Security and Authentication

TLS CONFIGURATION

TLS management has been centralized in the new TLS CONFIGURATION object, which you manage with ALTER TLS CONFIGURATION. Vertica includes the following TLS CONFIGURATION objects by default; each manages the certificates, cipher suites, and TLSMODE for one TLS context:

  • server: Client-server TLS (Vertica is the TLS server).
  • LDAPLink: TLS for the LDAPLink service and its dry run functions, which synchronize users and groups between Vertica and the LDAP server (Vertica is the TLS client).
  • LDAPAuth: TLS for LDAP authentication. When a user with an ldap authentication method attempts to log in, Vertica binds to the LDAP server as the matching LDAP user; if the bind succeeds, Vertica allows the login (Vertica is the TLS client).

These TLS CONFIGURATIONs cannot be dropped.

Existing configurations that use the following parameters are automatically ported to their equivalents in the TLS CONFIGURATION scheme on upgrade:

  • Security parameters:
    • SSLCertificate
    • SSLPrivateKey
    • SSLCA
    • EnableSSL
  • LDAP Authentication parameters:
    • tls_key
    • tls_cert
    • tls_cacert
    • starttls (now set automatically based on the TLSMODE of the LDAPAuth TLS CONFIGURATION)
    • tls_reqcert
  • LDAPLink and LDAP Link dry-run parameters:
    • LDAPLinkTLSCACert
    • LDAPLinkTLSCADir
    • LDAPLinkStartTLS (now set automatically based on the TLSMODE of the LDAPLink TLS CONFIGURATION)
    • LDAPLinkTLSReqCert

Mutual TLS for LDAPLink and LDAPAuth

You can now use mutual TLS for connections between Vertica and your LDAP server by setting a client certificate on the LDAPLink and LDAPAuth TLS CONFIGURATIONs. Vertica presents that certificate to the LDAP server, which can then authenticate Vertica in addition to Vertica verifying the LDAP server's certificate.
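The following SQL is an added example, not code from the Vertica release notes, that walks through both the TLS CONFIGURATION model described above and the mutual TLS setup for LDAPLink and LDAPAuth. The object names (server_key, server_cert, client_ca, ldap_client_key, ldap_client_cert, ldap_ca), the PEM placeholders, the cipher suite choice, and the column list of the tls_configurations system table are assumptions; the TLSMODE values are the ones accepted by ALTER TLS CONFIGURATION as I know them, so check the reference for your version.

```sql
-- Added example: not from the Vertica release notes. Object names, PEM
-- placeholders, cipher suites and system-table columns are assumptions.

-- 1. Client-server TLS. The "server" TLS CONFIGURATION replaces the old
--    SSLPrivateKey / SSLCertificate / SSLCA / EnableSSL parameters.
CREATE KEY server_key TYPE 'RSA' AS '<PEM-encoded private key>';
CREATE CERTIFICATE server_cert AS '<PEM-encoded server certificate>' KEY server_key;
CREATE CA CERTIFICATE client_ca AS '<PEM-encoded CA that issues client certificates>';

ALTER TLS CONFIGURATION server CERTIFICATE server_cert;        -- was SSLCertificate + SSLPrivateKey
ALTER TLS CONFIGURATION server ADD CA CERTIFICATES client_ca;  -- was SSLCA
-- On the server object, TLSMODE controls how Vertica treats the CLIENT's certificate:
--   'DISABLE'     no TLS (the insecure default to move away from)
--   'ENABLE'      TLS on, client certificates not requested (EnableSSL equivalent)
--   'TRY_VERIFY'  verify a client certificate only if one is presented
--   'VERIFY_CA'   require a client certificate signed by a listed CA
ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA';
-- Restrict negotiation to forward-secret AEAD suites (OpenSSL names):
ALTER TLS CONFIGURATION server CIPHER SUITES 'ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384';

-- 2. Mutual TLS to the LDAP server. Here Vertica is the TLS CLIENT:
--    CERTIFICATE is the client certificate Vertica presents to the LDAP server,
--    the CA certificates are what Vertica validates the LDAP server against,
--    and TLSMODE replaces starttls/tls_reqcert: VERIFY_CA demands a valid
--    LDAP server certificate, VERIFY_FULL additionally checks its hostname.
CREATE KEY ldap_client_key TYPE 'RSA' AS '<PEM-encoded private key>';
CREATE CERTIFICATE ldap_client_cert AS '<PEM-encoded client certificate>' KEY ldap_client_key;
CREATE CA CERTIFICATE ldap_ca AS '<PEM-encoded CA that signed the LDAP server certificate>';

ALTER TLS CONFIGURATION LDAPLink CERTIFICATE ldap_client_cert;
ALTER TLS CONFIGURATION LDAPLink ADD CA CERTIFICATES ldap_ca;
ALTER TLS CONFIGURATION LDAPLink TLSMODE 'VERIFY_FULL';

ALTER TLS CONFIGURATION LDAPAuth CERTIFICATE ldap_client_cert;
ALTER TLS CONFIGURATION LDAPAuth ADD CA CERTIFICATES ldap_ca;
ALTER TLS CONFIGURATION LDAPAuth TLSMODE 'VERIFY_FULL';

-- 3. Review the result. Any context still at mode 'DISABLE' is unencrypted;
--    an LDAP context at 'ENABLE' encrypts but does not verify the LDAP server.
SELECT name, certificate, ca_certificates, cipher_suites, mode
  FROM tls_configurations
 WHERE name IN ('server', 'LDAPLink', 'LDAPAuth');
```

The point to keep straight is the direction of each context: on server, TLSMODE governs what Vertica demands of connecting clients, while on LDAPLink and LDAPAuth it governs how strictly Vertica checks the LDAP server it is connecting to. Mutual TLS to LDAP is only as strong as the CA list you attach, so add the one CA that signed the LDAP server's certificate rather than a general-purpose bundle.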

New LDAP Link Function: LDAP_LINK_SYNC_CANCEL

You can now cancel in-progress synchronizations between Vertica and your LDAP server with LDAP_LINK_SYNC_CANCEL.

New Security Parameter: SystemCABundlePath

SystemCABundlePath lets you specify a CA bundle that Vertica uses to validate certificates when it establishes TLS connections with external services.

New Security Parameter: DHParams

DHParams lets you specify an alternate Diffie-Hellman MODP group of at least 2048 bits to use during key exchange.
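The following is an added example, not code from the release notes, showing both new security parameters being set at database scope. The bundle path, the DH group size, and the PEM form of the DHParams value are assumptions; the group is generated outside the database with OpenSSL.

```sql
-- Added example: not from the Vertica release notes. The path, the 3072-bit
-- choice and the PEM encoding of DHParams are assumptions.

-- CA bundle used when Vertica is the TLS client to external services.
-- It must be readable by the database OS user on every node, and should
-- contain only CAs you actually trust for those services.
ALTER DATABASE DEFAULT SET PARAMETER SystemCABundlePath = '/etc/pki/tls/certs/ca-bundle.crt';

-- Custom DH group for key exchange. Generate it once outside the database:
--   openssl dhparam -out dh3072.pem 3072
-- and paste the resulting PEM block. The minimum accepted size is 2048 bits;
-- smaller groups (512/1024-bit) are the ones broken by Logjam-style attacks.
ALTER DATABASE DEFAULT SET PARAMETER DHParams =
'-----BEGIN DH PARAMETERS-----
<base64 body copied from dh3072.pem>
-----END DH PARAMETERS-----';

-- Confirm what is in effect on this node.
SELECT parameter_name, current_value
  FROM configuration_parameters
 WHERE parameter_name IN ('SystemCABundlePath', 'DHParams');
```

Treat the generated group like any other long-lived parameter: generate it on a trusted host, keep the same value on all nodes (ALTER DATABASE DEFAULT does this), and prefer ECDHE cipher suites where possible so finite-field DH is only a fallback.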

Unified Access Policies for External File Systems

By default, Vertica accesses HDFS and cloud file systems with user-supplied credentials and does not require USER storage locations. The new configuration parameter UseServerIdentityOverUserIdentity overrides this behavior: Vertica instead uses its own server identity and requires USER storage locations, so user access to external paths is governed by grants on those locations rather than by whatever credentials a session supplies. For more information about file-system credentials, see File Systems and Object Stores.
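The following is an added example, not code from the release notes, showing the parameter switched on and a USER storage location granted to a user. The bucket, prefix, table, file and user names are placeholders.

```sql
-- Added example: not from the Vertica release notes. Bucket, prefix, table,
-- file and user names are placeholders.

-- Default behaviour: each session's own credentials are used for s3:// and
-- hdfs:// paths, so whoever holds valid credentials can read any path.
-- Switch to the server identity and require USER storage locations instead:
ALTER DATABASE DEFAULT SET PARAMETER UseServerIdentityOverUserIdentity = 1;

-- Define the only prefix analysts may touch, and grant it explicitly.
CREATE LOCATION 's3://example-bucket/analytics/' SHARED USAGE 'USER' LABEL 'analytics_data';
GRANT READ ON LOCATION 's3://example-bucket/analytics/' TO analyst;

-- Issued as analyst: succeeds, because the path is inside a granted USER location
-- and Vertica reaches the bucket with its own credentials.
CREATE TABLE events (ts TIMESTAMP, user_id INT, action VARCHAR(64));
COPY events FROM 's3://example-bucket/analytics/events.csv' DELIMITER ',';

-- Issued as analyst: fails, because no USER location covers this prefix,
-- even though the server identity itself could read it.
COPY events FROM 's3://example-bucket/raw/events.csv' DELIMITER ',';

-- Audit which external prefixes are reachable by whom.
SELECT location_path, label, location_usage FROM storage_locations WHERE location_usage = 'USER';
SELECT grantee, privileges_description, object_name
  FROM grants
 WHERE object_type = 'LOCATION';
```

The security effect is that the access-control decision moves into the database: the server identity should be scoped to the buckets Vertica must reach, and each USER location then narrows that further per user. Audit the storage_locations and grants views after the change, since any path without a USER location becomes unreachable to non-superusers.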