EnterpriseDB · nidhibhammar · Sep 26, 2024
@@ -0,0 +1,95 @@
+---
+title: "Regenerating the agent self-signed SSL certificates"
+
+redirects:
+- /pem/latest/managing_certificates/#updating-agent-ssl-certificates
+---
+
+You need to regenerate the agent certificates and key files:
+- If the PEM server certificates are regenerated
+- If the PEM agent certificates are near expiring
+
+You must regenerate a certificate and a key for each agent interacting with the PEM server and copy it to the agent.
+
+Each agent has a unique identifier that's stored in the pem.agent table of the pem database. You must replace the certificate and key files with the certificate or key files that corresponds to the agent's identifier. 
+
+Prerequisites:
+- PEM server has self-signed certificates.
+- `ca_certificate.crt` and `ca_key.key` are in the data directory of the PEM backend database server.
+- `ca_certificate.crt` is the same as `root.crt`.
+- `ca_certificate.crt` and `ca_key.key` are valid SSL certificates and keys. 
+
+To generate a PEM agent certificate and key file pair:
+
+1. Use psql to find the number of agents and their corresponding identifiers:
+
+   ```shell
+   # Running as enterprisedb
+   psql -p 5444 -U enterprisedb -d pem --no-psqlrc -t -A -c "SELECT id FROM pem.agent WHERE active=true"
+   ```
+
+1. Stop all the running PEM agents:
+
+   ```shell
+   # Running as root
+   systemctl stop pemagent
+   ```
+
+   On Windows, use the Services applet to stop the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select **Stop the service**.
+
+1. After identifying the agents that need key files, generate an `agent.key` for each agent:
+
+    ```shell
+    openssl genrsa -out agent<ID>.key 4096
+   ```
+
+   Where `ID` is the agent identifier.
+
+1. Generate a certificate signing request (CSR) for each agent:
+
+   ```shell
+   openssl req -new -key agent<ID>.key -out agent<ID>.csr -subj '/C=IN/ST=MH/L=Pune/O=PEM/CN=agent<ID>'
+   ```
+
+   Where `CN` is the `agent<ID>`.
+
+1. Use the `openssl x509` command to sign the CSR and generate an agent certificate:
+
+   ```shell
+   openssl x509 -req -days 365 -in agent<ID>.csr -CA ca_certificate.crt -CAkey ca_key.key -CAcreateserial -out agent<ID>.crt
+   ```
+
+   Where `-req` indicates the input is a CSR. The `-CA` and `-CAkey` options specify the root certificate and private key to use for signing the CSR.
+
+   Before generating the next certificate and key file pair, move the `agent.key` and `agent.crt` files generated in the steps 2 and 4 on their respective PEM agent host.
+
+1. Change the permission on the new `agent<ID>.crt` and `agent<ID>.key` file:
+
+   ```shell
+   chmod 600 agent<ID>.crt agent<ID>.key
+   ```
+
+1. Back up the old agent certificate and key files:
+
+   ```shell
+   mkdir root/.pem/certs
+   mv root/.pem/agent<ID>.* root/.pem/certs
+   ```
+
+1. Replace each agent's certificate and key file with the newly generated files: 
+
+   ```shell
+   cp agent<ID>.key agent<ID>.crt root/.pem
+   ```
+
+1. Start the PEM agent service.
+
+   - On Linux:
+
+     ```shell
+     # Running as root
+     systemctl start pemagent
+     ```
+
+    - On Windows:
+      Use the Services applet to start the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select **Start the service**.
@@ -0,0 +1,130 @@
+---
+title: "Regenerating the server self-signed SSL certificates"
+
+redirects:
+- /pem/latest/managing_certificates/#replacing-ssl-certificates
+---
+
+If the PEM backend database server certificates are near expiring, plan to regenerate the certificates and key files.
+
+To replace the self-signed SSL certificates:
+
+1. Stop all running PEM agents, first on the server host and then on any monitored host.
+   - On Linux: 
+
+     ```shell
+     # Running as root
+     systemctl stop pemagent
+     ```
+
+   - On Windows: 
+     Use the Services applet to stop the PEM agent. The PEM agent service is named Postgres Enterprise Manager Agent. In the Services dialog box, select the service name, and select **Stop the service**.
+
+1. Back up the existing SSL certificates and keys:
+
+    ```shell
+   cd /var/lib/edb/as<x>/data
+   mkdir certs
+   mv server.* root.* ca_* certs/
+   ```
+
+1. Use the `openssl` command to generate the `ca_key.key` file:
+
+   ```shell
+   openssl genrsa -out ca_key.key 4096 
+   ```
+
+1. Move the `ca_key.key` file to the data directory of the backend server, and change the permissions:
+
+   ```shell
+   mv ca_key.key /var/lib/edb/as<x>/data
+   chmod 600 /var/lib/edb/as<x>/data/ca_key.key
+   ```
+
+1. Use `ca_key.key` to generate the `ca_certificate.crt` file:
+
+   ```shell
+   openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout ca_key.key -out ca_certificate.crt
+   ```
+
+1. Change the permissions of the `ca_certificate.crt` file:
+
+   ```shell
+   chmod 600 /var/lib/edb/as<x>/data/ca_certificate.crt
+   ```
+
+1. Reuse the `ca_certificate.crt` file as the `root.crt` file:
+
+   ```shell
+   cp /var/lib/edb/as<x>/data/ca_certificate.crt /var/lib/edb/as<x>/data/root.crt
+   ```
+
+1. Change the owner and permissions on the `root.crt` file:
+
+   ```shell
+   chown enterprisedb /var/lib/edb/as<x>/data/root.crt
+   chmod 600 /var/lib/edb/as<x>/data/root.crt
+   ```
+
+1. Use the `openssl_rsa_generate_crl()` function to create the certificate revocation list `root.crl`:
+
+   ```shell
+   psql -U enterprisedb -d pem --no-psqlrc -t -A -c
+   "SELECT openssl_rsa_generate_crl('/var/lib/edb/as<x>/data/ca_certificate.crt', '/var/lib/edb/as<x>/data/ca_key.key')" > /var/lib/edb/as<x>/data/root.crl
+   ```
+
+1. Change the ownership and permissions of the `root.crl` file:
+
+   ```shell
+   chown enterprisedb /var/lib/edb/as<x>/data/root.crl
+   chmod 600 /var/lib/edb/as<x>/data/root.crl
+   ```
+
+1. Use the `openssl` command to generate the `server.key` file:
+
+   ```shell
+   openssl genrsa -out server.key 4096 
+   ```
+
+1. Move the `server.key` to the data directory of the backend server, and change the ownership and permissions:
+
+   ```shell
+   mv server.key /var/lib/edb/as<x>/data
+   chown enterprisedb /var/lib/edb/as<x>/data/server.key
+   chmod 600 /var/lib/edb/as<x>/data/server.key
+   ```
+
+1. Use the `openssl req` command to create the CSR:
+
+   ```shell
+   openssl req -new -key server.key -out server.csr -subj '/C=IN/ST=MH/L=Pune/O=EDB/CN=PEM'
+   ```
+
+   Where `-subj` is provided as per your requirements. You define `CN` asthe hostname/domain name of the PEM server host. 
+
+1. Use the `openssl x509` command to sign the CSR and generate a server certificate. Move the `server.crt` to the data directory of the backend database server:
+
+   ```shell
+   openssl x509 -req -days 365 -in server.csr -CA ca_certificate.crt -CAkey ca_key.key -CAcreateserial -out server.crt
+   mv server.crt /var/lib/edb/as<x>/data
+   ```
+
+   Where `-req` indicates the input is a CSR. The `-CA` and `-CAkey` options specify the root certificate and private key to use for signing the CSR.
+
+1. Change the owner and the permissions on the `server.crt` file:
+
+   ```shell
+   chown enterprisedb /var/lib/edb/as<x>/data/server.crt
+   chmod 600 /var/lib/edb/as<x>/data/server.crt
+   ```
+
+1. Restart the PEM server:
+
+   ```shell
+   systemctl restart edb-as-<x>
+   ```
+
+   Restarting the backend database server restarts the PEM server.
+
+1. Regenerate each PEM agent's self-signed SSL certificates. For more information, see [Regenerating agent SSL certificates](regenerating_agent_certificates).
+
@@ -0,0 +1,54 @@
+---
+title: "Changing the default port"
+---
+
+By default, the 8443 port is assigned for the web services at the time of configuration of the PEM server. You can change the port after configuration by changing a few parameters in the Apache configuration files. The Apache configuration files names and locations are platform specific.
+
+## For RHEL
+
+
+1. Edit the file `/etc/httpd/conf.d/edb-ssl-pem.conf`, replacing 8443 with your port number in the following parameters:
+   ```text
+   Listen 8443
+   <VirtualHost _default_:8443>
+   ServerName localhost:8443
+   RewriteRule ^(.*)$ https://%{HTTP_HOST}:8443%{REQUEST_URI} [L,R=301]
+   ```
+
+1. If `semanage` isn't installed, install it:
+   ```shell
+   sudo yum -y install policycoreutils-python
+   ```
+
+1. Check whether your port is listed:
+   ```text
+   semanage port -l | grep http
+   ```
+
+1. If your port doesn't appear in the list, run this command:
+   ```shell
+   sudo semanage port -a -t http_port_t -p tcp <your_port_number>
+   ```
+
+1. Restart the httpd service:
+   ```shell
+   sudo systemctl restart httpd
+   ```
+
+You can now access the PEM web interface using your port. For more details, see [Accessing the web interface](pem_web_interface).
+
+## For Debian and Ubuntu
+
+1. Edit the file `/etc/apache2/sites-available/edb-ssl-pem.conf`, replacing 8443 with your port number in the following parameters:
+   ```ini
+   Listen 8443
+   <VirtualHost _default_:8443>
+   ServerName HTTPD-EDBPEM-SERVER-v8:8443
+   ```
+
+1. Restart the httpd service:
+   ```shell
+   sudo systemctl restart apache2
+   ```
+
+You can now access the PEM web interface using your port. For more details, see [Accessing the web interface](pem_web_interface).
@@ -0,0 +1,44 @@
+---
+title: "Configuring the PEM server to use two-factor authentication"
+# This file is moved from pem_inst_guide_linux/04_installing_postgres_enterprise_manager
+redirects:
+- /pem/latest/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_1_configuring_2fa_authentication/
+- /pem/latest/pem_inst_guide_windows/04_installing_postgres_enterprise_manager/01.1_configuring_2fa_authentication/
+- /pem/latest/installing_pem_server/authentication_options/configuring_2fa_authentication/
+
+---
+
+PEM supports two methods for 2FA:
+
+-   Email authentication
+-   Authenticator app (such as Google Authenticator)
+
+To enable 2FA, you can copy these settings from the `config.py` file to the `config_local.py` file and modify the following parameters.
+
+| Parameter              | Description                                                                                                                                                       |
+| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| MFA_ENABLED            | Set to `true` to enable the two-factor authentication. Default value is `false`.                                                                                 |
+| MFA_FORCE_REGISTRATION | Set to `true` to ask the users to register forcefully for the two-factor authentication methods at login. Default value is `false`.                              |
+| MFA_SUPPORTED_METHODS  | Set to `email` to use the email authentication method (send a one-time code by email) or `authenticator` to use the TOTP-based application authentication method. |
+| MFA_EMAIL_SUBJECT      | Set to the subject of the email for email authentication. Default value is `<APP_NAME> - Verification Code`.                                                 |
+
+## Mail server configuration
+
+To use the email authentication method, you need to configure mail server settings.
+
+PEM server can send an email using either the SMTP configurations saved in the PEM configuration or using Flask-Mail.
+
+To send the email verification code using the internal SMTP configuration from the PEM configuration, set the parameter `MAIL_USE_PEM_INTERNAL` to `True`. If set to `False`, the following mail configuration is used to send the code on the user-specified email address:
+
+-   MAIL_SERVER = 'localhost'
+-   MAIL_PORT = 25
+-   MAIL_USE_TLS = False
+-   MAIL_USE_SSL = False
+-   MAIL_USERNAME = None
+-   MAIL_PASSWORD = None
+-   MAIL_DEFAULT_SENDER = None
+
+For more details about these configurations, see the [Flask-Mail documentation](https://pythonhosted.org/Flask-Mail/).
+
+!!! Note
+    PEM SMTP alerts don't use this configuration.