The driver supports certificate-based authentication for PostgreSQL 11.0 and later. The certificate-based authentication performs both TLS/SSL server authentication and TLS/SSL client authentication. It does not require the client to specify the password. It authenticates the client to the server if the TLS/SSL client certificate is issued by a trusted Certificate Authority (CA) and the Common Name (cn) attribute of the TLS/SSL client certificate matches the database user name.

To configure the driver to use certificate-based authentication:
  • Set the Host Name (HostName) option to specify the name or the IP address of the server to which you want to connect.
  • Set the Port Number (PortNumber) option to specify the port number of the server listener. The default is 5432.
  • Set the Database Name (Database) option to specify the name of the database to which you want to connect.
  • Set the User Name (LogonID) option to specify your user name.
  • Set the Authentication Method (AuthenticationMethod) option to either 17 (SSL Verify CA) or 18 (SSL Verify Full). When set to 17, the driver verifies just the TLS/SSL client certificate, but when set to 18, it verifies the host name along with the TLS/SSL client certificate.
    Note: When the Authentication Method option is set to either 17 or 18, the SSL encryption is automatically enabled (EncryptionMethod=1).
  • Set the Trust Store (TrustStore) option to specify the directory that contains the truststore file. The truststore file contains a list of the valid CAs that are trusted by the client machine for TLS/SSL server authentication.
  • Set the Trust Store Password (TrustStorePassword) option to specify the password that is used to access the truststore file.
  • Specify values for one of the following sets of options:
    • Client SSL Certificate and Client SSL Key:
      • Set the Client SSL Certificate (ClientSSLCertificate) option to specify the full path of the certificate required to authenticate the client to the server.
      • Set the Client SSL Key (ClientSSLKey) option to specify the key used to access the client SSL certificate.
    • Key Store and Key Store Password:
      • Set the Key Store (KeyStore) option to specify the full path of the client SSL certificate that is saved in PFX format.
      • Set the Key Store Password (KeyStorePassword) option to specify the password used to access the keystore file.
  • Set the Host Name In Certificate (HostNameInCertificate) to specify the name or the IP address of the server to which you want to connect. If it is not specified, the driver uses the value specified for the Host Name option.
    Note: Specify a value for this option only when Authentication Method is set to 18.

The following examples show the connection information required to establish a session using certificate-based authentication.

Connection string

DRIVER=DataDirect 8.0 PostgreSQL Wire Protocol;HostName=myserver;PortNumber=5432;
Database=Payroll;LogonID=jsmith;AuthenticationMethod=18;
Truststore=TrustStoreName;TruststorePassword=TSXYZZY;
ClientSSLCertificate=C:\abc\odbc0123.crt;ClientSSLKey=C:\abc\odbc0123.key;
HostNameInCertificate=MySubjectAltName;

odbc.ini

[PostgreSQL Wire Protocol]
Driver=ODBCHOME/lib/xxpsql28.yy
...
AuthenticationMethod=18
...
ClientSSLCertificate=C:\abc\odbc0123.crt
...
ClientSSLKey=C:\abc\odbc0123.key
...
Database=Payroll
...
HostName=myserver
...
HostNameInCertificate=MySubjectAltName
...
LogonID=jsmith
...
PortNumber=5432
...
Truststore=TrustStoreName
...
TruststorePassword=TSXYZZY
...