Support Stories: Secure GeoServer connections to Postgres for Heroku

One of our recent OpenGeo Suite support requests came from a customer exploring the use of Heroku, a cloud-based platform for database storage. Because Heroku sensibly requires that all client connections use SSL, their question was how to make such a connection from GeoServer.

Some Background

While OpenGeo Suite installs GeoServer and Postgres on the same server by default, many production deployments require the GeoServer and Postgres services to be split between two (or more) machines. When these machines are all on the same local area network, this usually doesn't introduce any additional security considerations. However, when they need to communicate across the internet or any other insecure network, it is important to force the database traffic over an SSL connection.

JNDI

While GeoServer doesn't offer an SSL option for regular database stores, we can use a JNDI connection instead. JNDI, short for Java Naming and Directory Interface, is typically used to improve performance by providing connection pooling to databases, and it also serves our purpose here because the JDBC URL it uses can carry SSL parameters.

Our Solution

To demonstrate how to secure data and improve integration with OpenGeo Suite, we will create a new JNDI resource — which we’ll arbitrarily call jdbc/heroku — that can be used in GeoServer.

Identify the Connection Parameters

The first step is to collect the connection parameters for our database. If you are using Heroku, these are on your database settings page:

[Figure: Heroku connection settings]

Update the Tomcat Context

Once we have this information, we can open /etc/tomcat6/context.xml for editing. Add the following block of code before the </Context> tag, replacing HOST, DATABASE, PORT, USER and PASSWORD based on the information from above:

<Resource
  name="jdbc/heroku"
  auth="Container"
  type="javax.sql.DataSource"
  driverClassName="org.postgresql.Driver"
  url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslfactory=org.postgresql.ssl.NonValidatingFactory"
  username="USER"
  password="PASSWORD"
  maxActive="20"
  maxIdle="10"
  maxWait="-1"
/>

Note that, with the sslfactory=org.postgresql.ssl.NonValidatingFactory setting, the traffic is encrypted but the identity of the server is not confirmed: the driver accepts whatever certificate the remote end presents, so the connection gives no protection against a host impersonating your database server. If the host's certificate is issued by a trusted authority, or you have imported the certificate into Java's keystore, then you should remove that connection parameter so that the driver validates the certificate.
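To make the difference between the two settings concrete, here is a small audit script, added for this article and not part of OpenGeo Suite, GeoServer or the PostgreSQL JDBC driver. It parses the <Resource> elements of a context.xml, reads the query parameters of each jdbc:postgresql URL and reports whether the connection is plaintext, encrypted but unauthenticated (the NonValidatingFactory case above), or fully verified. The sample context.xml is constructed: it contains the resource from the article plus a hardened jdbc/heroku_verified variant that uses sslmode=verify-full with an sslrootcert path; those two parameters are assumed to be supported by the pgjdbc version in use (they are present in current 42.x drivers), and the certificate path is a placeholder.

```python
"""Audit Tomcat context.xml JDBC resources for SSL/TLS weaknesses.

Added example for this article; not code from OpenGeo Suite, GeoServer
or pgjdbc. Assumes the pgjdbc driver understands sslmode/sslrootcert
(true for current 42.x releases). Sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: the article's resource, a hardened variant, and a
# plaintext one. HOST/PORT/DATABASE/USER/PASSWORD are placeholders.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/heroku" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslfactory=org.postgresql.ssl.NonValidatingFactory"
    username="USER" password="PASSWORD" maxActive="20" maxIdle="10" maxWait="-1" />
  <Resource name="jdbc/heroku_verified" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslmode=verify-full&amp;sslrootcert=/etc/ssl/certs/db-root.crt"
    username="USER" password="PASSWORD" />
  <Resource name="jdbc/plain" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE"
    username="USER" password="PASSWORD" />
</Context>
"""

NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"


def jdbc_params(url):
    """Return the query parameters of a jdbc:postgresql URL as a flat dict."""
    if "?" not in url:
        return {}
    query = url.split("?", 1)[1]
    # Last value wins if a parameter is repeated; blank values are kept.
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify_url(url):
    """Classify the TLS posture of a pgjdbc URL as (posture, reason).

    Postures: plaintext, opportunistic, unverified, verified-ca, verified,
    driver-default (ssl=true with no explicit sslmode).
    """
    p = jdbc_params(url)
    sslmode = p.get("sslmode", "").lower()
    factory = p.get("sslfactory", "")
    # pgjdbc treats any value of ssl other than "false" as enabling TLS.
    ssl_enabled = "ssl" in p and p["ssl"].lower() != "false"

    if sslmode == "disable" or (not sslmode and not ssl_enabled):
        return "plaintext", "no TLS requested; credentials and data cross the network in the clear"
    if factory == NON_VALIDATING:
        return "unverified", ("sslfactory=NonValidatingFactory accepts any server certificate; "
                              "encrypted, but an impersonating server would not be detected")
    if sslmode in ("allow", "prefer"):
        return "opportunistic", f"sslmode={sslmode} falls back to plaintext if the server offers no TLS"
    if sslmode == "require":
        return "unverified", "sslmode=require encrypts but does not check the server certificate"
    if sslmode == "verify-ca":
        return "verified-ca", "certificate chain is checked, but the hostname is not matched against it"
    if sslmode == "verify-full":
        root = p.get("sslrootcert", "driver default location")
        return "verified", f"chain and hostname checked; root CA from {root}"
    return "driver-default", ("ssl=true without sslmode; validation depends on the driver version, "
                              "set sslmode=verify-full explicitly")


def audit_context(xml_text):
    """Return [(resource name, posture, reason)] for every PostgreSQL <Resource>."""
    root = ET.fromstring(xml_text)  # ET unescapes &amp; in the url attribute
    findings = []
    for res in root.iter("Resource"):
        url = res.get("url", "")
        if not url.startswith("jdbc:postgresql:"):
            continue
        posture, reason = classify_url(url)
        findings.append((res.get("name"), posture, reason))
    return findings


if __name__ == "__main__":
    for name, posture, reason in audit_context(SAMPLE_CONTEXT_XML):
        print(f"{name:22} {posture:14} {reason}")
```

Run against a real /etc/tomcat6/context.xml by reading the file into audit_context(); any resource reported as plaintext, opportunistic or unverified is one where the database traffic is not protected end to end, and the fix in each case is the same as the article's advice: drop NonValidatingFactory and let the driver validate the certificate, ideally with sslmode=verify-full.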

Update the GeoServer Configuration

The next step is to edit web.xml in /usr/share/opengeo/geoserver/WEB-INF and add the following block just before the </web-app> line at the bottom of the file:

  <resource-ref>
    <description>Postgres Datasource</description>
    <res-ref-name>jdbc/heroku</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>

This declares the JNDI resource to the GeoServer web application so it can look it up. We can now restart the Tomcat application server.

Create the Secure Connection

Finally, add a new PostGIS JNDI store and set the jndiReferenceName to java:comp/env/jdbc/heroku (all other options are the same as a regular PostGIS store). Click Save and your secure connection is ready to use!

Learn more

More information on JNDI connections with Tomcat is available in the GeoServer documentation.

Benjamin Trigona-Harany leads our global support team from our offices in Victoria, BC. Interested in support or training for your enterprise? Contact us to learn more.

