> For the complete documentation index, see [llms.txt](https://docs.inrupt.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.inrupt.com/ess/latest/installation/customize-configurations/customization-security/configure-database-ssl.md).

# Configure SSL/TLS connection to databases

Enforcing SSL/TLS on the connection to the databases ensures the communication between the database server and the clients is encrypted, which is a recommended practice.

## Database infrastructure configuration

The specific database server configuration is out of scope of the ESS configuration. Depending on the database infrastructure you chose to support your ESS deployment, configuration details may vary.

Once SSL/TLS is enabled, obtain the Certificate Authority (CA) public root certificate bundle in PEM format. Clients need this certificate bundle to encrypt traffic to the database server.

## Mounting the database CA bundle on the containers

The ESS kustomizer includes a component that consumes the CA certificate bundle and mounts it on the containers that need to access the database. Here is how to enable it:

1. Defined a `Secret` in your kustomization named `database-ca-bundle`, with an item named `database-ca-bundle.pem` that contains the CA certificate bundle from your database server.

```yaml
secretGenerator:
  - name: database-ca-bundle
    files:
      - database-ca-bundle.pem
```

2. Include `../release/ess/deployment/kubernetes/components/add-databases-ca/` in your root `kustomization.yaml` file

This will result in the database bundle being mounted on the path `/opt/cacerts/db/database-ca-bundle.pem`.

## Configuring the JDBC URL

In order for your client to enforce SSL/TLS, the following parameters need to be added to the JDBC URLs that are configured as part of the Postgres credentials: `ssl=true&sslmode=verify-full&sslrootcert=/opt/cacerts/db/database-ca-bundle.pem`.
