Implementing Client Self-Authentication

To use a client self-authentication method, your server must be in SSL Mutual Mode.

To create an authentication method for client self-authentication, use the CREATE AUTHENTICATION statement with the auth_type 'tls' and the HOST TLS syntax.

Use the 'tls' auth_type only when you are creating an authentication method for client self-authentication, and always together with the HOST TLS syntax: the client certificate that this method checks is presented only on a TLS connection, so a 'tls' record cannot apply to non-TLS hosts.

Create an Authentication Method with Client Self-Authentication Method

This section provides sample chronological steps for setting up a client for self-authentication, creating an authentication method, and associating the method with a user through a grant statement.

  1. Follow all applicable procedures for implementing SSL and distributing certificates and keys. Refer to TLS Protocol as it applies to your environment.

    When you create the client key and certificate request, set the Common Name (CN) to the database user name you want to use with the target database, not to a hostname. At the OpenSSL prompt, for example:
    Common Name (e.g. server FQDN or YOUR name) []:<database username>
  2. Create the authentication method. Authentication methods are automatically enabled when you create them.

    => CREATE AUTHENTICATION myssltest METHOD 'tls' HOST TLS '10.0.0.0/23';
  3. Associate the method with the user through a grant statement.

    => GRANT AUTHENTICATION myssltest TO mydatabaseusername;

Your client can now log on and be recognized.

For information on creating authentication methods, refer to the SQL Reference Manual topic, CREATE AUTHENTICATION.

Specify TLS for Client Connections

You can require clients to use TLS when connecting to Vertica. To do so, create a client authentication method for them that uses the HOST TLS syntax with the CREATE AUTHENTICATION statement.

Specific clients might connect through a network connection known to be insecure. In such cases, you can choose to limit specific users to connecting through TLS. You can also require all clients to use TLS.

Create authentication methods that reject users from any IP address who try to authenticate without TLS. Authentication method names must be unique, so the IPv4 and IPv6 address ranges need separate records:

=> CREATE AUTHENTICATION RejectNoSSL METHOD 'reject' HOST NO TLS '0.0.0.0/0';   --IPv4
=> CREATE AUTHENTICATION RejectNoSSL6 METHOD 'reject' HOST NO TLS '::/0';       --IPv6

Grant the reject records to PUBLIC (or to the specific users you want to restrict) so that they take effect. Because a 'reject' record with HOST NO TLS and a 'tls' record with HOST TLS can never match the same connection, the two kinds of record do not compete for priority.
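The following script is an added example, not part of the Vertica documentation page, that ties together the two procedures above: it sets up client self-authentication for one user from the page's 10.0.0.0/23 range and a TLS-only policy for everyone, then verifies the result. The user name cert_user and the record names cert_auth, reject_plain4 and reject_plain6 are assumptions, as are the column names used in the verification queries against v_catalog.client_auth, v_catalog.user_client_auth and v_monitor.sessions; the OpenSSL step that produces a client certificate with CN=cert_user is done outside the database and is not shown.

```sql
-- Added example (not from the Vertica documentation): client self-authentication
-- plus a TLS-only policy, with verification. Assumed names: user cert_user,
-- records cert_auth, reject_plain4, reject_plain6. Prerequisite: the server is
-- in SSL Mutual Mode and the client certificate's CN is exactly 'cert_user'.

-- 1. The database user whose name matches the client certificate's CN.
CREATE USER cert_user;

-- 2. Mutual-TLS (self-authentication) record for that user on the application
--    subnet. 'tls' is valid only with HOST TLS; the certificate is checked
--    instead of a password, so no password is ever set for this user.
CREATE AUTHENTICATION cert_auth METHOD 'tls' HOST TLS '10.0.0.0/23';
GRANT AUTHENTICATION cert_auth TO cert_user;

-- 3. Reject every connection that is not on TLS, from any address. Record names
--    must be unique, so IPv4 and IPv6 get separate records. A HOST NO TLS record
--    never matches a TLS session, so it cannot shadow cert_auth.
CREATE AUTHENTICATION reject_plain4 METHOD 'reject' HOST NO TLS '0.0.0.0/0';
CREATE AUTHENTICATION reject_plain6 METHOD 'reject' HOST NO TLS '::/0';
GRANT AUTHENTICATION reject_plain4 TO PUBLIC;
GRANT AUTHENTICATION reject_plain6 TO PUBLIC;

-- 4. Make the certificate record win over any other TLS record granted to
--    cert_user (e.g. an inherited password record); higher priority is tried first.
ALTER AUTHENTICATION cert_auth PRIORITY 10;

-- 5. Verify the records exist, are enabled, and carry the intended host type.
--    Column names assumed from v_catalog.client_auth.
SELECT auth_name, method, auth_host_type, auth_host_address,
       auth_priority, is_auth_enabled
  FROM v_catalog.client_auth
 WHERE auth_name IN ('cert_auth', 'reject_plain4', 'reject_plain6')
 ORDER BY auth_priority DESC, auth_name;

-- 6. Verify the user-level grant (column names assumed from
--    v_catalog.user_client_auth).
SELECT user_name, auth_name
  FROM v_catalog.user_client_auth
 WHERE user_name = 'cert_user';

-- 7. After the client connects with its certificate, confirm the session is
--    mutual TLS and was authenticated by cert_auth rather than a password
--    (column names assumed from v_monitor.sessions).
SELECT user_name, client_hostname, ssl_state, authentication_method
  FROM v_monitor.sessions
 WHERE user_name = 'cert_user';
```

Run the script as a superuser before distributing the client certificate; a client that connects without TLS should be refused by reject_plain4 or reject_plain6, and a TLS client presenting a certificate whose CN does not match a granted user should not be mapped to cert_user.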

See Creating Authentication Records for more information about creating client authentication methods.