# Configure SSL/TLS connection to databases

Enforcing SSL/TLS on the connection to the databases ensures that traffic between the database server and its clients is encrypted and, when the client also verifies the server certificate, that the client is talking to the genuine database server rather than something impersonating it. Both are recommended practice.

## Database infrastructure configuration

The specific database server configuration is out of scope of the ESS configuration. Depending on the database infrastructure you chose to support your ESS deployment, configuration details may vary.

Once SSL/TLS is enabled, obtain the Certificate Authority (CA) public root certificate bundle in PEM format. Clients need this bundle to verify the certificate the database server presents; encryption alone does not tell a client whether the server it reached is the real one. The bundle must contain certificates only (`BEGIN CERTIFICATE` blocks), never a private key.

## Mounting the database CA bundle on the containers

The ESS kustomizer includes a component that consumes the CA certificate bundle and mounts it on the containers that need to access the database. Here is how to enable it:

1. Define a `Secret` in your kustomization named `database-ca-bundle`, with an item named `database-ca-bundle.pem` that contains the CA certificate bundle from your database server.

```yaml
secretGenerator:
  - name: database-ca-bundle
    files:
      - database-ca-bundle.pem
```

2. Include `../release/ess/deployment/kubernetes/components/add-databases-ca/` in your root `kustomization.yaml` file.

This results in the CA bundle being mounted in each container that accesses the database at the path `/opt/cacerts/db/database-ca-bundle.pem`.

## Configuring the JDBC URL

In order for your client to enforce SSL/TLS, add the following parameters to the JDBC URLs that are configured as part of the Postgres credentials: `ssl=true&sslmode=verify-full&sslrootcert=/opt/cacerts/db/database-ca-bundle.pem`. Use `verify-full`, not a weaker `sslmode` such as `require` or `verify-ca`: only `verify-full` checks both the certificate chain against the mounted bundle and that the host name in the JDBC URL matches the server certificate. The host in the URL must therefore be a DNS name that appears in the server certificate, not an IP address.
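The following is an added example, not code from the ESS project, that audits a Postgres JDBC URL for the parameters described above and rewrites it when they are missing or weaker than `verify-full`. It assumes the mount path documented on this page (`/opt/cacerts/db/database-ca-bundle.pem`) and the pgjdbc `ssl`, `sslmode` and `sslrootcert` parameters; the host names in the sample URLs are constructed for illustration.

```python
"""Audit and fix Postgres JDBC URLs for the ESS database CA bundle mount.

Added example; not part of the ESS project. Assumes the mount path from the
page and the pgjdbc connection parameters ssl, sslmode and sslrootcert.
"""
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Path at which the add-databases-ca component mounts the bundle.
CA_BUNDLE_PATH = "/opt/cacerts/db/database-ca-bundle.pem"

# Parameters the page requires on every database JDBC URL.
REQUIRED = {"ssl": "true", "sslmode": "verify-full", "sslrootcert": CA_BUNDLE_PATH}

# pgjdbc sslmode values, weakest first. disable/allow/prefer/require do not
# validate the server certificate at all; verify-ca validates the chain but not
# the host name; only verify-full does both.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def _split(url):
    """Split a jdbc:postgresql:// URL into its parts and a dict of query parameters."""
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a Postgres JDBC URL: " + url)
    parts = urlsplit(url[len("jdbc:"):])
    return parts, dict(parse_qsl(parts.query, keep_blank_values=True))


def audit_jdbc_url(url):
    """Return a list of problems; an empty list means the URL enforces TLS as required."""
    parts, params = _split(url)
    problems = []

    mode = params.get("sslmode")
    if mode is None:
        problems.append("sslmode missing; set it explicitly to verify-full")
    elif mode not in SSLMODES:
        problems.append("unknown sslmode " + mode)
    elif SSLMODES.index(mode) < SSLMODES.index("verify-full"):
        problems.append("sslmode=%s does not fully authenticate the server" % mode)

    if params.get("ssl") != "true":
        problems.append("ssl=true missing")
    if params.get("sslrootcert") != CA_BUNDLE_PATH:
        problems.append("sslrootcert must point at " + CA_BUNDLE_PATH)

    # verify-full compares the server certificate against the host in the URL,
    # so an IP literal (rarely present in a certificate's SANs) will not verify.
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        problems.append("host %s is an IP literal; verify-full needs a DNS name in the certificate" % host)
    except ValueError:
        pass
    return problems


def enforce_tls(url):
    """Rewrite the URL so it carries the required TLS parameters.

    Unrelated parameters are kept; weaker ssl settings are overwritten.
    """
    parts, params = _split(url)
    params.update(REQUIRED)
    query = urlencode(params, safe="/")  # keep the bundle path readable
    return "jdbc:" + urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL with the common mistake: encrypted but unverified.
    weak = "jdbc:postgresql://db.example.internal:5432/ess?sslmode=require"
    for problem in audit_jdbc_url(weak):
        print("problem:", problem)
    print("fixed:", enforce_tls(weak))
```

Run `audit_jdbc_url` over every JDBC URL in the Postgres credentials before deploying; a URL that audits clean but still fails to connect usually means the host name does not match the server certificate or the bundle in the `database-ca-bundle` Secret is not the CA that issued it.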


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.inrupt.com/ess/latest/installation/customize-configurations/customization-security/configure-database-ssl.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
