Copying Certificates and Keys to Configuration Files

Before using TLS, you must set the appropriate certificate and key parameters. When the database starts up, all hosts in the cluster copy the contents of these parameters to vertica.conf. These parameters determine the connection mode, which determines how hosts and clients verify each other before opening a secure connection.

Vertica offers two connection modes for TLS:

  • In Server Mode, only the client must verify the host's certificate. Hosts must have a server private key and certificate.
  • In Mutual Mode, the client and host must each verify the other’s certificates. Hosts must have a server private key, certificate, and root CA certificate.

The database does not need to be running when you copy the contents of the certificates and key files to other hosts.

  1. Generate TLS Certificates and Keys according to your use case:
    • Server Mode: private key, server certificate
    • Mutual Mode: private key, server certificate, root CA certificate
  2. Set the EnableSSL parameter to 1 to enable TLS authentication. By default, EnableSSL is set to 0 (disabled).

    => ALTER DATABASE database SET EnableSSL=1;
  3. Query the CRYPTOGRAPHIC_KEYS and CERTIFICATES system tables to view your existing keys and certificates.
  4. To clear any of these parameters, run:

    => ALTER DATABASE dbname CLEAR parameter;

  5. Run the following commands for your desired configuration. These parameters take effect for new connections only.
    • To use Server Mode, set the SSLPrivateKey and SSLCertificate parameters:

      => ALTER DATABASE DEFAULT SET SSLPrivateKey = 'private_key';
      => ALTER DATABASE DEFAULT SET SSLCertificate = 'certificate';
    • To use Mutual Mode, in addition to setting the above parameters for Server Mode, set the SSLCA parameter:

      => ALTER DATABASE DEFAULT SET SSLCA = 'CA_certificate';

      To trust more than one CA, concatenate the CA certificates into a single parameter value:

      => ALTER DATABASE DEFAULT SET SSLCA = '-----BEGIN CERTIFICATE-----first CA-----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----second CA-----END CERTIFICATE-----';