Feature Request
Resolution: Unresolved
Normal
2.4
1. What is the nature and description of the request?
The customer wants to change the ciphers and to have the ability to change them from the inventory file, for example through a parameter such as "pg_ssl_ciphers".
2. Why does the customer need this? (List the business requirements here)
We have changed the ciphers on the development hosts. This resolved the security vulnerability. However, setting this cipher configuration manually will cause it to be reset after each update/patch of the AAP platform. I have checked these settings in the AAP installer/setup script. The postgresql.conf and the pg_hba.conf configuration files are overwritten during the installer process using a Jinja2 template. The installer will always reset the options when they are manually set. In my request, I propose to include the ability to configure the ciphers and maybe more options (pg_hba, listen address etc.) using inventory variables when executing the AAP installer. This way, the default setup can be used for customers that do not have the requirement to adjust the settings. As the PostgreSQL configuration files are already rendered using Jinja2 templates, this can be implemented easily (i.e. exactly like the other pg_XXXX variables in the inventory).
Already told them that they can refer to and customize the ssl_ciphers manually under /var/lib/pgsql/data/postgresql.conf as per their environment requirements.
Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms
https://access.redhat.com/articles/3642912
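A drift check for the problem described in the request (a manually set ssl_ciphers value being reset when the installer re-renders postgresql.conf), as an added example that is not part of the ticket or of the AAP installer. The required cipher string and both sample files are constructed; include files and postgresql.auto.conf are not read.

```python
import re

# One postgresql.conf setting: name, optional "=", then a quoted or bare value.
_SETTING = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][\w.]*)\s*=?\s*
        (?:'(?P<quoted>(?:[^'\\]|''|\\.)*)'|(?P<bare>[^\s#']+))\s*(?:\#.*)?$""",
    re.VERBOSE,
)

def effective_setting(conf_text, name):
    """Return the value this file sets for `name`, or None if it is unset.
    Names are case-insensitive and the last occurrence in the file wins."""
    value = None
    for line in conf_text.splitlines():
        m = _SETTING.match(line)  # commented-out lines never match
        if m and m.group("name").lower() == name.lower():
            if m.group("quoted") is not None:
                # '' and \' both stand for a literal quote inside a quoted value
                value = m.group("quoted").replace("''", "'").replace("\\'", "'")
            else:
                value = m.group("bare")
    return value

def cipher_drift(conf_text, required):
    """Compare the effective ssl_ciphers with the required string.
    Returns (ok, found); found is None when the file leaves the server default."""
    found = effective_setting(conf_text, "ssl_ciphers")
    return (found == required, found)

# Constructed policy string, standing in for whatever the site requires.
REQUIRED = "ECDHE+AESGCM:!aNULL"

# Constructed sample: file after manual hardening (later line overrides earlier).
SAMPLE_HARDENED = """ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_ciphers = 'ECDHE+AESGCM:!aNULL'   # set by hand
"""

# Constructed sample: file after a re-render dropped the manual setting.
SAMPLE_RESET = """ssl = on
#ssl_ciphers = 'ECDHE+AESGCM:!aNULL'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
"""

if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_HARDENED), ("reset", SAMPLE_RESET)):
        ok, found = cipher_drift(text, REQUIRED)
        print(f"{label}: {'OK' if ok else 'DRIFT'} (ssl_ciphers={found!r})")
```

Run against the real file after each installer run by passing its contents as `conf_text`; a `found` of `None` means the file leaves ssl_ciphers at the server default.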