database build update with ssl cert and keys

2017-09-23 19:23:03 -06:00 · 2017-09-23 19:23:03 -06:00 · b5d9c5aedb
commit b5d9c5aedb
parent 0f67979609
10 changed files with 180 additions and 705 deletions
--- a/build/deploy.edex.awips2/esb/bin/setup.env
+++ b/build/deploy.edex.awips2/esb/bin/setup.env
@ -14,6 +14,8 @@ export DB_PORT=5432

 # pypies hdf5 connection
 export PYPIES_SERVER=http://${EDEX_SERVER}:9582
+
+# qpid connection
 export BROKER_ADDR=${EDEX_SERVER}

 # these values are returned to clients that contact the localization service
--- a/edexOsgi/build.edex/opt/db/replication/README
+++ b/edexOsgi/build.edex/opt/db/replication/README
@ -11,9 +11,9 @@ SETUP - ALL SERVERS
 On each server you must add lines to pg_hba.conf to allow remote replication
 connections:

-    host replication replication 127.12.34.0/24 md5
+    host replication replication 12.34.56.0/24 cert clientcert=1

-Replace "127.12.34.0/24" with the standby server IP address (or block).
+Replace "12.34.56.0/24" with the standby server IP address (or block).
 Every server should have one line for every server in the replication setup,
 including itself--thus all servers should have the same lines. This enables
 quickly changing which server is the master without extra configuration.
--- a/edexOsgi/build.edex/opt/db/replication/replication-config.sh
+++ b/edexOsgi/build.edex/opt/db/replication/replication-config.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+
+# This script configures a server to allow Postgres replication:
+# - Creates replication user
+# - Adds lines to pg_hba.conf to allow replication
+#
+# This must run on all servers that will replicate or be replicated. You
+# only need to run this once per server.
+
+psql="/awips2/psql/bin/psql"
+db_superuser=awips
+postgres_data_dir=/awips2/data
+
+cleanup_exit () {
+    echo INFO: Cleaning up.
+    rm -f ${temp_hba_conf}
+    exit $1
+}
+
+temp_hba_conf=$(mktemp || cleanup_exit 1)
+
+if [[ "$(id -u)" -ne 0 ]]; then
+    echo ERROR: You need to be root.
+    cleanup_exit 1
+fi
+
+echo "INFO: Creating replication role"
+
+"${psql}" -v ON_ERROR_STOP=1 --user="${db_superuser}" --db=metadata << EOF || cleanup_exit 1
+    begin transaction;
+    drop role if exists replication;
+    create role replication with replication login password 'replication';
+    commit transaction;
+EOF
+
+grep -Ev "replication" "${postgres_data_dir}/pg_hba.conf" > ${temp_hba_conf}
+cat << EOF >> ${temp_hba_conf} || cleanup_exit 1
+
+# replication connections
+local      replication replication                  trust
+hostssl    replication replication 162.0.0.0/8      cert clientcert=1
+hostssl    replication replication ::1/128          cert clientcert=1
+EOF
+
+echo INFO: Updating pg_hba.conf
+install -T -m 600 -o awips -g fxalpha ${temp_hba_conf} "${postgres_data_dir}/pg_hba.conf" || cleanup_exit 1
+echo "INFO: Finished. No errors reported."
+cleanup_exit 0
--- a/edexOsgi/build.edex/opt/db/replication/setup-standby.sh
+++ b/edexOsgi/build.edex/opt/db/replication/setup-standby.sh
@ -22,9 +22,8 @@
 # Configuration ###############################################################

 # Credentials
-db_superuser=awips  # awipsadmin on 16.4.1 and later
+db_superuser=awips
 db_rep_user=replication # for connecting to master
-db_rep_password=replication

 # Master server info
 master_hostname="$1" # from command line
@ -34,6 +33,13 @@ master_port=5432
 this_host=$(hostname -s)
 local_port=5432
 data_dir=/awips2/data
+ssl_dir=/awips2/database/ssl
+
+# For logging the output of this script
+log_dir=/awips2/database/replication/logs
+# Keep this many logs, delete old ones
+keep_logs=5
+log_file="${log_dir}/setup-standby.$(date +%Y%m%d.%H%M%S).log"

 # Location of PostgreSQL install
 pg_dir=/awips2/postgresql
@ -43,11 +49,15 @@ pg_basebackup=${pg_dir}/bin/pg_basebackup
 pg_ctl=${pg_dir}/bin/pg_ctl
 psql=/awips2/psql/bin/psql

+log() {
+    echo $* | sudo -u awips tee -a "${log_file}"
+}
+
 ###############################################################################


 do_pg_ctl() {
-    "${pg_ctl}" -o \"--port=${local_port}\" -D "${data_dir}" $* >/dev/null 2>&1
+    sudo -u awips "${pg_ctl}" -o \"--port=${local_port}\" -D "${data_dir}" $* >/dev/null 2>&1
    return $?
 }

@ -61,21 +71,22 @@ stop_server() {


 cleanup_exit() {
-    echo "ERROR: There were one or more errors; see above."
-    echo "INFO: Cleaning up."
+    log "ERROR: There were one or more errors; see above."
+    log "INFO: Cleaning up."
    stop_server
    if [[ "$?" -eq 0 ]]; then
-        sleep 1
-        rm -rf "${data_dir}"/*
+        if [[ -d "${data_dir}" ]]; then
+            rm -rf "${data_dir}"/*
+        fi
    else
        # I don't know if this is possible, but if it is, we don't want to
        # delete data dir while server is running
-        echo -n "WARNING: Postgres is still running. "
-        echo "See ${data_dir}/pg_log/postgresql-$(date +%A).log for possible errors."
+        log -n "WARNING: Postgres is still running. "
+        log "See ${data_dir}/pg_log/postgresql-$(date +%A).log for possible errors."
    fi
    if [[ -d "${config_tmpdir}" ]]; then
        if [[ -f "${config_tmpdir}/pg_hba.conf" ]]; then
-            mv "${config_tmpdir}/pg_hba.conf" ${data_dir}
+            sudo -u awips mv "${config_tmpdir}/pg_hba.conf" ${data_dir}
        fi
        if [[ -d "${config_tmpdir}/pg_log" ]]; then
            if [[ -d "${data_dir}/pg_log" ]]; then
@ -83,8 +94,8 @@ cleanup_exit() {
            else
                logdir="${data_dir}/pg_log"
            fi
-            echo "INFO: Moving old logs to ${logdir}"
-            mv "${config_tmpdir}/pg_log" "${logdir}"
+            log "INFO: Moving old logs to ${logdir}"
+            sudo -u awips mv "${config_tmpdir}/pg_log" "${logdir}"
        fi
        rm -rf "${config_tmpdir}"
    fi
@ -101,8 +112,8 @@ if [[ -z "${master_hostname}" ]]; then
    exit 1
 fi

-if [[ "$(id -u)" -ne "$(id -u awips)" ]]; then
-    echo "$(basename $0): Must run as user 'awips'."
+if [[ "$(id -u)" -ne 0 ]]; then
+    echo "$(basename $0): Must run as root."
    exit 1
 fi

@ -115,7 +126,6 @@ if [[ "${master_hostname}" == "${this_host}" ||
    exit 1
 fi

-
 # Warning prompt
 echo "You are about to configure this server (${this_host}) as a PostgreSQL"
 echo "standby server."
@ -137,49 +147,83 @@ fi

 # Actually do it ##############################################################

+# Make log file for script output
+sudo -u awips mkdir -p "${log_dir}" || exit 1
+sudo -u awips touch "${log_file}" || exit 1
+# Purge old logs
+sudo -u awips find "${log_dir}"/*.log -xdev \
+    | sort \
+    | head -n -${keep_logs} \
+    | tr '\n' '\0' \
+    | sudo xargs -0r rm
+
+log "INFO: Starting replication setup on ${this_host}:${local_port}"
+log "INFO: Will replicate ${master_hostname}:${master_port}"
+
 stop_server || exit 1
 trap 'cleanup_exit' SIGINT

-# Backup pg_hba.conf and old logs
-config_tmpdir=$(mktemp -d --tmpdir=${data_dir} .tmp.XXXXXX || cleanup_exit)
+# Get certificates from master
+master_ssl_dir="${ssl_dir}/replication/${master_hostname}"
+sudo -u awips mkdir -p "${master_ssl_dir}"
+log "INFO: Downloading SSL certs and keyfile from ${master_hostname}"
+# must ssh as root to skip password prompt
+rsync --delete-before -av -e ssh \
+    "${master_hostname}":"${master_ssl_dir}"/{replication.crt,replication.key,root.crt} \
+    "${master_ssl_dir}" || exit 1
+chown -R awips:fxalpha "${ssl_dir}"/replication
+find "${ssl_dir}"/replication -xdev -type f -exec chmod 600 {} \;
+find "${ssl_dir}"/replication -xdev -type d -exec chmod 700 {} \;
+
+# Backup pg_hba.conf and old postgres logs
+config_tmpdir=$(sudo -u awips mktemp -d --tmpdir=${data_dir} .tmp.XXXXXX || cleanup_exit)
 if [[ -f "${data_dir}/pg_hba.conf" ]]; then
-    cp -a "${data_dir}/pg_hba.conf" "${config_tmpdir}" || cleanup_exit
+    sudo -u awips cp -a "${data_dir}/pg_hba.conf" "${config_tmpdir}" || cleanup_exit
 fi
 if [[ -d "${data_dir}/pg_log" ]]; then
-    cp -a "${data_dir}/pg_log" "${config_tmpdir}" || cleanup_exit
+    sudo -u awips cp -a "${data_dir}/pg_log" "${config_tmpdir}" || cleanup_exit
 fi

 # Prepare data directory
+log "INFO: Recreating ${data_dir}"
 if [[ -d "${data_dir}" ]]; then
    rm -rf "${data_dir}"/*
 else
-    mkdir -p "${data_dir}" || exit 1
-    chmod 700 "${data_dir}" || exit 1
+    sudo -u awips mkdir -p "${data_dir}" || exit 1
+    sudo -u awips chmod 700 "${data_dir}" || exit 1
 fi

+# SSL connection string parts
+# needed for basebackup and recovery.conf
+sslmode_part="sslmode=verify-ca"
+sslcert_part="sslcert=${master_ssl_dir}/replication.crt"
+sslkey_part="sslkey=${master_ssl_dir}/replication.key"
+sslrootcert_part="sslrootcert=${master_ssl_dir}/root.crt"
+ssl_part="${sslmode_part} ${sslcert_part} ${sslkey_part} ${sslrootcert_part}"

 # pg_basebackup will not write to a non-empty directory
 # so we have to make a temporary one
-data_tmpdir=$(mktemp -d --tmpdir=${data_dir} .tmp.XXXX || cleanup_exit)
+data_tmpdir=$(sudo -u awips mktemp -d --tmpdir=${data_dir} .tmp.XXXX || cleanup_exit)
 # Fetch and install base backup
-echo "INFO: Fetching base backup from ${master_hostname}"
-echo "Enter the password for the '${db_rep_user}' role now, if prompted."
-"${pg_basebackup}" \
+log "INFO: Fetching base backup from ${master_hostname}"
+log "Enter the password for the '${db_rep_user}' role now, if prompted."
+sudo -u awips "${pg_basebackup}" \
    --host="${master_hostname}" \
    --verbose --progress --xlog-method=fetch \
    --username="${db_rep_user}" --format=tar --gzip \
    --port=${master_port} \
+    --db="${ssl_part}" \
    -D "${data_tmpdir}" || cleanup_exit
-mv "${data_tmpdir}"/*.tar.gz "${data_dir}" || cleanup_exit
+sudo -u awips mv "${data_tmpdir}"/*.tar.gz "${data_dir}" || cleanup_exit

-echo "INFO: Installing base backup to ${data_dir}"
+log "INFO: Installing base backup to ${data_dir}"
 pushd "${data_dir}" > /dev/null || cleanup_exit
-tar xzf "${data_dir}/base.tar.gz" || cleanup_exit
+sudo -u awips tar xzf "${data_dir}/base.tar.gz" || cleanup_exit
 popd > /dev/null
 rm -f "${data_dir}/base.tar.gz"

 # Install tablespaces
-echo INFO: Unpacking tablespaces
+log INFO: Unpacking tablespaces
 # On Postgres 9.5 and later we need to read tablespace_map and create the
 # symlinks ourselves
 if [[ -f "${data_dir}/tablespace_map" ]]; then
@ -188,7 +232,7 @@ if [[ -f "${data_dir}/tablespace_map" ]]; then
        ts_path="$(echo "$line" | cut -d' ' -f2-)"
        if [[ -n "${ts_num}" && -n "${ts_path}" ]]; then
            rm -f "${data_dir}/pg_tblspc/${ts_num}"
-            ln -sf "${ts_path}" "${data_dir}/pg_tblspc/${ts_num}" || cleanup_exit
+            sudo -u awips ln -sf "${ts_path}" "${data_dir}/pg_tblspc/${ts_num}" || cleanup_exit
        fi
    done < "${data_dir}/tablespace_map"
    rm -f "${data_dir}/tablespace_map"
@ -197,25 +241,33 @@ fi
 # Now unpack each tar in the right place
 for ts_link in "${data_dir}/pg_tblspc"/*; do
    this_ts=$(readlink "${ts_link}")
-    echo -n "  ${this_ts}..."
+    log -n "  ${this_ts}..."
    tar_name=$(basename "${ts_link}")
    if [[ -d "${this_ts}" ]]; then
        rm -rf "${this_ts}"/*
    else
-        mkdir -p "${this_ts}" || cleanup_exit
+        sudo -u awips mkdir -p "${this_ts}" || cleanup_exit
    fi
    pushd "${this_ts}" > /dev/null
-    tar xzf "${data_dir}/${tar_name}.tar.gz" || cleanup_exit
+    sudo -u awips tar xzf "${data_dir}/${tar_name}.tar.gz" || cleanup_exit
    popd > /dev/null
    rm -f "${data_dir}/${tar_name}.tar.gz"
-    echo done.
+    log done.
 done

 # Write recovery.conf
-echo "INFO: Writing ${data_dir}/recovery.conf"
-cat > "${data_dir}/recovery.conf" << EOF || cleanup_exit
+
+host_part="host=${master_hostname}"
+port_part="port=${master_port}"
+user_part="user=${db_rep_user}"
+primary_conninfo="${host_part} ${port_part} ${user_part} ${ssl_part}"
+
+log "INFO: Writing ${data_dir}/recovery.conf"
+rm -f "${data_dir}/recovery.conf"
+sudo -u awips touch "${data_dir}"/recovery.conf
+cat >> "${data_dir}/recovery.conf" << EOF || cleanup_exit
 standby_mode='on'
-primary_conninfo='host=${master_hostname} port=${master_port} user=${db_rep_user} password=${db_rep_password}'
+primary_conninfo='${primary_conninfo}' 
 recovery_target_timeline='latest'
 trigger_file='${data_dir}/promote'
 EOF
@ -224,35 +276,35 @@ rm -f "${data_dir}/recovery.done"

 # Install pg_hba.conf
 if [[ -f "${config_tmpdir}/pg_hba.conf" ]]; then
-    echo "INFO: Installing ${data_dir}/pg_hba.conf"
-    mv "${config_tmpdir}/pg_hba.conf" "${data_dir}"
+    log "INFO: Installing ${data_dir}/pg_hba.conf"
+    sudo -u awips mv "${config_tmpdir}/pg_hba.conf" "${data_dir}"
 fi

 # Save old pg_logs
 if [[ -d "${config_tmpdir}/pg_log" ]]; then
    logdir_ts=$(date +%F_%H%M%S)
-    echo "INFO: Moving old logs to ${data_dir}/pg_log-${logdir_ts}"
-    mv "${config_tmpdir}/pg_log" "${data_dir}/pg_log-${logdir_ts}"
+    log "INFO: Moving old logs to ${data_dir}/pg_log-${logdir_ts}"
+    sudo -u awips mv "${config_tmpdir}/pg_log" "${data_dir}/pg_log-${logdir_ts}"
 fi

 # Start it up and run test query
-echo "INFO: Starting PostgreSQL"
+log "INFO: Starting PostgreSQL"
 do_pg_ctl start -w || cleanup_exit

-echo "INFO: Testing read-only connection to standby"
-is_recovery=$("${psql}" \
+log "INFO: Testing read-only connection to standby"
+is_recovery=$(sudo -u awips "${psql}" \
  -U "${db_superuser}" \
  --port=${local_port} \
  --db=metadata \
  -Aqtc "select pg_is_in_recovery();")

 if [[ "${is_recovery}" != "t" ]]; then
-    echo "ERROR: It looks like this server failed to start up properly, or is"
-    echo "ERROR: not in recovery mode."
+    log "ERROR: It looks like this server failed to start up properly, or is"
+    log "ERROR: not in recovery mode."
    cleanup_exit
 fi

 rm -rf ${config_tmpdir}
 rm -rf ${data_tmpdir}

-echo "INFO: Setup is complete. No errors reported."
+log "INFO: Setup is complete. No errors reported."
--- a/rpms/awips2.core/Installer.database-server-configuration/configuration/postgresql.conf.centralRegistry
+++ b/rpms/awips2.core/Installer.database-server-configuration/configuration/postgresql.conf.centralRegistry
@ -1,572 +0,0 @@
-# -----------------------------
-# PostgreSQL configuration file
-# -----------------------------
-#
-# This file consists of lines of the form:
-#
-#   name = value
-#
-# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
-# "#" anywhere on a line.  The complete list of parameter names and allowed
-# values can be found in the PostgreSQL documentation.
-#
-# The commented-out settings shown in this file represent the default values.
-# Re-commenting a setting is NOT sufficient to revert it to the default value;
-# you need to reload the server.
-#
-# This file is read on server startup and when the server receives a SIGHUP
-# signal.  If you edit the file on a running system, you have to SIGHUP the
-# server for the changes to take effect, or use "pg_ctl reload".  Some
-# parameters, which are marked below, require a server shutdown and restart to
-# take effect.
-#
-# Any parameter can also be given as a command-line option to the server, e.g.,
-# "postgres -c log_connections=on".  Some parameters can be changed at run time
-# with the "SET" SQL command.
-#
-# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
-#                MB = megabytes                     s   = seconds
-#                GB = gigabytes                     min = minutes
-#                                                   h   = hours
-#                                                   d   = days
-
-
-#------------------------------------------------------------------------------
-# FILE LOCATIONS
-#------------------------------------------------------------------------------
-
-# The default values of these variables are driven from the -D command-line
-# option or PGDATA environment variable, represented here as ConfigDir.
-
-#data_directory = 'ConfigDir'		# use data in another directory
-					# (change requires restart)
-#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
-					# (change requires restart)
-#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
-					# (change requires restart)
-
-# If external_pid_file is not explicitly set, no extra PID file is written.
-#external_pid_file = ''			# write an extra PID file
-					# (change requires restart)
-
-
-#------------------------------------------------------------------------------
-# CONNECTIONS AND AUTHENTICATION
-#------------------------------------------------------------------------------
-
-# - Connection Settings -
-
-listen_addresses = '*'		# what IP address(es) to listen on;
-					# comma-separated list of addresses;
-					# defaults to 'localhost'; use '*' for all
-					# (change requires restart)
-port = 5432				# (change requires restart)
-max_connections = 400			# (change requires restart)
-# Note:  Increasing max_connections costs ~400 bytes of shared memory per
-# connection slot, plus lock space (see max_locks_per_transaction).
-#superuser_reserved_connections = 3	# (change requires restart)
-#unix_socket_directory = ''		# (change requires restart)
-#unix_socket_group = ''			# (change requires restart)
-#unix_socket_permissions = 0777		# begin with 0 to use octal notation
-					# (change requires restart)
-#bonjour = off				# advertise server via Bonjour
-					# (change requires restart)
-#bonjour_name = ''			# defaults to the computer name
-					# (change requires restart)
-
-# - Security and Authentication -
-
-#authentication_timeout = 1min		# 1s-600s
-#ssl = off				# (change requires restart)
-#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
-					# (change requires restart)
-#ssl_renegotiation_limit = 512MB	# amount of data between renegotiations
-#ssl_cert_file = 'server.crt'		# (change requires restart)
-#ssl_key_file = 'server.key'		# (change requires restart)
-#ssl_ca_file = ''			# (change requires restart)
-#ssl_crl_file = ''			# (change requires restart)
-#password_encryption = on
-#db_user_namespace = off
-
-# Kerberos and GSSAPI
-#krb_server_keyfile = ''
-#krb_srvname = 'postgres'		# (Kerberos only)
-#krb_caseins_users = off
-
-# - TCP Keepalives -
-# see "man 7 tcp" for details
-
-#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
-					# 0 selects the system default
-#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
-					# 0 selects the system default
-#tcp_keepalives_count = 0		# TCP_KEEPCNT;
-					# 0 selects the system default
-
-
-#------------------------------------------------------------------------------
-# RESOURCE USAGE (except WAL)
-#------------------------------------------------------------------------------
-
-# - Memory -
-
-shared_buffers = 128MB			# min 128kB
-					# (change requires restart)
-temp_buffers = 16MB			# min 800kB
-#max_prepared_transactions = 0		# zero disables the feature
-					# (change requires restart)
-# Note:  Increasing max_prepared_transactions costs ~600 bytes of shared memory
-# per transaction slot, plus lock space (see max_locks_per_transaction).
-# It is not advisable to set max_prepared_transactions nonzero unless you
-# actively intend to use prepared transactions.
-work_mem = 32MB				# min 64kB
-maintenance_work_mem = 32MB		# min 1MB
-#max_stack_depth = 2MB			# min 100kB
-
-# - Disk -
-
-#temp_file_limit = -1			# limits per-session temp file space
-					# in kB, or -1 for no limit
-
-# - Kernel Resource Usage -
-
-#max_files_per_process = 1000		# min 25
-					# (change requires restart)
-#shared_preload_libraries = ''		# (change requires restart)
-
-# - Cost-Based Vacuum Delay -
-
-#vacuum_cost_delay = 0ms		# 0-100 milliseconds
-#vacuum_cost_page_hit = 1		# 0-10000 credits
-#vacuum_cost_page_miss = 10		# 0-10000 credits
-#vacuum_cost_page_dirty = 20		# 0-10000 credits
-#vacuum_cost_limit = 200		# 1-10000 credits
-
-# - Background Writer -
-
-#bgwriter_delay = 200ms			# 10-10000ms between rounds
-#bgwriter_lru_maxpages = 100		# 0-1000 max buffers written/round
-#bgwriter_lru_multiplier = 2.0		# 0-10.0 multipler on buffers scanned/round
-
-# - Asynchronous Behavior -
-
-#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
-
-
-#------------------------------------------------------------------------------
-# WRITE AHEAD LOG
-#------------------------------------------------------------------------------
-
-# - Settings -
-
-wal_level = hot_standby			# minimal, archive, or hot_standby
-					# (change requires restart)
-fsync = off				# turns forced synchronization on or off
-#synchronous_commit = on		# synchronization level;
-					# off, local, remote_write, or on
-#wal_sync_method = fsync		# the default is the first option
-					# supported by the operating system:
-					#   open_datasync
-					#   fdatasync (default on Linux)
-					#   fsync
-					#   fsync_writethrough
-					#   open_sync
-#full_page_writes = on			# recover from partial page writes
-#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
-					# (change requires restart)
-#wal_writer_delay = 200ms		# 1-10000 milliseconds
-
-commit_delay = 50000			# range 0-100000, in microseconds
-commit_siblings = 5			# range 1-1000
-
-# - Checkpoints -
-
-checkpoint_segments = 10		# in logfile segments, min 1, 16MB each
-#checkpoint_timeout = 5min		# range 30s-1h
-#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
-#checkpoint_warning = 30s		# 0 disables
-
-# - Archiving -
-
-#archive_mode = off		# allows archiving to be done
-				# (change requires restart)
-#archive_command = ''		# command to use to archive a logfile segment
-				# placeholders: %p = path of file to archive
-				#               %f = file name only
-				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
-#archive_timeout = 0		# force a logfile segment switch after this
-				# number of seconds; 0 disables
-
-#------------------------------------------------------------------------------
-# REPLICATION
-#------------------------------------------------------------------------------
-
-# - Sending Server(s) -
-
-# Set these on the master and on any standby that will send replication data.
-
-max_wal_senders = 5		# max number of walsender processes
-				# (change requires restart)
-
-wal_keep_segments = 64		# in logfile segments, 16MB each; 0 disables
-#replication_timeout = 60s	# in milliseconds; 0 disables
-
-# - Master Server -
-
-# These settings are ignored on a standby server.
-
-#synchronous_standby_names = ''	# standby servers that provide sync rep
-				# comma-separated list of application_name
-				# from standby(s); '*' = all
-#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
-
-# - Standby Servers -
-
-# These settings are ignored on a master server.
-
-hot_standby = on			# "on" allows queries during recovery
-					# (change requires restart)
-#max_standby_archive_delay = 30s	# max delay before canceling queries
-					# when reading WAL from archive;
-					# -1 allows indefinite delay
-#max_standby_streaming_delay = 30s	# max delay before canceling queries
-					# when reading streaming WAL;
-					# -1 allows indefinite delay
-#wal_receiver_status_interval = 10s	# send replies at least this often
-					# 0 disables
-#hot_standby_feedback = off		# send info from standby to prevent
-					# query conflicts
-
-
-#------------------------------------------------------------------------------
-# QUERY TUNING
-#------------------------------------------------------------------------------
-
-# - Planner Method Configuration -
-
-#enable_bitmapscan = on
-#enable_hashagg = on
-#enable_hashjoin = on
-#enable_indexscan = on
-#enable_indexonlyscan = on
-#enable_material = on
-#enable_mergejoin = on
-#enable_nestloop = on
-#enable_seqscan = on
-#enable_sort = on
-#enable_tidscan = on
-
-# - Planner Cost Constants -
-
-#seq_page_cost = 1.0			# measured on an arbitrary scale
-#random_page_cost = 4.0			# same scale as above
-#cpu_tuple_cost = 0.01			# same scale as above
-#cpu_index_tuple_cost = 0.005		# same scale as above
-#cpu_operator_cost = 0.0025		# same scale as above
-effective_cache_size = 512MB
-
-# - Genetic Query Optimizer -
-
-#geqo = on
-#geqo_threshold = 12
-#geqo_effort = 5			# range 1-10
-#geqo_pool_size = 0			# selects default based on effort
-#geqo_generations = 0			# selects default based on effort
-#geqo_selection_bias = 2.0		# range 1.5-2.0
-#geqo_seed = 0.0			# range 0.0-1.0
-
-# - Other Planner Options -
-
-default_statistics_target = 100	        # range 1-10000
-#constraint_exclusion = partition	# on, off, or partition
-#cursor_tuple_fraction = 0.1		# range 0.0-1.0
-#from_collapse_limit = 8
-#join_collapse_limit = 8		# 1 disables collapsing of explicit
-					# JOIN clauses
-
-
-#------------------------------------------------------------------------------
-# ERROR REPORTING AND LOGGING
-#------------------------------------------------------------------------------
-
-# - Where to Log -
-
-#log_destination = 'stderr'		# Valid values are combinations of
-					# stderr, csvlog, syslog, and eventlog,
-					# depending on platform.  csvlog
-					# requires logging_collector to be on.
-
-# This is used when logging to stderr:
-logging_collector = on		        # Enable capturing of stderr and csvlog
-					# into log files. Required to be on for
-					# csvlogs.
-					# (change requires restart)
-
-# These are only used if logging_collector is on:
-log_directory = 'pg_log'		# directory where log files are written,
-					# can be absolute or relative to PGDATA
-log_filename = 'postgresql-%A.log'	# log file name pattern,
-					# can include strftime() escapes
-#log_file_mode = 0600			# creation mode for log files,
-					# begin with 0 to use octal notation
-log_truncate_on_rotation = on		# If on, an existing log file with the
-					# same name as the new log file will be
-					# truncated rather than appended to.
-					# But such truncation only occurs on
-					# time-driven rotation, not on restarts
-					# or size-driven rotation.  Default is
-					# off, meaning append to existing files
-					# in all cases.
-log_rotation_age = 1d			# Automatic rotation of logfiles will
-					# happen after that time.  0 disables.
-log_rotation_size = 0		        # Automatic rotation of logfiles will
-					# happen after that much log output.
-					# 0 disables.
-
-# These are relevant when logging to syslog:
-#syslog_facility = 'LOCAL0'
-#syslog_ident = 'postgres'
-
-# This is only relevant when logging to eventlog (win32):
-#event_source = 'PostgreSQL'
-
-# - When to Log -
-
-#client_min_messages = notice		# values in order of decreasing detail:
-					#   debug5
-					#   debug4
-					#   debug3
-					#   debug2
-					#   debug1
-					#   log
-					#   notice
-					#   warning
-					#   error
-
-#log_min_messages = warning		# values in order of decreasing detail:
-					#   debug5
-					#   debug4
-					#   debug3
-					#   debug2
-					#   debug1
-					#   info
-					#   notice
-					#   warning
-					#   error
-					#   log
-					#   fatal
-					#   panic
-
-#log_min_error_statement = error	# values in order of decreasing detail:
-				 	#   debug5
-					#   debug4
-					#   debug3
-					#   debug2
-					#   debug1
-				 	#   info
-					#   notice
-					#   warning
-					#   error
-					#   log
-					#   fatal
-					#   panic (effectively off)
-
-#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
-					# and their durations, > 0 logs only
-					# statements running at least this number
-					# of milliseconds
-
-
-# - What to Log -
-
-#debug_print_parse = off
-#debug_print_rewritten = off
-#debug_print_plan = off
-#debug_pretty_print = on
-#log_checkpoints = off
-#log_connections = off
-#log_disconnections = off
-#log_duration = off
-#log_error_verbosity = default		# terse, default, or verbose messages
-#log_hostname = off
-log_line_prefix = '%t %x %d : %h : '	# special values:
-					#   %a = application name
-					#   %u = user name
-					#   %d = database name
-					#   %r = remote host and port
-					#   %h = remote host
-					#   %p = process ID
-					#   %t = timestamp without milliseconds
-					#   %m = timestamp with milliseconds
-					#   %i = command tag
-					#   %e = SQL state
-					#   %c = session ID
-					#   %l = session line number
-					#   %s = session start timestamp
-					#   %v = virtual transaction ID
-					#   %x = transaction ID (0 if none)
-					#   %q = stop here in non-session
-					#        processes
-					#   %% = '%'
-					# e.g. '<%u%%%d> '
-#log_lock_waits = off			# log lock waits >= deadlock_timeout
-#log_statement = 'none'			# none, ddl, mod, all
-#log_temp_files = -1			# log temporary files equal or larger
-					# than the specified size in kilobytes;
-					# -1 disables, 0 logs all temp files
-log_timezone = 'UTC'
-
-
-#------------------------------------------------------------------------------
-# RUNTIME STATISTICS
-#------------------------------------------------------------------------------
-
-# - Query/Index Statistics Collector -
-
-#track_activities = on
-track_counts = on
-#track_io_timing = off
-#track_functions = none			# none, pl, all
-#track_activity_query_size = 1024 	# (change requires restart)
-#update_process_title = on
-#stats_temp_directory = 'pg_stat_tmp'
-
-
-# - Statistics Monitoring -
-
-#log_parser_stats = off
-#log_planner_stats = off
-#log_executor_stats = off
-#log_statement_stats = off
-
-
-#------------------------------------------------------------------------------
-# AUTOVACUUM PARAMETERS
-#------------------------------------------------------------------------------
-
-autovacuum = on			        # Enable autovacuum subprocess?  'on'
-					# requires track_counts to also be on.
-log_autovacuum_min_duration = 120s	# -1 disables, 0 logs all actions and
-					# their durations, > 0 logs only
-					# actions running at least this number
-					# of milliseconds.
-autovacuum_max_workers = 6		# max number of autovacuum subprocesses
-					# (change requires restart)
-autovacuum_naptime = 30s		# time between autovacuum runs
-autovacuum_vacuum_threshold = 500	# min number of row updates before
-					# vacuum
-autovacuum_analyze_threshold = 250	# min number of row updates before
-					# analyze
-autovacuum_vacuum_scale_factor = 0.15	# fraction of table size before vacuum
-autovacuum_analyze_scale_factor = 0.075	# fraction of table size before analyze
-#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
-					# (change requires restart)
-autovacuum_vacuum_cost_delay = 10ms	# default vacuum cost delay for
-					# autovacuum, in milliseconds;
-					# -1 means use vacuum_cost_delay
-autovacuum_vacuum_cost_limit = 1000	# default vacuum cost limit for
-					# autovacuum, -1 means use vacuum_cost_limit
-
-
-#------------------------------------------------------------------------------
-# CLIENT CONNECTION DEFAULTS
-#------------------------------------------------------------------------------
-
-# - Statement Behavior -
-
-#search_path = '"$user",public'		# schema names
-#default_tablespace = ''		# a tablespace name, '' uses the default
-#temp_tablespaces = ''			# a list of tablespace names, '' uses
-					# only default tablespace
-#check_function_bodies = on
-#default_transaction_isolation = 'read committed'
-#default_transaction_read_only = off
-#default_transaction_deferrable = off
-#session_replication_role = 'origin'
-statement_timeout = 1800000		# in milliseconds, 0 is disabled
-#vacuum_freeze_min_age = 50000000
-#vacuum_freeze_table_age = 150000000
-bytea_output = 'escape'			# hex, escape
-#xmlbinary = 'base64'
-#xmloption = 'content'
-
-# - Locale and Formatting -
-
-datestyle = 'iso, mdy'
-#intervalstyle = 'postgres'
-timezone = 'GMT'
-#timezone_abbreviations = 'Default'     # Select the set of available time zone
-					# abbreviations.  Currently, there are
-					#   Default
-					#   Australia
-					#   India
-					# You can create your own file in
-					# share/timezonesets/.
-#extra_float_digits = 0			# min -15, max 3
-#client_encoding = sql_ascii		# actually, defaults to database
-					# encoding
-
-# These settings are initialized by initdb, but they can be changed.
-lc_messages = 'en_US.UTF-8'			# locale for system error message
-					# strings
-lc_monetary = 'en_US.UTF-8'			# locale for monetary formatting
-lc_numeric = 'en_US.UTF-8'			# locale for number formatting
-lc_time = 'en_US.UTF-8'				# locale for time formatting
-
-# default configuration for text search
-default_text_search_config = 'pg_catalog.english'
-
-# - Other Defaults -
-
-#dynamic_library_path = '$libdir'
-#local_preload_libraries = ''
-
-
-#------------------------------------------------------------------------------
-# LOCK MANAGEMENT
-#------------------------------------------------------------------------------
-
-#deadlock_timeout = 1s
-#max_locks_per_transaction = 64		# min 10
-					# (change requires restart)
-# Note:  Each lock table slot uses ~270 bytes of shared memory, and there are
-# max_locks_per_transaction * (max_connections + max_prepared_transactions)
-# lock table slots.
-#max_pred_locks_per_transaction = 64	# min 10
-					# (change requires restart)
-
-
-#------------------------------------------------------------------------------
-# VERSION/PLATFORM COMPATIBILITY
-#------------------------------------------------------------------------------
-
-# - Previous PostgreSQL Versions -
-
-#array_nulls = on
-#backslash_quote = safe_encoding	# on, off, or safe_encoding
-#default_with_oids = off
-#escape_string_warning = on
-#lo_compat_privileges = off
-#quote_all_identifiers = off
-#sql_inheritance = on
-#standard_conforming_strings = on
-#synchronize_seqscans = on
-
-# - Other Platforms and Clients -
-
-#transform_null_equals = off
-
-
-#------------------------------------------------------------------------------
-# ERROR HANDLING
-#------------------------------------------------------------------------------
-
-#exit_on_error = off			# terminate session on any error?
-#restart_after_crash = on		# reinitialize after backend crash?
-
-
-#------------------------------------------------------------------------------
-# CUSTOMIZED OPTIONS
-#------------------------------------------------------------------------------
-
-# Add settings for extensions here
--- a/rpms/awips2.core/Installer.database-server-configuration/configuration/root.crt
+++ b/rpms/awips2.core/Installer.database-server-configuration/configuration/root.crt
@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDOTCCAiGgAwIBAgIJAIsJUossJEAhMA0GCSqGSIb3DQEBBQUAMDMxDjAMBgNV
-BAoMBUFXSVBTMRAwDgYDVQQLDAdUZXN0aW5nMQ8wDQYDVQQDDAZjYXJvb3QwHhcN
-MTYxMTIwMDAyNzQ0WhcNNDYxMTEzMDAyNzQ0WjAzMQ4wDAYDVQQKDAVBV0lQUzEQ
-MA4GA1UECwwHVGVzdGluZzEPMA0GA1UEAwwGY2Fyb290MIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA1aBCQLlOpbC7/ikudAmYdTgI16FecS8yItRzMMgX
-Po589JRydYe+3Wv4gaVZAktoCFCuoik9DRnewzqPxGzAOrq+QfPKRQhY0AdDZP4v
-c82r8C0ga/SZTImST/Y+WA7dJ6eRGfDiOIS/auQ0zcfrGFv4//I5+Sa+5dQNe0me
-pyAKaYTzrZWKrSsZbjxs1nHd+0ahIzgwWGb3UDY9MNMtP9/EvhRZkxgjeTnVZD8X
-aOLiwCIBALoGayId5wbXjyUIRzelPQPCXAADQcewlnlvbLadTXVCA3rP7TvNyx0W
-blpluNBg0o6sjlo2bzInBswHsFHUOZPcJT6pLhGRC52eNwIDAQABo1AwTjAdBgNV
-HQ4EFgQUjRTZ3Toe0L+XZodTnOTtpR39eJUwHwYDVR0jBBgwFoAUjRTZ3Toe0L+X
-ZodTnOTtpR39eJUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAuvXD
-Hm5cJxtP3phZYAOdrSxJkJg/gMmRBLsS2GksPks07pelSxPySRjVZCJSDd8zbSc5
-DGdFBMI0Xdk7+V5KxP6ATfyc37GoxGG7ygbUjLvmlzsg2i+a0wIDjILyzisicA0q
-DyCLZGxNahFUrhci0mpKAr/RaGr4Hx4R+JMItP3sxysVbIhc4wdm4mRTA3n8Eru3
-hcPpLQlqLheVuCIECxMG+eVKVevZWN0gqiEA7C+pByMxASqeHc6SRCXHx8/GJPmw
-ocaHpJ7Iib2kMLeBT24R+RNHEpPknf/PkgwvM0BLPqlk8cNqAR7TZ/OtX1ffmPbv
-t+nP8jegKGo4lVr3Fg==
-----END CERTIFICATE-----
--- a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.crt
+++ b/rpms/awips2.core/Installer.database-server-configuration/configuration/server.crt
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC5TCCAc0CCQDkIgVweT7S1zANBgkqhkiG9w0BAQUFADAzMQ4wDAYDVQQKDAVB
-V0lQUzEQMA4GA1UECwwHVGVzdGluZzEPMA0GA1UEAwwGY2Fyb290MB4XDTE2MTEy
-MDAwMjc0NVoXDTQ2MTExMzAwMjc0NVowNjEOMAwGA1UECgwFQVdJUFMxEDAOBgNV
-BAsMB1Rlc3RpbmcxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMWhdkvvIyM+onkzDIrewNHZrqDhNi69xG1fl7+Jr0vf
-FQFJUXp5NzSBZvoRXRMXu+u2BVwlA0evuAOzQ7Ael+CA9/xfwc5C3hMp9go4V9TA
-0wrdJdrdUvdat3zTZNw8pn7hQIQp5pJLTTXHDwxa/WTsDpdnd9AqLOQgLYfTtfDy
-NYY+Q+BHUHaxT+VpB8Q4BvR0Kind1+L8MGv9D3dokB76+gSRMcLIwluCkSN/I6G4
-nWsPtgNNf38pmootuxoCjqzTjeRfTiTRJCOTM8iVdeWnidNyYn9j3tVNDazuKMB6
-wkKz/amuaPsmMex9LjQOYyt/3gKlMVQp1GHl7r/JXJ0CAwEAATANBgkqhkiG9w0B
-AQUFAAOCAQEAjkABv9kOD6hAOyUUMCnMUbOHbW0blenW7aDClFJH7UlC8XVHpSW1
-ZJlAjrXjBXwyV0imyEBBu9l03ej2p4+eCyMyuSUiUzVzDC9y3lKQo5tkPcmv/hid
-PsNWn2cKC4mRIoMzUypzZ2VdP4deaVGsTP9tclJOWb+osmvj4Fv/olXzz7/6WDdd
-idnAvLdk6x3MKZZxSTtqSUXiVdGWdwBmj8MKQs+wTuehc90qVwcVu3yuJU8vjeDC
-BqtptjGZBfN66FzV4sKOMLE7RVcdQvlMQ1UQrHvnQx2KHBUrZu3AEWNJQ8mvzADf
-PXp0rzotjHX+QKsaEtj3MTKzegfo5PE7zQ==
-----END CERTIFICATE-----
--- a/rpms/awips2.core/Installer.database-server-configuration/configuration/server.key
+++ b/rpms/awips2.core/Installer.database-server-configuration/configuration/server.key
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDFoXZL7yMjPqJ5
-MwyK3sDR2a6g4TYuvcRtX5e/ia9L3xUBSVF6eTc0gWb6EV0TF7vrtgVcJQNHr7gD
-s0OwHpfggPf8X8HOQt4TKfYKOFfUwNMK3SXa3VL3Wrd802TcPKZ+4UCEKeaSS001
-xw8MWv1k7A6XZ3fQKizkIC2H07Xw8jWGPkPgR1B2sU/laQfEOAb0dCop3dfi/DBr
-/Q93aJAe+voEkTHCyMJbgpEjfyOhuJ1rD7YDTX9/KZqKLbsaAo6s043kX04k0SQj
-kzPIlXXlp4nTcmJ/Y97VTQ2s7ijAesJCs/2prmj7JjHsfS40DmMrf94CpTFUKdRh
-5e6/yVydAgMBAAECggEBAK1v10soYGPL0fYfMMCmX/1J1hDl1BENBNcfbyLuh+JD
-skFgwJqEykfP0DlhB5d72rUvFmEZMlm1Af5tUde74XlqdTcMKh8DW7ThvESX0ayq
-VAtSrKf4V5kwCZsIQZltuIfc0iuqQejdILMzMCedqobpCp0gdms+uAqzmoF68E60
-FQ2UEyOaiJLXxAV5ZqB/nRFAGhRGAYUKMAfljzo0xtGgrAvrbQcyQ5IAkYNM+dbc
-Mkdf9E8d5EQ0jIOoBhambX36IF6emSkVeLKqPOemE7MoxnGFdxdmZpAMziLPrMfq
-WX8oGB+hNuhdhI/3SMW3s8SejIjGmunDi7NQyQmLdoECgYEA8pBg0OVt4uNiTWPU
-M8BMMOl5rrZijjvqgJCiaxy8xBqaGjC/4CvWExcbPqRQR7ZD/jGG4nQQ8g8fhgNb
-H9/oiEsMg1VirHIZ6nD4H3y2bfBqQAfsNCdVx9Z1aucdebg+vdEv8XnCsCaZitJW
-T1T5vecgqXBHPpppYz1lx8PP160CgYEA0JPrEPfi6HbCARpfPtnQFwZjfIbOzxLn
-Cm1g3BCoiMAcH84ECgNqUU/5z05TYS+lZp4gybxTPzRxziCWcAobksI1Jpja5LKE
-XkIhp8wO6O/wxFLEN7SIfG8On690KAF2uJA9MseE2ts01B9ud7DQW/cQXxUpYdUC
-FspfbSHJ9rECgYEA1tTAqsNIu7agDeLowp0B3iAqwW6Pg2HVo+B1uWBOX3EgIyoi
-Bq1MgMPqQWTOJXVsaun6iP47M+fpB4xZXLW3AV9WycsKBalZAqbjWx/dgyl3MRbT
-QK3F76QlgnUHShLAnuVzDO/GWrUVMDpybvjX6DWYW/kxYGTqChcK2g63OlECgYA3
-+bp4D06B/H0MNrug7mt+AmToonUV9Yizr67y4DWanZPupSdIWKpLsB7ml6qgxlyp
-MX6zJStiJvzzyKMW5l+H/z6sYRE9lvsXIMBPe9/0e5At39hw6q5GVreh+0A9DEeE
-OJFz8z+gTHvdAaJv1K/WPnPSUKeObc/lteHuM8czwQKBgQDf+aHu4kC0szBq80YB
-mgw41kVMmlJRMlkPFaeldYUlAspoPfCY/10d0ch6nrd5SDnHB/TydndNeh6VHXqn
-5t1iieZp+lQVy6GVLxeneW/9R6GgznULnZc0C76+gMhaUN7gE6tAceOg+sR46AhN
-7kqJhJZZSGEYlySXi29d+RYQtQ==
-----END PRIVATE KEY-----
--- a/rpms/awips2.core/Installer.database/component.spec
+++ b/rpms/awips2.core/Installer.database/component.spec
@ -22,7 +22,7 @@ Packager: %{_build_site}
 AutoReq: no
 Provides: awips2-database
 Provides: awips2-static-user
-Requires: libpng
+Requires: libpng, awips2
 Requires: awips2-postgresql
 Requires: awips2-psql
 Requires: netcdf = 4.1.2
@ -50,18 +50,18 @@ if [ $? -ne 0 ]; then
   exit 1
 fi

-PROJECT_DIR="Installer.database"
-CONFIGURATION_DIR="rpms/awips2.core/${PROJECT_DIR}/configuration"
-CONF_FILE="postgresql.conf"
-
-cp %{_baseline_workspace}/${CONFIGURATION_DIR}/${CONF_FILE} \
-   ${RPM_BUILD_ROOT}/awips2/data
-
-
-mkdir -p ${RPM_BUILD_ROOT}/awips2/database
+mkdir -p ${RPM_BUILD_ROOT}/awips2/database/ssl
 if [ $? -ne 0 ]; then
   exit 1
 fi
+CONFIGURATION_DIR="rpms/awips2.core/Installer.database/configuration"
+CONF_FILE="postgresql.conf"
+
+cp -p %{_baseline_workspace}/${CONFIGURATION_DIR}/*.{key,crt} \
+   ${RPM_BUILD_ROOT}/awips2/database/ssl
+
+cp %{_baseline_workspace}/${CONFIGURATION_DIR}/${CONF_FILE} \
+   ${RPM_BUILD_ROOT}/awips2/data

 PATH_TO_DDL="build.edex/opt/db/ddl"
 PATH_TO_REPLICATION="build.edex/opt/db/replication"
@ -153,7 +153,6 @@ MAPS=${AWIPS2_DATA_DIRECTORY}/maps
 DAMCAT=${AWIPS2_DATA_DIRECTORY}/damcat
 HMDB=${AWIPS2_DATA_DIRECTORY}/hmdb
 EBXML=${AWIPS2_DATA_DIRECTORY}/ebxml
-
 # Add The PostgreSQL Libraries And The PSQL Libraries To LD_LIBRARY_PATH.
 export LD_LIBRARY_PATH=${POSTGRESQL_INSTALL}/lib:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH=${PSQL_INSTALL}/lib:$LD_LIBRARY_PATH
@ -189,6 +188,11 @@ function init_db()
   if [ -f /awips2/data/postgresql.conf ]; then
      mv /awips2/data/postgresql.conf /awips2/
   fi
+
+   # move certificates/keys in /awips2/data to a temporary location. (aren't they in /awips2/database/ssl ??)
+   rm -rf /awips2/.a2pgdbsec
+   mkdir -m 700 /awips2/.a2pgdbsec
+   mv /awips2/database/ssl/*.{crt,key} /awips2/.a2pgdbsec
   
   su - ${AWIPS_DEFAULT_USER} -c \
      "${POSTGRESQL_INSTALL}/bin/initdb --auth=trust --locale=en_US.UTF-8 --pgdata=${AWIPS2_DATA_DIRECTORY} --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8"
@ -197,6 +201,9 @@ function init_db()
   if [ -f /awips2/postgresql.conf ]; then
      mv /awips2/postgresql.conf /awips2/data
   fi
+
+   mv /awips2/.a2pgdbsec/*.{crt,key} /awips2/database/ssl/
+   rm -rf /awips2/.a2pgdbsec
   
   return ${RC}
 }
@ -284,7 +291,7 @@ execute_initial_sql_script ${SQL_SHARE_DIR}/initial_setup_server.sql

 /awips2/psql/bin/psql -U awips -d metadata -c "CREATE EXTENSION postgis;"
 /awips2/psql/bin/psql -U awips -d metadata -c "CREATE EXTENSION postgis_topology;"
-execute_psql_sql_script /awips2/postgresql/share/contrib/postgis-2.0/legacy.sql metadata
+execute_psql_sql_script /awips2/postgresql/share/contrib/postgis-2.2/legacy.sql metadata
 execute_psql_sql_script ${SQL_SHARE_DIR}/permissions.sql metadata
 execute_psql_sql_script ${SQL_SHARE_DIR}/fxatext.sql metadata

@ -306,11 +313,14 @@ copy_addl_config
 rm -rf ${RPM_BUILD_ROOT}

 %files
+%defattr(600,awips,fxalpha,700)
+/awips2/database/ssl
+%config(noreplace) /awips2/database/ssl/server.crt
+%config(noreplace) /awips2/database/ssl/root.crt
+%config(noreplace) /awips2/database/ssl/server.key
 %defattr(644,awips,fxalpha,700)
 %dir /awips2/data
-
 %defattr(644,awips,fxalpha,755)
-%dir /awips2
 %dir /awips2/database
 %dir /awips2/database/sqlScripts
 %dir /awips2/database/replication
@ -325,3 +335,4 @@ rm -rf ${RPM_BUILD_ROOT}
 /awips2/database/sqlScripts/share/sql/*.sql
 /awips2/database/sqlScripts/share/sql/*.sh
 /awips2/database/replication/setup-standby.sh
+/awips2/database/replication/replication-config.sh
--- a/rpms/awips2.core/Installer.database/configuration/postgresql.conf
+++ b/rpms/awips2.core/Installer.database/configuration/postgresql.conf
@ -77,13 +77,13 @@ max_connections = 400			# (change requires restart)
 # - Security and Authentication -

 #authentication_timeout = 1min		# 1s-600s
-ssl = off				# (change requires restart)
+ssl = on				# (change requires restart)
 #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
 					# (change requires restart)
 #ssl_renegotiation_limit = 512MB	# amount of data between renegotiations
-#ssl_cert_file = 'server.crt'		# (change requires restart)
-#ssl_key_file = 'server.key'		# (change requires restart)
-#ssl_ca_file = 'root.crt'		# (change requires restart)
+ssl_cert_file = '/awips2/database/ssl/server.crt'		# (change requires restart)
+ssl_key_file = '/awips2/database/ssl/server.key'		# (change requires restart)
+ssl_ca_file = '/awips2/database/ssl/root.crt'		# (change requires restart)
 #ssl_crl_file = ''			# (change requires restart)
 #password_encryption = on
 #db_user_namespace = off