Connect an External PostgreSQL Server

You must configure an external PostgreSQL database if your Tenable Security Center Director installation meets any of the following criteria:

  • Your Tenable Security Center Director instance has over 100,000 assets.

  • Your Tenable Security Center Director instance is a non-rpm installation.

  • You are migrating from a Tenable Security Center Director on-prem installation to a Security Center on Tenable Enclave Security installation. You must configure the external PostgreSQL server for your on-prem Tenable Security Center Director before migration, and the Tenable Enclave Security installation must use the same external PostgreSQL server.

Note: Tenable Security Center Director does not support multiple Tenable Security Center Director instances using the same database name in the same PostgreSQL server. The database name should be unique in the PostgreSQL instance.

Note: Tenable Security Center Director supports PostgreSQL versions 13.x through 17.x.

For information about how to configure a PostgreSQL server, see the PostgreSQL documentation.

For sizing recommendations, see the Hardware Requirements and Cloud Requirements.

To connect your Tenable Security Center Director instance to your PostgreSQL server:

  1. Before you install or upgrade Tenable Security Center Director, populate the following environment variables:

    Note: For a fresh install, you must set the environment variables with a root user account. If you are upgrading a previous installation with new PostgreSQL values, you must modify the values in the /opt/sc/.pgvars file. The values in the .pgvars file will be the source for connecting to the defined PostgreSQL server.

    • SC_PG_HOST (required)- The IP address or hostname of the external PostgreSQL server.

    • SC_PG_USER (required) - The PostgreSQL username.

      Note: The PostgreSQL user account must have CREATEDB and read/write permissions.

    • SC_PG_PORT (required) - The port number. The default port is 5432.

    • SC_PG_PASSWORD - The password for the PostgreSQL user. If you do not provide a password, Tenable Security Center Director will assume an empty password for the external PostgreSQL user.

    • SC_PG_DATABASE (required) - The database name for the Tenable Security Center Director data. The default database name is SecurityCenter.

    • SC_PG_CA_PATH - The absolute path to the cert file. When you specify the location of the root certificate, Tenable Security Center Director verifies the root certificate used by PostgreSQL.

    • SC_PG_REQUIRE_TLS - Whether PostgreSQL will use SSL. Available options are NULL, require, and prefer. If this variable is not set, then the Tenable Security Center Director client ssl_mode will be set to prefer.

    After you install or upgrade to Tenable Security Center Director 6.5.0 or later, then Tenable Security Center Director will attempt to connect to the PostgreSQL instance using the values provided and create a database with the specified database name.