One of our recent OpenGeo Suite support requests came from a customer exploring the use of Heroku, a cloud-based platform for database storage. Because Heroku sensibly requires that all connections use a secure SSL connection, their question involved making such a connection using GeoServer.
While OpenGeo Suite installs GeoServer and Postgres on the same server by default, many production deployments require the GeoServer and Postgres services to be split between two (or more) machines. When these computers are all on the same local area network, this usually doesn't introduce any additional security considerations. However, when they need to communicate across the internet or any other insecure network, it is important to force the database traffic over an SSL connection.
While GeoServer doesn't offer an SSL connection to regular database stores, we can use a JNDI connection instead. JNDI, short for Java Naming and Directory Interface, is typically used to improve performance by providing connection pooling to databases, and it also serves our purpose by enabling secure connections.
To demonstrate how to secure data and improve integration with OpenGeo Suite, we will create a new JNDI resource (which we'll arbitrarily call jdbc/heroku) that can be used in GeoServer.
Identify the Connection Parameters
The first step is to collect the connection parameters for our database. If you are using Heroku, these are on your database settings page:
Update the Tomcat Context
Once we have this information, we can open /etc/tomcat6/context.xml for editing. Add the following block before the </Context> tag, replacing HOST, PORT, DATABASE, USER and PASSWORD based on the information from above:
<Resource name="jdbc/heroku" auth="Container" type="javax.sql.DataSource"
          driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslfactory=org.postgresql.ssl.NonValidatingFactory"
          username="USER" password="PASSWORD"
          maxActive="20" maxIdle="10" maxWait="-1" />

Note that the ampersand separating the two URL parameters must be written as &amp; inside the XML attribute; a bare & is not well-formed XML and Tomcat will fail to parse context.xml.
Note that, with the sslfactory=org.postgresql.ssl.NonValidatingFactory setting, the identity of the server will not be confirmed, which could compromise your security; if the host's certificate is certified by a trusted authority or you have imported the certificate into Java's keystore, then you should remove that connection parameter.
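To make the caveat above checkable rather than a matter of memory, here is a small audit script (an added example, not part of the original post or of OpenGeo Suite) that parses a Tomcat context.xml and reports every PostgreSQL Resource whose JDBC URL either does not force SSL or does not validate the server certificate. The context.xml embedded in it is constructed for the example: it contains the jdbc/heroku resource from this post, a hardened variant using the pgjdbc sslmode=verify-full and sslrootcert parameters (the certificate path is a placeholder), and a resource with no SSL at all. The well-formedness helper also demonstrates why the ampersand in the URL must be escaped.

```python
"""Audit a Tomcat context.xml for PostgreSQL JDBC resources that are not
forced over a validated SSL connection.  Added example; all sample data is
constructed and the file path in the hardened resource is a placeholder."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample context.xml (not a real deployment).
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/heroku" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslfactory=org.postgresql.ssl.NonValidatingFactory"
    username="USER" password="PASSWORD" maxActive="20" maxIdle="10" maxWait="-1" />
  <Resource name="jdbc/hardened" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE?ssl=true&amp;sslmode=verify-full&amp;sslrootcert=/PLACEHOLDER/db-ca.crt"
    username="USER" password="PASSWORD" maxActive="20" maxIdle="10" maxWait="-1" />
  <Resource name="jdbc/plain" auth="Container" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver"
    url="jdbc:postgresql://HOST:PORT/DATABASE"
    username="USER" password="PASSWORD" />
</Context>
"""

NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"
POSTGRES_DRIVER = "org.postgresql.Driver"
# pgjdbc sslmode values that verify the server certificate (verify-full also checks the hostname)
VERIFYING_MODES = {"verify-ca", "verify-full"}
# pgjdbc sslmode values that do not force encryption
NON_FORCING_MODES = {"disable", "allow", "prefer"}


def is_well_formed(xml_text):
    """True if the text parses as XML; a bare '&' in a URL attribute makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def jdbc_params(url):
    """Return the query parameters of a jdbc:postgresql:// URL (last value wins)."""
    plain = url[len("jdbc:"):] if url.startswith("jdbc:") else url
    return {k: v[-1] for k, v in parse_qs(urlsplit(plain).query).items()}


def audit_url(name, url):
    """Return a list of findings for one Resource's JDBC URL."""
    p = jdbc_params(url)
    sslmode = p.get("sslmode")
    if sslmode is not None:
        # When sslmode is present it governs; disable/allow/prefer may fall back to plaintext.
        forced = sslmode not in NON_FORCING_MODES
    else:
        forced = p.get("ssl", "").lower() == "true"

    findings = []
    if not forced:
        findings.append(f"{name}: traffic is not forced over SSL (add ssl=true)")
        return findings
    if p.get("sslfactory") == NON_VALIDATING:
        findings.append(f"{name}: sslfactory={NON_VALIDATING} skips server certificate validation")
    elif sslmode is not None and sslmode not in VERIFYING_MODES:
        # e.g. sslmode=require encrypts but does not check who the server is
        findings.append(f"{name}: sslmode={sslmode} encrypts but does not validate the server; "
                        "use sslmode=verify-full with sslrootcert")
    return findings


def audit_context(xml_text):
    """Map each PostgreSQL Resource name to its findings (empty list = no issue found)."""
    root = ET.fromstring(xml_text)
    report = {}
    for res in root.iter("Resource"):
        if res.get("driverClassName") != POSTGRES_DRIVER:
            continue
        report[res.get("name")] = audit_url(res.get("name"), res.get("url", ""))
    return report


if __name__ == "__main__":
    for name, findings in audit_context(SAMPLE_CONTEXT_XML).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against a real file with audit_context(open("/etc/tomcat6/context.xml").read()); a clean report means every PostgreSQL resource both forces SSL and validates the server. The script deliberately treats a URL with ssl=true and no sslfactory override as acceptable, because the driver's default factory then validates against Java's truststore, which is exactly the situation in which the post says NonValidatingFactory should be removed.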
Update the GeoServer Configuration
The next step is to edit the GeoServer web application descriptor in /usr/share/opengeo/geoserver/WEB-INF and add the following just before the </web-app> line at the bottom of the file.
<resource-ref>
  <description>Postgres Datasource</description>
  <res-ref-name>jdbc/heroku</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
This gives GeoServer access to the JNDI resource. We can now restart the Tomcat application server.
Create the Secure Connection
Finally, add a new PostGIS (JNDI) store and set its JNDI resource name to java:comp/env/jdbc/heroku (all other options are the same as a regular PostGIS store). Click Save and your secure connection is ready to use!
More information on JNDI connections with Tomcat is available in the GeoServer documentation.
Benjamin Trigona-Harany leads our global support team from our offices in Victoria, BC. Interested in support or training for your enterprise? Contact us to learn more.