Data Channel TLS

Nodes use the data channel to exchange table data during operations such as queries.

Internode communication uses the following channels. Their associated components and parameters must be enabled in the following order, before any other components are enabled:

  1. Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
  2. Data Channel to exchange table data. It is implemented using TCP.

Setting DataSSLParams

  1. Obtain the following. The DataSSLParams parameter takes these in a comma-separated list. To generate your own, see Generating TLS Certificates and Keys.
    • a TLS certificate
    • the corresponding TLS private key
    • the CA (Certificate Authority) certificate
  2. Set the DataSSLParams parameter using ALTER DATABASE. To chain certificates, put the certificate chain in the first "section" of the value (before the first comma). In the following example, the public CA verifies the non-root CA, and the non-root CA verifies the Cluster:

     => ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams =
        '-----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----,
        -----BEGIN RSA PRIVATE KEY-----<private key for Cluster A>-----END RSA PRIVATE KEY-----,
        -----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----';

  3. Restart the database.
  4. Verify your settings with SECURITY_CONFIG_CHECK:

     => SELECT SECURITY_CONFIG_CHECK('NETWORK');
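The following added example (not part of the original documentation or the product) assembles a DataSSLParams value in the three-section layout described above, checks that each comma-separated section holds the right kind of PEM block before the value is handed to ALTER DATABASE, and renders the statement. The PEM bodies are constructed placeholders, not real certificates or keys.

```python
import re

# Matches one PEM block; the label (CERTIFICATE, RSA PRIVATE KEY, ...) must match at both ends.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL
)

def pem_blocks(text):
    """Return the (label, body) of every PEM block found in text, in order."""
    return [(m.group("label"), m.group("body").strip()) for m in PEM_BLOCK.finditer(text)]

def build_data_ssl_params(chain_pems, key_pem, ca_pem):
    """Assemble the value as <cluster cert, then intermediates>,<private key>,<CA cert>.

    Certificates inside the first section are separated by newlines; commas only
    separate the three sections, which is safe because base64 never contains a comma.
    """
    return ",".join(["\n".join(p.strip() for p in chain_pems), key_pem.strip(), ca_pem.strip()])

def check_data_ssl_params(value):
    """Return a list of problems with a DataSSLParams value; an empty list means it is well formed."""
    problems = []
    sections = value.split(",")
    if len(sections) != 3:
        return [f"expected 3 comma-separated sections, found {len(sections)}"]
    chain, key, ca = (pem_blocks(s) for s in sections)
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        problems.append("section 1 must hold one or more CERTIFICATE blocks (cluster cert first)")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        problems.append("section 2 must hold exactly one private key block")
    if len(ca) != 1 or ca[0][0] != "CERTIFICATE":
        problems.append("section 3 must hold exactly one CA CERTIFICATE block")
    return problems

def alter_database_statement(value):
    """Render the ALTER DATABASE statement from the page with the value as a single-quoted literal."""
    if "'" in value:
        raise ValueError("PEM data must not contain single quotes")
    return f"ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams =\n'{value}';"

# Constructed placeholder PEM blocks (not real keys or certificates).
CLUSTER_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...clusterCertConstructed\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIB...intermediateConstructed\n-----END CERTIFICATE-----"
CLUSTER_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...keyConstructed\n-----END RSA PRIVATE KEY-----"
ROOT_CA = "-----BEGIN CERTIFICATE-----\nMIIB...publicCaConstructed\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    params = build_data_ssl_params([CLUSTER_CERT, INTERMEDIATE], CLUSTER_KEY, ROOT_CA)
    print(check_data_ssl_params(params) or "DataSSLParams value is well formed")
    print(alter_database_statement(params))
```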

Privileges

Superuser

Restrictions

  • Before setting this parameter, you must enable EncryptSpreadComm.
  • After setting this parameter, you must restart your database.