Configure TLS in Azure Cosmos DB for PostgreSQL
APPLIES TO:
Azure Cosmos DB for PostgreSQL (powered by the Citus database
extension to PostgreSQL)
The coordinator node requires client applications to connect with Transport Layer Security (TLS). Enforcing TLS between the database server and client applications helps keep data confidential in transit. Extra verification settings described below also protect against "man-in-the-middle" attacks.
Enforcing TLS connections
Applications use a "connection string" to identify the destination database and settings for a connection. Different clients require different settings. To see a list of connection strings used by common clients, consult the Connection Strings section for your cluster in the Azure portal.
The TLS parameters ssl and sslmode vary based on the capabilities of the connector, for example ssl=true or sslmode=require or sslmode=required.
Ensure your application or framework supports TLS connections
Some application frameworks don't enable TLS by default for PostgreSQL connections. However, without a secure connection, an application can't connect to the coordinator node. Consult your application's documentation to learn how to enable TLS connections.
Applications that require certificate verification for TLS connectivity
In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file (.cer) to connect securely. The certificate to connect to an Azure Cosmos DB for PostgreSQL is located at https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem. Download the certificate file and save it to your preferred location.
Note
To check the certificate's authenticity, you can verify its SHA-256 fingerprint using the OpenSSL command line tool:
openssl x509 -in DigiCertGlobalRootG2.crt.pem -noout -sha256 -fingerprint
# should output:
# CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Connect using psql
The following example shows how to connect to your coordinator node using the psql command-line utility. Use the sslmode=verify-full connection string setting to enforce TLS certificate verification. Pass the local certificate file path to the sslrootcert parameter.
Below is an example of the psql connection string:
psql "sslmode=verify-full sslrootcert=DigiCertGlobalRootG2.crt.pem host=c-mydemocluster.12345678901234.postgres.cosmos.azure.com dbname=citus user=citus password=your_pass"
Tip
Confirm that the value passed to sslrootcert matches the file path for the certificate you saved.
Next steps
Increase security further with Firewall rules in Azure Cosmos DB for PostgreSQL.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for