SSL and Security
Use this page when PostgreSQL requires TLS or custom certificate material. PGStyx exposes the standard TLS settings through write options.
Turning on TLS
```scala
df.write
  .format("pgstyx")
  .option("url", "jdbc:postgresql://host:5432/warehouse")
  .option("dbtable", "events")
  .option("user", "postgres")
  .option("password", "secret")
  .option("ssl", "true")
  .option("sslMode", "verify-full")
  .save()
```

```python
df.write \
    .format("pgstyx") \
    .option("url", "jdbc:postgresql://host:5432/warehouse") \
    .option("dbtable", "events") \
    .option("user", "postgres") \
    .option("password", "secret") \
    .option("ssl", "true") \
    .option("sslMode", "verify-full") \
    .save()
```

```sql
CREATE TABLE events_tls USING pgstyx
OPTIONS (
  url 'jdbc:postgresql://host:5432/warehouse',
  dbtable 'events',
  user 'postgres',
  password 'secret',
  ssl 'true',
  sslMode 'verify-full'
) AS SELECT * FROM incoming_events;
```

ssl=true with an sslMode value is the minimum working TLS configuration.
SSL modes
| Mode | Behavior |
|---|---|
| disable | No TLS. Connection fails if the server requires it. |
| allow | TLS only if the server insists. |
| prefer | TLS preferred; falls back to plaintext if unavailable. |
| require | TLS always. No server identity check. |
| verify-ca | TLS plus certificate-chain validation. |
| verify-full | verify-ca plus hostname validation. |
Use verify-full whenever traffic crosses an untrusted network.
Custom certificate material
Use these options when the environment cannot rely on default trust stores.

```scala
df.write
  .format("pgstyx")
  .option("url", "jdbc:postgresql://host:5432/warehouse")
  .option("dbtable", "events")
  .option("user", "postgres")
  .option("password", "secret")
  .option("ssl", "true")
  .option("sslMode", "verify-full")
  .option("sslRootCert", "/etc/pgstyx/root.crt")
  .option("sslCert", "/etc/pgstyx/client.crt")
  .option("sslKey", "/etc/pgstyx/client.key")
  .save()
```

```python
df.write \
    .format("pgstyx") \
    .option("url", "jdbc:postgresql://host:5432/warehouse") \
    .option("dbtable", "events") \
    .option("user", "postgres") \
    .option("password", "secret") \
    .option("ssl", "true") \
    .option("sslMode", "verify-full") \
    .option("sslRootCert", "/etc/pgstyx/root.crt") \
    .option("sslCert", "/etc/pgstyx/client.crt") \
    .option("sslKey", "/etc/pgstyx/client.key") \
    .save()
```

```sql
CREATE TABLE events_custom_tls USING pgstyx
OPTIONS (
  url 'jdbc:postgresql://host:5432/warehouse',
  dbtable 'events',
  user 'postgres',
  password 'secret',
  ssl 'true',
  sslMode 'verify-full',
  sslRootCert '/etc/pgstyx/root.crt',
  sslCert '/etc/pgstyx/client.crt',
  sslKey '/etc/pgstyx/client.key'
) AS SELECT * FROM incoming_events;
```

Certificate files must exist at the same path on every worker, not just on the machine that starts the job. On Databricks, use init scripts or a mounted volume. On EMR and Dataproc, stage the files through the cluster bootstrap path.
Key file format
sslKey expects a DER-encoded PKCS#8 private key. Convert PEM keys with:

```sh
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt
```

Passwords
PGStyx expects the resolved database password as the value of password. If your environment uses a secret manager, fetch the secret before you construct the write options:
```scala
val password = dbutils.secrets.get(scope = "warehouse", key = "pgstyx_password")

df.write
  .format("pgstyx")
  .option("password", password)
  // ...
  .save()
```

Plan note
| Capability | Tier |
|---|---|
| No TLS (ssl=false) | Community |
| ssl=true with any sslMode | Pro |
| sslCert, sslKey, or sslRootCert with ssl=true | Enterprise |
sslCert, sslKey, and sslRootCert are ignored when ssl=false.
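
An added preflight check for the requirement in Key file format above (example code, not part of PGStyx): it classifies a key file by its outer ASN.1 structure so a PEM, PKCS#1, or encrypted key is caught before the job starts, and it flags a key readable by group or other, since -nocrypt leaves the key unencrypted on disk. The function names and the sample bytes are constructed for illustration.

```python
import os
import stat

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_key(data):
    """Classify private-key bytes by their outer ASN.1 shape."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"
        first, _, first_end = read_tlv(data, start)
        if first == 0x30:                  # EncryptedPrivateKeyInfo: AlgorithmIdentifier first
            return "pkcs8-encrypted-der"
        if first != 0x02:                  # every other known form starts with a version INTEGER
            return "unknown"
        second = data[first_end]
    except IndexError:
        return "unknown"
    return {0x30: "pkcs8-der",             # version, then AlgorithmIdentifier SEQUENCE
            0x02: "pkcs1-rsa-der",         # version, then modulus INTEGER
            0x04: "sec1-ec-der"}.get(second, "unknown")  # version, then OCTET STRING

def check_ssl_key(path):
    """Return a list of problems with the file at path; empty means it passes."""
    problems = []
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    if kind != "pkcs8-der":
        problems.append(f"expected unencrypted DER PKCS#8, found {kind}")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible to group or other")
    return problems

# Constructed sample inputs (placeholder key bytes, not real keys).
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")
SAMPLE_PKCS8 = bytes.fromhex("3017020100") + ALG_RSA + bytes.fromhex("0403aabbcc")
SAMPLE_PKCS1 = bytes.fromhex("3006020100020105")
SAMPLE_ENCRYPTED = bytes.fromhex("3012") + ALG_RSA + bytes.fromhex("040100")
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
```

Run check_ssl_key on each worker against the path passed as sslKey; an empty list means the file passes both checks.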