
Certificate validation fails during a VA scan against PostgreSQL
Issue:
When you run a VA scan or test VA credentials against a PostgreSQL instance, you see the following error:
Please Check Connection Parameters Cannot create PoolableConnectionFactory (The connection attempt failed.)
When you look at dbs.log, you also see the following:
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The connection attempt failed.)
Caused by: org.postgresql.util.PSQLException: The connection attempt failed.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Environment:
- PostgreSQL 11.x or later
Cause:
PostgreSQL 11 and later present the public key certificate in a format that is incompatible with the Database Security Server default settings.
Solution:
You have two options to fix the issue:
Option 1 (recommended):
Extract the public key certificate from PostgreSQL and import it to Database Security Server’s Java KeyStore file.
- Obtain the certificate in X.509 format with DER encoding.
To convert a certificate file to this encoding, use the following OpenSSL command (where server.crt is the public key certificate used with PostgreSQL):
openssl x509 -in server.crt -out server.crt.der -outform der
- Import the certificate to Database Security Server’s Java KeyStore file.
NOTE: On both platforms, the keystore password is changeit.
- On Windows:
- Open a command-line session.
- Type <DBSecInstallDir>\java\zulu_jre8_0_181\bin\keytool -import -alias postgres -file server.crt.der -keystore <DBSecInstallDir>\java\zulu_jre8_0_181\lib\security\cacerts and press Enter.
- On Linux:
- Open a command-line session.
- Type <DBSecInstallDir>/jre/bin/keytool -import -alias postgres -file server.crt.der -keystore <DBSecInstallDir>/jre/lib/security/cacerts and press Enter.
- On Windows:
- Restart Database Security Server.
Option 2 (not recommended):
NOTE: This change disables public key certificate validation for this connection, which is a potential security risk.
- Open the Database Security Server console.
- For the appropriate DBMS, click DBMSs, then Configuration.
- Below the VA credentials, expand Advanced.
- In Connection Properties, add the following strings on their own lines:
ssl=true
sslfactory=org.postgresql.ssl.NonValidatingFactory
sslmode=required
- Save the changes and test again.
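As an added example (not part of this article or the vendor's product), the following Python check reads a Connection Properties block like the one in Option 2 and reports whether the resulting pgjdbc connection still validates the server certificate; the sslmode semantics follow the pgjdbc driver documentation, and the two sample property blocks are constructed for the check.

```python
# pgjdbc sslmode values that encrypt the session but do NOT verify the server
# certificate (per the pgjdbc documentation); verify-ca and verify-full do.
NON_VALIDATING_SSLMODES = {"allow", "prefer", "require"}
VALIDATING_SSLMODES = {"verify-ca", "verify-full"}
NON_VALIDATING_FACTORY = "org.postgresql.ssl.NonValidatingFactory"

# Constructed samples: Option 2 as written in the article, and a validating
# variant (assumed; the article does not list Option 1's property block).
OPTION_2_PROPERTIES = """ssl=true
sslfactory=org.postgresql.ssl.NonValidatingFactory
sslmode=required
"""
VALIDATING_PROPERTIES = """ssl=true
sslmode=verify-full
"""


def parse_connection_properties(text):
    """Parse 'key=value' lines (one per line) into a dict; blank lines and
    lines without '=' are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_pg_ssl_properties(text):
    """Return a list of findings; an empty list means the connection will
    validate the server certificate against the JVM truststore (Option 1)."""
    props = parse_connection_properties(text)
    findings = []
    if props.get("ssl", "false").lower() != "true":
        findings.append("ssl is not enabled; the session is not TLS-protected")
        return findings
    if props.get("sslfactory") == NON_VALIDATING_FACTORY:
        findings.append("sslfactory=NonValidatingFactory disables certificate validation")
    mode = props.get("sslmode")
    # With ssl=true and no sslmode, pgjdbc defaults to verify-full.
    if mode in NON_VALIDATING_SSLMODES:
        findings.append(f"sslmode={mode} encrypts but does not verify the certificate")
    elif mode is not None and mode not in VALIDATING_SSLMODES:
        findings.append(f"sslmode={mode} is not a recognised pgjdbc value; check driver behaviour")
    return findings
```

Running the check over a proposed Connection Properties block before saving it makes the trade-off of Option 2 visible in change review rather than only in the NOTE above.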