=ssl=true

    This will encrypt the communication between DSM and the database.

    (Reference: Encrypt communication between the Deep Security Manager and the database)

  7. Download the PEM file from AWS into /tmp, the path the next steps read it from, using this command:

    # wget -P /tmp https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

  8. Use the OpenSSL tool to convert the certificate from PEM to DER format. Use this command:

    # openssl x509 -outform der -in /tmp/rds-ca-2019-root.pem -out /tmp/rds-ca-2019-root.der

  9. Import the DER certificate into the DSM certificate keystore using this command:

    # /opt/dsm/jre/bin/keytool -import -alias rds-root -keystore /opt/dsm/jre/lib/security/cacerts -file /tmp/rds-ca-2019-root.der -storepass changeit

    <show certificate details>
    Trust this certificate? [no]: yes
    Certificate was added to keystore

  10. Once the certificate has been added to the keystore successfully, start the DSM service again using this command:

    # service dsm_s start

  11. Confirm that the DSM web console is accessible. If there are still issues accessing the console, check server0.log.
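
The checks behind steps 6 and 11 can be scripted. The following is an added example, not part of the original article or of Trend Micro's tooling: the function names are hypothetical and the sample files are constructed, with the log line copied from the error shown in the Summary.

```shell
#!/bin/sh
# Added example (not Trend Micro code): post-change checks for steps 6 and 11.

# Succeeds only if the last uncommented connectionParameters line carries ssl=true.
dsm_ssl_enabled() {
    grep -E '^[[:space:]]*database\.PostgreSQL\.connectionParameters[[:space:]]*=' "$1" |
        tail -n 1 | cut -d= -f2- |
        grep -Eq '(^|[^A-Za-z])ssl=true([^A-Za-z]|$)'
}

# Prints "host user database" for each connection PostgreSQL refused with
# "SSL off", the error the article shows when SSL is enforced on RDS.
ssl_off_rejections() {
    sed -n 's/.*no pg_hba\.conf entry for host "\([^"]*\)", user "\([^"]*\)", database "\([^"]*\)", SSL off.*/\1 \2 \3/p' "$1"
}

# Returns 0 only when ssl=true is configured and the log shows no SSL-off refusals.
postcheck() {   # usage: postcheck DSM_PROPERTIES SERVER_LOG
    rc=0
    dsm_ssl_enabled "$1" || { echo "ssl=true is not set in $1"; rc=1; }
    n=$(ssl_off_rejections "$2" | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "$n distinct client(s) refused with SSL off in $2"; rc=1; }
    return "$rc"
}

# Constructed sample input: a properties excerpt and a log in the article's format.
demo_dir=$(mktemp -d)
printf '%s\n' '#database.PostgreSQL.connectionParameters=ssl=false' \
    'database.PostgreSQL.connectionParameters=ssl=true' > "$demo_dir/dsm.properties"
cat > "$demo_dir/server0.log" <<'EOF'
WARNING: ThID:18|TID:0|TNAME:Primary|UID:-1|UNAME:|Unable to connect to the database. Retrying in 10 seconds.
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "172.19.20.37", user "postgres", database "postgres", SSL off
EOF
: > "$demo_dir/clean.log"   # constructed log with no refusals

postcheck "$demo_dir/dsm.properties" "$demo_dir/server0.log" || echo "post-check failed"
postcheck "$demo_dir/dsm.properties" "$demo_dir/clean.log" && echo "post-check passed"
```

On a real manager, pass /opt/dsm/webclient/webapps/ROOT/WEB-INF/dsm.properties and the server0.log written since the service was restarted in step 10.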

Category: Configure; Install
Solution Id: 000278360