Preparing the PEM database server v9
You must configure dedicated users and create an SSL key and certificate on the PEM database server to enable connection pooling for PEM with PgBouncer.
This example shows how to prepare the PEM database server with the enterprisedb
user on a RHEL-based operating system with EDB Postgres Advanced Server version 16. The location of your data, the configuration and key files, and the user you employ to perform the configuration may differ depending on your OS and Postgres distribution.
Prerequisites
You are connected to the
pem
database of the PEM database server.You are connected as
enterprisedb
orpostgres
user. The user depends on your Postgres distribution.Postgres distribution User EDB Postgres Advanced Server enterprisedb EDB Postgres Extended Server postgres PostgreSQL postgres
Creating users and roles for PgBouncer-PEM connections
Create a dedicated user named pgbouncer with
pem_agent_pool
membership. This user will serve connections from PgBouncer to the PEM database by forwarding all agent database queries.Create a user named pem_admin1 (not a superuser) with
pem_admin
andpem_agent_pool
role membership. This user is used to register the agent to the PEM server and manage access to the PEM database.Grant CONNECT privileges to the pgbouncer user:
Grant USAGE privileges to the pgbouncer user for the
pem
schema:Grant EXECUTE privileges to the pgbouncer user on the
pem.get_agent_pool_auth(text)
function. For example:Use the
pem.create_proxy_agent_user(varchar)
function to create a user named pem_agent_user1. This proxy user will serve connections between all Agents and PgBouncer.The function creates a user with the same name and a random password and grants pem_agent and pem_agent_pool roles to the user. This approach allows PgBouncer to use a proxy user on behalf of the agent.
Updating the configuration files to allow PgBouncer-PEM connections
Allow the pgbouncer user to connect to the
pem
database using the SSL authentication method by adding thehostssl pem
entry in thepg_hba.conf
file of the PEM database server.In the list of rules, ensure you place the
hostssl pem
entry before any other rules assigned to the+pem_agent
user.Allow the PEM server to map all users involved in PgBouncer-PEM connections by adding these lines to the
$PGDATA/pg_ident.conf
user mapping file:Restart the Postgres service. Replace the
<postgres_service>
placeholder with the name of the Postgres instance systemd service name:
Creating the SSL key and certificate for PgBouncer-PEM authentication
Create a key and certificate for the pem_agent_pool
group role. Then, move the files to the PgBouncer instance to allow authentication between the PEM database server and PgBouncer.
This example runs EDB Postgres Advanced Server on RHEL. When setting your environment variables, choose the correct directories according to your operating system and Postgres distribution.
Set the
$DATA_DIR
environment variable to your data directory:Data directories per OS and Postgres version
Here are some examples of other default data directories per operating system and Postgres version.Postgres version RHEL/Rocky Linux/AlmaLinux/SLES Debian/Ubuntu EDB Postgres
Advanced Server 16/var/lib/edb/as16/data /var/lib/edb-as/16/main EDB Postgres
Extended Server 16/var/lib/edb/edb-pge/16/data /var/lib/edb-pge/16/main PostgreSQL 16 /var/lib/edb/pgsql/16/data /etc/postgresql/16/main Set the
$USER_HOME
environment variable to the home directory accesible to the user:User home directories per OS and Postgres version
Here are some examples of other default home directories per operating system and Postgres version.Postgres version RHEL/Rocky Linux/AlmaLinux/SLES Debian/Ubuntu EDB Postgres
Advanced Server 16/var/lib/edb /var/lib/edb-as EDB Postgres
Extended Server 16/var/lib/pgsql /var/lib/postgresql PostgreSQL 16 /var/lib/pgsql /var/lib/postgresql Create the signing key with openssl:
Create a certificate-signing request (CSR). Replace the
-subj
attributes in<...>
as required. Ensure the Common Name (CN) is set to thepem_agent_pool
group role name:Use the PEM CA and key to sign the CSR:
Move the created key and certificate to a path the
enterprisedb
user can access.In this example, create a folder called
~/.postgresql
in the home directory of theenterprisedb
user and ensure it has permissions: