Security Parameters

Use these client authentication configuration parameters and general security parameters to configure TLS. For more information, see Configuring SSL. For Kerberos-related parameters, see Kerberos Authentication Parameters.

Query system table CONFIGURATION_PARAMETERS to determine what levels (node, session, user, database) are valid for a given parameter.

Parameter Description

Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:

  • An SSL certificate (chainable)
  • The corresponding SSL private key
  • The SSL CA (Certificate Authority) certificate.

The following requirements apply:

  • You cannot set this parameter if parameter EncryptSpreadComm is not set.
  • Enabling this parameter requires a restart.

In the following example, the SSL Certificate contains two certificates, where the certificate for the non-root CA verifies the certificate for the cluster. This is called an SSL Certificate Chain.

'----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----,
-----BEGIN RSA PRIVATE KEY-----<private key for Cluster>-----END RSA PRIVATE KEY-----,
-----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----';

Indicates a default session timeout value for all users where IDLESESSIONTIMEOUT is not set. For example:

ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs';

Boolean, specifies whether a non-superuser can view details of another user:

  • 0: Users can view details of other.
  • 1: Users can only view details about themselves.

Default: 0


Boolean, specifies whether to automatically enable all roles granted to a user on login:

  • 0: Do not automatically enable roles
  • 1: Automatically enable roles. With this setting, users do not need to run SET ROLE

Default: 0 (disable)


Specifies which SSL cipher suites to use for secure client-server communication. Changes to this parameter apply only to new connections.

Default: Vertica uses the Microsoft Schannel default cipher suites. For more information, see the Schannel documentation.


Boolean, specifies whether to enable use of TLS/SSL on connections to the Vertica database: 

  • 0 (disable)
  • 1: (enable)

For example:


For details, see TLS Protocol.

Default: 0 (disable)


Enables encryption on the control channel, set to one of the following strings:

  • vertica: Specifies that Vertica generates the spread encryption key for the database cluster.
  • aws-kms|key‑name, where key‑name is a named key in the iAWS Key Management Service (KMS). On database restart, Vertica fetches the named key from the KMS instead of generating its own.

If the parameter is empty, encryption does not occur.

Enabling this parameter requires database restart.


A string that specifies which user inherits objects after their owners are dropped. This setting ensures preservation of data otherwise lost.

Set this parameter to one of the following string values:

  • Empty string: Objects of dropped users are removed from the database.
  • username: Reassigns objects of dropped users to username. If username does not exist, Vertica creates that user and sets GlobalHeirUsername to it.
  • <auto>: Reassigns objects of dropped LDAP users to user dbadmin.

    Be sure to include the angle brackets < >.

For more information about usage, see Examples.

Default: <auto>


When using CONNECT TO VERTICA to connect to another Vertica cluster for import or export, specifies the degree of stringency for using TLS. Possible values are:

  • PREFER: Try TLS but fall back to plaintext if TLS fails.
  • REQUIRE: Use TLS and fail if the server does not support TLS.
  • VERIFY_CA: Require TLS (as with REQUIRE), and also validate the other server's certificate using the CA specified by SSLCA.
  • VERIFY_FULL: Require TLS and validate the certificate (as with VERIFY_CA), and also validate the server certificate's hostname.
  • REQUIRE_FORCE, VERIFY_CA_FORCE, and VERIFY_FULL_FORCE: Same behavior as REQUIRE, VERIFY_CA, and VERIFY_FULL, respectively, and cannot be overridden by CONNECT TO VERTICA.

Default: PREFER


Boolean, specifies whether the FIPS mode is enabled:

  • 0 (disable)
  • 1: (enable)

On startup, Vertica automatically sets this parameter from the contents of the file crypto.fips_enabled. You cannot modify this parameter.

For details, see Implement FIPS on the Server.

Default: 0


Sets the algorithm for the function that hash authentication uses, one of the following:

  • MD5
  • SHA-512

For example:

ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

Default: NONE


Sets the SSL certificate authority and enables Mutual Mode Authentication, which requires both the server and client to present a certificate and identify each other before opening a secure connection. Changes to this parameter apply only to new connections.

For example, to set this parameter, in the ALTER command below, include the contents of the certificate authority client trust store, but exclude the file name.

ALTER DATABASE DEFAULT SET SSLCA = 'contents of ClientTrustStore.crt file';

To trust more than one CA:



Sets the SSL certificate. Changes to this parameter apply only to new connections.

If TLS/SSL is enabled, this parameter contains the Vertica database server certificate, which the Vertica database server provides when asked by clients to verify itself. To set this parameter, in the ALTER command below, include the contents of the server.crt file, but exclude the file name. If your SSL certificate is a certificate chain, set this parameter to the contents of from the top-most certificate of the certificate chain.

For example:

ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';


The private key for the Vertica database server certificate that was added in the SSLCertificate parameter. It is visible only to dbadmin users. Changes to this parameter apply only to new connections.

Set this parameter to the contents of the server.key file, but exclude the file name

For example:

ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';


Set security parameter value GlobalHeirUsername:

=> \du
      List of users
 User name | Is Superuser
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=>  \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);

=> \c
You are now connected as user "dbadmin".
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
 public | t1   | table | Joe   |
(1 row)

NOTICE 4927:  The Table t1 depends on User Joe
ROLLBACK 3128:  DROP failed due to dependencies
DETAIL:  Cannot drop User Joe because other objects depend on it
HINT:  Use DROP ... CASCADE to drop the dependent objects too
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
 public | t1   | table | SuzyQ |
(1 row)