Connecting
OpenDB is exposed to Enterprise customers at opendb.cademi.cloud:5432 over the public internet. Authentication is mutual TLS: you present a client certificate signed by our CA, and the server validates against our certificate authority. There is no password.
Getting your access kit
Your access kit is sent by our customer success team as a single tarball named <tenant>_user-YYYYMMDD.tar.gz containing three files:
| File | Purpose |
|---|---|
| `<tenant>_user.crt` | Your client certificate (public) |
| `<tenant>_user.key` | Your client private key (keep secret) |
| `ca.crt` | Our CA's public certificate (optional, for minimal containers) |
Each kit is bound to one tenant and one role. If you need separate access for additional team members or environments, request additional kits — do not share the same certificate across users.
Connecting with psql
Extract the tarball, restrict the private key permissions, and connect:
```bash
tar -xzf <tenant>_user-YYYYMMDD.tar.gz
chmod 0600 <tenant>_user.key
psql "host=opendb.cademi.cloud \
      port=5432 \
      dbname=<tenant> \
      user=<tenant>_user \
      sslmode=verify-full \
      sslrootcert=system \
      sslcert=<tenant>_user.crt \
      sslkey=<tenant>_user.key"
```
Replace `<tenant>` with the database name supplied by customer success. The `dbname` and the `user` always follow the pattern `<tenant>` and `<tenant>_user`.
To confirm the connection landed correctly:
```sql
SELECT current_user, current_database();
```
Connection parameters explained
- `sslmode=verify-full` — required. Validates that the server's certificate is trusted and matches the hostname. Lower modes (`require`, `prefer`) leave you vulnerable to MITM and will not be supported in the future.
- `sslrootcert=system` — uses your OS trust store to validate our server certificate (Let's Encrypt). Works out of the box on macOS, modern Linux distributions, and Windows.
  - In a minimal container without a CA bundle, install `ca-certificates` (e.g. `apt-get install ca-certificates` on Debian/Ubuntu, `apk add ca-certificates` on Alpine) or point `sslrootcert` at the `ca.crt` from your tarball.
- `sslcert` / `sslkey` — your client certificate and key from the tarball. The key must be readable only by your user (`chmod 0600`) or libpq will refuse to use it.
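A pre-flight check for the connection settings described above, as an added example that is not part of the original documentation or the vendor's tooling. The function name `audit_dsn`, the tenant `acme` and the throwaway key file are assumptions made for illustration.

```python
import os
import shlex
import stat
import tempfile

def audit_dsn(dsn):
    """Return a list of findings for a libpq key=value connection string."""
    # shlex handles the quoting used in simple key=value conninfo strings.
    params = dict(tok.split("=", 1) for tok in shlex.split(dsn) if "=" in tok)
    findings = []
    # The page requires verify-full; lower modes do not fully authenticate the server.
    mode = params.get("sslmode", "prefer")  # libpq's default when unset
    if mode != "verify-full":
        findings.append(f"sslmode={mode}: must be verify-full")
    # verify-full needs a trust anchor: the OS store or the kit's ca.crt.
    if "sslrootcert" not in params:
        findings.append("sslrootcert unset: use 'system' or the kit's ca.crt")
    # Database and role follow the <tenant> / <tenant>_user pattern.
    db, user = params.get("dbname", ""), params.get("user", "")
    if not db or user != f"{db}_user":
        findings.append(f"user={user!r} does not match dbname={db!r} + '_user'")
    # Mutual TLS: both halves of the client credential must be supplied.
    for key in ("sslcert", "sslkey"):
        if key not in params:
            findings.append(f"{key} missing: client certificate auth will fail")
    # The private key must not be accessible to group or others (chmod 0600).
    key_path = params.get("sslkey")
    if key_path and os.path.exists(key_path):
        perms = stat.S_IMODE(os.stat(key_path).st_mode)
        if perms & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key_path} has mode {perms:04o}: run chmod 0600")
    return findings

def demo():
    """Audit a weak and a corrected DSN against a constructed throwaway key file."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "acme_user.key")  # constructed sample, not a real key
        open(key, "w").close()
        os.chmod(key, 0o644)
        weak = f"host=opendb.cademi.cloud dbname=acme user=acme sslmode=require sslkey={key}"
        weak_findings = audit_dsn(weak)
        os.chmod(key, 0o600)
        good = (f"host=opendb.cademi.cloud port=5432 dbname=acme user=acme_user "
                f"sslmode=verify-full sslrootcert=system sslcert=acme_user.crt sslkey={key}")
        return weak_findings, audit_dsn(good)

if __name__ == "__main__":
    for label, found in zip(("weak", "good"), demo()):
        print(label, found or "OK")
```

Running a check like this in CI or a container entrypoint catches a downgraded `sslmode` or an over-permissive key before the first connection attempt.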
Connecting from other clients
Any client built on libpq or supporting the PostgreSQL TLS protocol works the same way. Common patterns:
DBeaver / DataGrip
- Driver properties → enable SSL.
- Set SSL mode to verify-full.
- Provide the paths to `<tenant>_user.crt`, `<tenant>_user.key`, and (optionally) `ca.crt`.
Python (psycopg)
```python
import psycopg

conn = psycopg.connect(
    host="opendb.cademi.cloud",
    port=5432,
    dbname="<tenant>",
    user="<tenant>_user",
    sslmode="verify-full",
    sslrootcert="system",
    sslcert="<tenant>_user.crt",
    sslkey="<tenant>_user.key",
)
```
Node.js (pg)
```js
import fs from 'node:fs'
import { Client } from 'pg'

const client = new Client({
  host: 'opendb.cademi.cloud',
  port: 5432,
  database: '<tenant>',
  user: '<tenant>_user',
  ssl: {
    cert: fs.readFileSync('<tenant>_user.crt').toString(),
    key: fs.readFileSync('<tenant>_user.key').toString(),
    rejectUnauthorized: true
  }
})
await client.connect()
```
What you can do
Your role (<tenant>_user) has read-only access to the lms and metrics schemas of your tenant database. You can:
- `SELECT` from every table in `lms.*` and `metrics.*`.
- Read system catalogs needed for tooling (`information_schema`, `pg_catalog`).
You cannot:
- Write, update, or delete data.
- Access other tenants' databases.
- Create or modify schemas, tables, or roles.
Rotation and revocation
- Certificates are issued with a default validity of 365 days. Customer success will reach out ahead of expiry to deliver a new kit.
- If you suspect your key has been exposed, contact customer success immediately. We will issue a replacement and disable the compromised role.
Troubleshooting
| Symptom | Likely cause |
|---|---|
| `FATAL: role "..." is not permitted to log in` | Wrong user in the DSN — must be `<tenant>_user`, not `<tenant>` or `<tenant>_ro`. |
| `FATAL: role "..." does not exist` | The CN of your client cert does not match a role on the server. Confirm you are using the cert your kit shipped with. |
| `connection requires a valid client certificate` | `sslcert`/`sslkey` paths are wrong, or the key permissions are too open. Run `chmod 0600` on the key. |
| `SSL error: certificate verify failed` | Your CA bundle does not trust Let's Encrypt. Install `ca-certificates` or point `sslrootcert` at the `ca.crt` from the tarball. |
| Connection hangs or times out | Your network blocks outbound TCP/5432. Open the port to opendb.cademi.cloud in your firewall. |
For anything not covered here, contact customer success.