SSL/TLS Configuration
Overview
Enov8 TDM supports SSL/TLS encryption to secure database connections, ensuring confidentiality, integrity, and protection against eavesdropping and man-in-the-middle (MITM) attacks. This guide explains how to configure SSL/TLS settings using the Enov8 TDM UI.
Supported Databases for SSL/TLS Connectivity
Enov8 TDM supports SSL/TLS authentication for the following databases:
- MySQL/MariaDB
- MSSQL
- Oracle
- PostgreSQL
Each database requires specific SSL configurations to enable encrypted connections.
Configuring SSL/TLS in the Enov8 TDM UI
The SSL/TLS settings can be configured through the database connection setup page in Enov8 TDM.
UI Field Mapping for SSL/TLS Authentication
UI Field | Description & How to Determine the Value |
---|---|
Server * | The hostname or IP address of the database server (e.g., dbserver.example.com). |
Username * | The database username used for authentication. |
Password * | The database password for authentication. |
Database * | The name of the database you are connecting to. |
Port * | The database port (default: 3306 for MySQL/MariaDB, 1433 for MSSQL, 1521 for Oracle, 5432 for PostgreSQL). |
Certificate Authentication File Path | The path to the CA certificate file (optional). If left blank, the connection may still be encrypted, but the server certificate is not verified against a CA, so the server's identity is not confirmed. |
Client Certificate File Path | The path to the client certificate file used for authentication. |
Certificate Key File Path | The path to the client private key file required for authentication. |
Database-Specific SSL/TLS Configurations
Each supported database has specific requirements for setting up SSL/TLS. Below are the details for configuring each database type in the UI.
1. MySQL/MariaDB SSL Configuration
MySQL and MariaDB use certificate-based authentication to secure connections.
Example UI Configuration for MySQL/MariaDB
UI Field | Example Value |
---|---|
Server | mysql.example.com |
Username | db_user |
Password | securepassword |
Database | sales_db |
Port | 3306 (default) |
Certificate Authentication File Path | /var/tmp/mysql/ca-cert.pem |
Client Certificate File Path | /var/tmp/mysql/client-cert.pem |
Certificate Key File Path | /var/tmp/mysql/client-key.pem |
✅ Note: If the CA certificate is not required, leave Certificate Authentication File Path blank.
2. MSSQL SSL Configuration
MSSQL connections use default system-wide certificate stores to establish secure connections.
Default Certificate Store Locations
OS Version | Certificate Store Path |
---|---|
RHEL 7-9 | /etc/pki/tls/cert.pem |
Ubuntu 18-24 | /etc/ssl/certs |
Example UI Configuration for MSSQL
UI Field | Example Value |
---|---|
Server | mssql.example.com |
Username | mssql_admin |
Password | StrongPass123 |
Database | corporate_db |
Port | 1433 (default) |
Certificate Authentication File Path | /etc/pki/tls/cert.pem |
Client Certificate File Path | (Leave blank if not required) |
Certificate Key File Path | (Leave blank if not required) |
✅ Note: Ensure MSSQL is configured to require SSL connections.
3. Oracle SSL Configuration
Oracle databases use a combination of DSN (tnsnames.ora) and Wallet-based authentication to enable SSL.
Example UI Configuration for Oracle
UI Field | Example Value |
---|---|
Server | oracle.example.com |
Username | oracle_user |
Password | SecureOraclePass |
Database | finance_db |
Port | 1521 (default) |
DSN | net_service_name |
✅ Note: Ensure tnsnames.ora and sqlnet.ora are configured for SSL. The user should enter the alias from the tnsnames.ora file (which is configured with a wallet) into the DSN field.
4. PostgreSQL SSL Configuration
PostgreSQL allows multiple SSL modes, which determine encryption security levels.
Supported SSL Modes
SSL Mode | Eavesdropping Protection | MITM Protection | Use Case |
---|---|---|---|
disable | ❌ No | ❌ No | No encryption, minimal overhead. |
allow | ✅ Maybe | ❌ No | Encrypt if the server insists. |
prefer | ✅ Maybe | ❌ No | Encrypt if supported, but not required. |
require | ✅ Yes | ❌ No | Always encrypt, trust network. |
verify-ca | ✅ Yes | 🔄 Depends on CA policy | Encrypted + trusted CA certificate. |
verify-full | ✅ Yes | ✅ Yes | Encrypted + strict server verification. |
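The difference between the three modes that always encrypt comes down to what the client checks about the server certificate. The sketch below is an added example, not Enov8 TDM or libpq code: it expresses each mode with Python's standard `ssl` module, and the function names `context_for_sslmode` and `protections` are hypothetical.

```python
import ssl

def context_for_sslmode(sslmode, ca_file=None):
    """Build a client ssl.SSLContext that mirrors a PostgreSQL sslmode.

    Covers only the three modes that always encrypt. ca_file is the CA
    bundle (the "Certificate Authentication File Path" field); None falls
    back to the system trust store.
    """
    if sslmode not in ("require", "verify-ca", "verify-full"):
        raise ValueError(f"{sslmode!r} does not guarantee encryption")

    # The default context verifies the chain and the hostname: verify-full.
    ctx = ssl.create_default_context(cafile=ca_file)

    if sslmode in ("require", "verify-ca"):
        # The certificate's name is not compared with the Server field, so
        # any certificate that passes the chain check below is accepted.
        ctx.check_hostname = False
    if sslmode == "require":
        # No chain validation at all: the session is encrypted, but to
        # whoever answered, hence "no MITM protection" in the table.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def protections(ctx):
    """Summarise what the context checks about the server certificate."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_verified": ctx.check_hostname,
    }

if __name__ == "__main__":
    for mode in ("require", "verify-ca", "verify-full"):
        print(mode, protections(context_for_sslmode(mode)))
```

With verify-ca, any certificate issued by a trusted CA is accepted regardless of the name it carries, which is why the table rates its MITM protection as dependent on CA policy.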
Example UI Configuration for PostgreSQL
UI Field | Example Value |
---|---|
Server | pg.example.com |
Username | pg_admin |
Password | SecurePostgresPass |
Database | analytics_db |
Port | 5432 (default) |
Certificate Authentication File Path | /etc/postgres/ssl/ca-cert.pem |
Client Certificate File Path | /etc/postgres/ssl/client-cert.pem |
Certificate Key File Path | /etc/postgres/ssl/client-key.pem |
✅ Recommended: Set SSL Mode to verify-full for the highest security.
Best Practices for SSL/TLS Configuration
- Use the highest security mode possible
  - For PostgreSQL, use verify-full.
  - For MSSQL, verify certificate trust.
- Ensure certificates are stored in a secure location
  - Store certificates in restricted-access directories (/etc/security/ssl/).
  - Limit permissions to root or the database user.
- Keep certificates updated
  - Regularly rotate TLS certificates.
  - Check for certificate expiration.
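The storage and permission advice can be checked before the paths are entered in the UI. This is an added example, not part of Enov8 TDM: the function name `audit_tls_files` is hypothetical, and it assumes the files sit on a POSIX host where the script can stat them.

```python
import os
import stat

def audit_tls_files(ca_path, cert_path, key_path):
    """Check the three certificate path fields; return a list of findings."""
    findings = []
    if not ca_path:
        findings.append("CA path blank: server certificate is not checked against a CA")
    fields = (("CA certificate", ca_path),
              ("client certificate", cert_path),
              ("client key", key_path))
    for label, path in fields:
        if not path:
            continue  # field left blank in the UI
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            findings.append(f"{label}: cannot stat {path} ({exc.strerror})")
            continue
        if label == "client key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The private key must be usable by its owner only.
            findings.append(f"{label}: {path} is open to group/other (mode {mode:o})")
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A writable certificate or CA bundle can be swapped out.
            findings.append(f"{label}: {path} is writable by group/other (mode {mode:o})")
        parent = os.path.dirname(os.path.abspath(path))
        if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
            findings.append(f"{label}: directory {parent} is world-writable")
    return findings

if __name__ == "__main__":
    # Paths from the MySQL/MariaDB example table on this page.
    for finding in audit_tls_files("/var/tmp/mysql/ca-cert.pem",
                                   "/var/tmp/mysql/client-cert.pem",
                                   "/var/tmp/mysql/client-key.pem"):
        print(finding)
```

An empty list means the files exist, the key is owner-only, and nothing is writable by other accounts; it does not check certificate expiration.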
Final Notes
- If client certificates are not required, leave those fields blank.
- Ensure the database server supports SSL/TLS and is configured accordingly.
- Use trusted certificate authorities (CAs) to avoid untrusted connection errors.