ALTER TLS CONFIGURATION

Alters a specified TLS CONFIGURATION object. For information on existing TLS CONFIGURATION objects, query TLS_CONFIGURATIONS.

Syntax

ALTER TLS CONFIGURATION tls_config_name {
    [ CERTIFICATE { NULL | cert_name } 
    [ ADD CA CERTIFICATES ca_cert_name [,...] ]
    [ REMOVE CA CERTIFICATES ca_cert_name [,...] ]
    [ CIPHER SUITES { '' | 'openssl_cipher [,...]' } ]
    [ TLSMODE '{ DISABLE | ENABLE | TRY_VERIFY | VERIFY_CA | VERIFY_FULL }' ]
}

Parameters

tls_config_name

The TLS CONFIGURATION object to alter.
NULL

Removes the non-CA certificate from the TLS CONFIGURATION.
cert_name

A certificate created with CREATE CERTIFICATE.
ca_cert_name

A CA certificate created with CREATE CERTIFICATE.
openssl_cipher

A comma-separated list of cipher suites to use instead of the default set of cipher suites. Providing an empty string for this parameter clears the alternate cipher suite list and instructs the specified TLS CONFIGURATION to use the default set of cipher suites.

To view enabled cipher suites, use LIST_ENABLED_CIPHERS.
TLSMODE
'{ DISABLE
| ENABLE
| TRY_VERIFY
| VERIFY_CA
| VERIFY_FULL }'

How Vertica establishes TLS connections and handles client certificates, one of the following, in order of ascending security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.
  • ENABLE: Enables TLS. Vertica does not check client certificates.

  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • the client presents a valid certificate
    • the client doesn't present a certificate

    If the client presents an invalid certificate, the connection will use plaintext.

  • VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. Using this TLSMODE forces connections without a client certificate to use plaintext.
  • VERIFY_FULL: Connection succeeds if Vertica verifies that the certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the client.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the client.

VERIFY_FULL is unsupported for client-server TLS (the server TLS CONFIGURATION context) and behaves as VERIFY_CA.

Privileges

Superuser

Examples

To configure client-server TLS, see Configuring Client-server TLS.

To configure TLS for the LDAP Link service and its dry run functions, see TLS for LDAP Link.

To configure TLS for LDAP authentication records, see TLS for LDAP Authentication.

To remove all certificates and CA certificates from the LDAPLink TLS CONFIGURATION:

=>  SELECT * FROM tls_configurations WHERE name='LDAPLink';
   name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+---------
 LDAPLink | dbadmin | server_cert | ca             |               | DISABLE
 LDAPLink | dbadmin | server_cert | ica            |               | DISABLE
(2 rows)
            
=> ALTER TLS CONFIGURATION LDAPLink CERTIFICATE NULL REMOVE CA CERTIFICATES ca, ica;
ALTER TLS CONFIGURATION

=> SELECT * FROM tls_configurations WHERE name='LDAPLink';
   name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+---------
 LDAPLink | dbadmin |             |                |               | DISABLE
(3 rows)

To use an alternate set of cipher suites for client-server TLS:

 => ALTER TLS CONFIGURATION server CIPHER SUITES 
    'DHE-PSK-AES256-CBC-SHA384,
     DHE-PSK-AES128-GCM-SHA256,
     PSK-AES128-CBC-SHA256';
ALTER TLS CONFIGURATION

 => SELECT name, cipher_suites FROM tls_configurations WHERE name='server';
   name   |                               cipher_suites 
 server   | DHE-PSK-AES256-CBC-SHA384,DHE-PSK-AES128-GCM-SHA256,PSK-AES128-CBC-SHA256
(1 row)