ALTER TLS CONFIGURATION
Alters a specified TLS CONFIGURATION object. For information on existing TLS CONFIGURATION objects, query TLS_CONFIGURATIONS.
Syntax
ALTER TLS CONFIGURATION tls_config_name { [ CERTIFICATE { NULL | cert_name } [ ADD CA CERTIFICATES ca_cert_name [,...] ] [ REMOVE CA CERTIFICATES ca_cert_name [,...] ] [ CIPHER SUITES { '' | 'openssl_cipher [,...]' } ] [ TLSMODE '{ DISABLE | ENABLE | TRY_VERIFY | VERIFY_CA | VERIFY_FULL }' ] }
Parameters
tls_config_name
|
The TLS CONFIGURATION object to alter. |
NULL
|
Removes the non-CA certificate from the TLS CONFIGURATION. |
cert_name
|
A certificate created with CREATE CERTIFICATE. |
ca_cert_name
|
A CA certificate created with CREATE CERTIFICATE. |
openssl_cipher
|
A comma-separated list of cipher suites to use instead of the default set of cipher suites. Providing an empty string for this parameter clears the alternate cipher suite list and instructs the specified TLS CONFIGURATION to use the default set of cipher suites. To view enabled cipher suites, use LIST_ENABLED_CIPHERS. |
TLSMODE
|
How Vertica establishes TLS connections and handles client certificates, one of the following, in order of ascending security:
|
Privileges
Superuser
Examples
To configure client-server TLS, see Configuring Client-server TLS.
To configure TLS for the LDAP Link service and its dry run functions, see TLS for LDAP Link.
To configure TLS for LDAP authentication records, see TLS for LDAP Authentication.
To remove all certificates and CA certificates from the LDAPLink TLS CONFIGURATION:
=> SELECT * FROM tls_configurations WHERE name='LDAPLink'; name | owner | certificate | ca_certificate | cipher_suites | mode ----------+---------+-------------+----------------+---------------+--------- LDAPLink | dbadmin | server_cert | ca | | DISABLE LDAPLink | dbadmin | server_cert | ica | | DISABLE (2 rows) => ALTER TLS CONFIGURATION LDAPLink CERTIFICATE NULL REMOVE CA CERTIFICATES ca, ica; ALTER TLS CONFIGURATION => SELECT * FROM tls_configurations WHERE name='LDAPLink'; name | owner | certificate | ca_certificate | cipher_suites | mode ----------+---------+-------------+----------------+---------------+--------- LDAPLink | dbadmin | | | | DISABLE (3 rows)
To use an alternate set of cipher suites for client-server TLS:
=> ALTER TLS CONFIGURATION server CIPHER SUITES 'DHE-PSK-AES256-CBC-SHA384, DHE-PSK-AES128-GCM-SHA256, PSK-AES128-CBC-SHA256'; ALTER TLS CONFIGURATION => SELECT name, cipher_suites FROM tls_configurations WHERE name='server'; name | cipher_suites server | DHE-PSK-AES256-CBC-SHA384,DHE-PSK-AES128-GCM-SHA256,PSK-AES128-CBC-SHA256 (1 row)