Configure TLS in Azure Cosmos DB for PostgreSQL
APPLIES TO: Azure Cosmos DB for PostgreSQL (powered by the Citus database extension to PostgreSQL)
The coordinator node requires client applications to connect with Transport Layer Security (TLS). Enforcing TLS between the database server and client applications helps keep data confidential in transit. Extra verification settings described below also protect against "man-in-the-middle" attacks.
Enforcing TLS connections
Applications use a "connection string" to identify the destination database and settings for a connection. Different clients require different settings. To see a list of connection strings used by common clients, consult the Connection Strings section for your cluster in the Azure portal.
The TLS parameters (for example sslmode) vary based on the capabilities of the connector.
Ensure your application or framework supports TLS connections
Some application frameworks don't enable TLS by default for PostgreSQL connections. However, without a secure connection, an application can't connect to the coordinator node. Consult your application's documentation to learn how to enable TLS connections.
Applications that require certificate verification for TLS connectivity
In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file (.cer) to connect securely. The certificate to connect to an Azure Cosmos DB for PostgreSQL cluster is located at https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem. Download the certificate file and save it to your preferred location.
To check the certificate's authenticity, you can verify its SHA-256 fingerprint using the OpenSSL command line tool:
openssl x509 -in DigiCertGlobalRootG2.crt.pem -noout -sha256 -fingerprint
# should output:
# CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Connect using psql
The following example shows how to connect to your coordinator node using the psql command-line utility. Use the sslmode=verify-full connection string setting to enforce TLS certificate verification. Pass the local certificate file path to the sslrootcert parameter.
Below is an example of the psql connection string:
psql "sslmode=verify-full sslrootcert=DigiCertGlobalRootG2.crt.pem host=c-mydemocluster.12345678901234.postgres.cosmos.azure.com dbname=citus user=citus password=your_pass"
Confirm that the value passed to sslrootcert matches the file path for the certificate you saved.
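The two checks this page asks for, verifying the CA file's SHA-256 fingerprint and confirming that the connection string really requests sslmode=verify-full with an sslrootcert, can be scripted so they run before an application is deployed. The following is an added example (not Microsoft's or libpq's code): it computes the same colon-separated SHA-256 fingerprint that the openssl command above prints, compares it in constant time against the DigiCert Global Root G2 value from this page, and audits a libpq keyword=value connection string of the kind passed to psql. The PEM embedded in the block is a constructed stand-in (arbitrary bytes, not a real certificate) so the script runs offline; point `pem_path` at the downloaded DigiCertGlobalRootG2.crt.pem to check the real file. The sslmode ranking and the quoting rules are the libpq conventions; the helper names are the example's own.

```python
"""Pre-deployment TLS checks for Azure Cosmos DB for PostgreSQL connections (added example)."""
import base64
import hashlib
import hmac
import re

# Expected SHA-256 fingerprint of DigiCert Global Root G2, as stated on the page.
EXPECTED_DIGICERT_G2_SHA256 = (
    "CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F"
)

# Constructed sample PEM: 64 arbitrary bytes wrapped as a CERTIFICATE block so the
# script runs offline. It is NOT a real certificate and will not match the value above.
_CONSTRUCTED_DER = bytes(range(64))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and decode its base64 body to DER bytes."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_sha256(pem_text):
    """Return the SHA-256 fingerprint in openssl's AA:BB:... upper-case form."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text, expected):
    """Constant-time comparison; tolerates colons, spaces and case differences in `expected`."""
    normalize = lambda s: s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(normalize(fingerprint_sha256(pem_text)), normalize(expected))


# libpq sslmode values, weakest to strongest. Only verify-full checks both the CA chain
# and that the certificate's name matches the host we asked for.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2, "require": 3, "verify-ca": 4, "verify-full": 5}


def parse_conninfo(conninfo):
    """Parse a libpq keyword=value string; single-quoted values may contain backslash escapes."""
    pairs = {}
    for key, raw in re.findall(r"(\w+)\s*=\s*('(?:\\.|[^'\\])*'|\S+)", conninfo):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        pairs[key] = raw
    return pairs


def audit_conninfo(conninfo):
    """Return a list of findings; an empty list means full certificate verification is requested."""
    params = parse_conninfo(conninfo)
    findings = []
    mode = params.get("sslmode", "prefer")  # libpq's default when sslmode is not given
    if SSLMODE_RANK.get(mode, -1) < SSLMODE_RANK["verify-full"]:
        findings.append(f"sslmode={mode} does not verify the server certificate and host name; "
                        "use sslmode=verify-full")
    if mode in ("verify-ca", "verify-full") and not params.get("sslrootcert"):
        findings.append("sslrootcert is not set; verify modes need the CA file "
                        "(libpq otherwise looks for ~/.postgresql/root.crt)")
    return findings


def _quote_value(value):
    """Quote a value the way libpq expects when it contains spaces, quotes or backslashes."""
    if re.fullmatch(r"[^\s'\\]+", value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_conninfo(host, user, password, sslrootcert, dbname="citus"):
    """Build a psql/libpq connection string that always requests verify-full."""
    parts = {"sslmode": "verify-full", "sslrootcert": sslrootcert, "host": host,
             "dbname": dbname, "user": user, "password": password}
    return " ".join(f"{key}={_quote_value(value)}" for key, value in parts.items())


def check_ca_file(pem_path, expected=EXPECTED_DIGICERT_G2_SHA256):
    """Read a downloaded PEM file and report whether its fingerprint matches the expected value."""
    with open(pem_path, encoding="ascii") as handle:
        return fingerprint_matches(handle.read(), expected)


if __name__ == "__main__":
    # Host name below is the placeholder cluster name used on this page.
    conninfo = build_conninfo("c-mydemocluster.12345678901234.postgres.cosmos.azure.com",
                              "citus", "your pass", "DigiCertGlobalRootG2.crt.pem")
    print("constructed PEM fingerprint:", fingerprint_sha256(CONSTRUCTED_PEM))
    print("matches DigiCert G2?", fingerprint_matches(CONSTRUCTED_PEM, EXPECTED_DIGICERT_G2_SHA256))
    print("audit of built conninfo:", audit_conninfo(conninfo) or "OK")
    print("audit of sslmode=require:", audit_conninfo("sslmode=require host=example"))
```

Run `check_ca_file("DigiCertGlobalRootG2.crt.pem")` on the real download to get the same answer the openssl command gives; `audit_conninfo` is the part worth wiring into a configuration test, since a connection string that says only sslmode=require still encrypts but does not prove which server it is talking to.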
Increase security further with Firewall rules in Azure Cosmos DB for PostgreSQL.