Security Parameters
Use these client authentication configuration parameters and general security parameters to configure TLS. For more information, see Configuring SSL. For Kerberos-related parameters, see Kerberos Authentication Parameters.
Query the CONFIGURATION_PARAMETERS system table to determine what levels (node, session, user, database) are valid for a given parameter.
Parameter | Description |
---|---|
DataSSLParams |
Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:
The following requirements apply:
In the following example, the SSL Certificate contains two certificates, where the certificate for the non-root CA verifies the certificate for the cluster. This is called an SSL Certificate Chain.
=> ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams = '-----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----, -----BEGIN RSA PRIVATE KEY-----<private key for Cluster>-----END RSA PRIVATE KEY-----, -----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----'; |
DefaultIdleSessionTimeout |
Indicates a default session timeout value for all users where ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs'; |
DoUserSpecificFilteringInSysTables |
Boolean, specifies whether a non-superuser can view details of another user:
Default: 0 |
EnableAllRolesOnLogin |
Boolean, specifies whether to automatically enable all roles granted to a user on login:
Default: 0 (disable) |
EnabledCipherSuites |
Specifies which SSL cipher suites to use for secure client-server communication. Changes to this parameter apply only to new connections. Default: Vertica uses the Microsoft Schannel default cipher suites. For more information, see the Schannel documentation. |
EnableSSL |
Boolean, specifies whether to enable use of TLS/SSL on connections to the Vertica database:
For example:
ALTER DATABASE DEFAULT SET EnableSSL = '1';
For details, see TLS Protocol. Default: 0 (disable) |
EncryptSpreadComm |
Enables encryption on the control channel, set to one of the following strings:
If the parameter is empty, encryption does not occur. Enabling this parameter requires database restart. |
GlobalHeirUsername |
A string that specifies which user inherits objects after their owners are dropped. This setting ensures preservation of data otherwise lost. Set this parameter to one of the following string values:
For more information about usage, see Examples. Default: |
ImportExportTLSMode |
When using CONNECT TO VERTICA to connect to another Vertica cluster for import or export, specifies the degree of stringency for using TLS. Possible values are:
Default: |
RequireFIPS |
Boolean, specifies whether the FIPS mode is enabled:
On startup, Vertica automatically sets this parameter from the contents of the file For details, see Implement FIPS on the Server. Default: 0 |
SecurityAlgorithm |
Sets the algorithm for the function that hash authentication uses, one of the following:
For example:
ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';
Default: |
SSLCA |
Sets the SSL certificate authority and enables Mutual Mode Authentication, which requires both the server and client to present a certificate and identify each other before opening a secure connection. Changes to this parameter apply only to new connections. For example, to set this parameter, in the ALTER command below, include the contents of the certificate authority
ALTER DATABASE DEFAULT SET SSLCA = 'contents of ClientTrustStore.crt file';
To trust more than one CA:
ALTER DATABASE DEFAULT SET SSLCA = '-----BEGIN CERTIFICATE-----first CA-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----second CA-----END CERTIFICATE-----'; |
SSLCertificate |
Sets the SSL certificate. Changes to this parameter apply only to new connections. If TLS/SSL is enabled, this parameter contains the Vertica database server certificate, which the Vertica database server provides when asked by clients to verify itself. To set this parameter, in the ALTER command below, include the contents of the For example:
ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';
|
SSLPrivateKey |
The private key for the Vertica database server certificate that was added in the SSLCertificate parameter. It is visible only to dbadmin users. Changes to this parameter apply only to new connections. Set this parameter to the contents of the For example:
ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';
|
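The DataSSLParams, SSLCA, SSLCertificate and SSLPrivateKey entries above all take PEM text pasted into a SQL string literal, and the DataSSLParams layout (certificate chain, then private key, then CA certificate, comma-separated, with chained certificates separated by spaces) is easy to get subtly wrong. The following Python script is an added example, not code from the Vertica documentation or product: it parses PEM files, checks that each part of the value holds only the block types it should, flags BEGIN/END markers with the wrong number of dashes (which PEM parsers silently skip, leaving a certificate out of the chain), and renders the ALTER DATABASE statements with proper quoting. The function names and the PEM bodies are constructed for this example.

```python
"""Assemble and sanity-check the PEM values that Vertica TLS parameters take.

Added example, not code from the Vertica documentation or product. It assumes
only what the page states: DataSSLParams is a comma-separated list of
(certificate chain, private key, CA certificate), SSLCA may hold several
concatenated CA certificates, and each value is pasted as a SQL string literal.
The PEM bodies below are constructed placeholders, not real certificates or keys.
"""
import re

# One well-formed PEM block: matching BEGIN/END labels, exactly five dashes each side.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Any BEGIN/END marker, used to spot ones with the wrong number of dashes.
ANY_MARKER = re.compile(r"(-+)(BEGIN|END) ([A-Z ]+?)(-+)")


def parse_pem(text):
    """Return [(label, body), ...] for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def find_malformed_markers(text):
    """Return markers whose dash runs are not exactly five characters long.

    '----BEGIN CERTIFICATE-----' is not a PEM marker, so that certificate would
    be missing from the chain the server loads without any error at SET time.
    """
    return [m.group(0) for m in ANY_MARKER.finditer(text)
            if len(m.group(1)) != 5 or len(m.group(4)) != 5]


def render_block(label, body):
    """Re-emit a PEM block in canonical form."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def check_cert_chain(chain_pem):
    """Validate a chain: well-formed markers, at least one block, CERTIFICATE blocks only."""
    bad = find_malformed_markers(chain_pem)
    if bad:
        raise ValueError(f"malformed PEM marker(s): {bad}")
    blocks = parse_pem(chain_pem)
    if not blocks:
        raise ValueError("certificate chain contains no PEM block")
    for label, _ in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected block in certificate chain: {label}")
    return blocks


def check_private_key(key_pem):
    """Validate the key part: exactly one PRIVATE KEY block and nothing else."""
    blocks = parse_pem(key_pem)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        raise ValueError("private key part must hold exactly one PRIVATE KEY block")
    return blocks[0]


def build_data_ssl_params(chain_pem, key_pem, ca_pem):
    """Return the DataSSLParams value: chain, key and CA separated by commas,
    with the certificates inside the chain separated by spaces."""
    chain = " ".join(render_block(*b) for b in check_cert_chain(chain_pem))
    key = render_block(*check_private_key(key_pem))
    ca = " ".join(render_block(*b) for b in check_cert_chain(ca_pem))
    return ", ".join([chain, key, ca])


def build_sslca(*ca_pems):
    """Return an SSLCA value that trusts every CA certificate given."""
    blocks = [b for pem in ca_pems for b in check_cert_chain(pem)]
    return " ".join(render_block(*b) for b in blocks)


def sql_literal(value):
    """Quote a value as a SQL string literal (embedded single quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"


def alter_statement(parameter, value):
    """Render the ALTER DATABASE statement that sets a database-level parameter."""
    return f"ALTER DATABASE DEFAULT SET PARAMETER {parameter} = {sql_literal(value)};"


# Constructed placeholder PEM material; the bodies are not real certificates or keys.
CLUSTER_CERT = "-----BEGIN CERTIFICATE-----\nMIICclusterCertPlaceholder==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_CA = "-----BEGIN CERTIFICATE-----\nMIICintermediateCaPlaceholder==\n-----END CERTIFICATE-----\n"
CLUSTER_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEclusterKeyPlaceholder==\n-----END RSA PRIVATE KEY-----\n"
PUBLIC_CA = "-----BEGIN CERTIFICATE-----\nMIICpublicCaPlaceholder==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Cluster certificate first, then the intermediate CA that signed it, as the page shows.
    data_ssl = build_data_ssl_params(CLUSTER_CERT + INTERMEDIATE_CA, CLUSTER_KEY, PUBLIC_CA)
    print(alter_statement("DataSSLParams", data_ssl))
    print(alter_statement("SSLCertificate", render_block(*check_cert_chain(CLUSTER_CERT)[0])))
    print(alter_statement("SSLPrivateKey", render_block(*check_private_key(CLUSTER_KEY))))
    print(alter_statement("SSLCA", build_sslca(PUBLIC_CA, INTERMEDIATE_CA)))
```

The script only checks structure; it does not verify that the intermediate CA actually signed the cluster certificate, so the chain order still has to be confirmed against the issuing CA. After running the generated statements, a query such as `SELECT parameter_name, current_value FROM CONFIGURATION_PARAMETERS WHERE parameter_name IN ('EnableSSL', 'SSLCertificate', 'SSLCA');` confirms what the database holds; SSLPrivateKey is, as the table above notes, visible only to dbadmin users, and the changes take effect only for new connections.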
Examples
Set security parameter value GlobalHeirUsername:

```
=> \du
 List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUsername='SuzyQ';
ALTER DATABASE
=> \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE
=> \c
You are now connected as user "dbadmin".
=> \dt t1
 List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927: The Table t1 depends on User Joe
ROLLBACK 3128: DROP failed due to dependencies
DETAIL: Cannot drop User Joe because other objects depend on it
HINT: Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
 List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)
```