TLS_CONFIGURATIONS

Lists settings for TLS CONFIGURATION objects for the server, LDAP, etc.

Column Name Data Type Description

NAME

VARCHAR

Name of the TLS CONFIGURATION object. Vertica includes the following TLS CONFIGURATIONs by default:

  • server: Client-server TLS.
  • LDAPLink: TLS when Vertica connects to the LDAP server for LDAP Link and its dry run functions.
  • LDAPAuth: TLS when a user granted an ldap authentication record attempts to log in and Vertica connects to the LDAP server to attempt a bind.
  • data_channel: Internode TLS between Vertica nodes.

OWNER

VARCHAR

Owner of the TLS CONFIGURATION object.

CERTIFICATE

VARCHAR

The certificate associated with the TLS CONFIGURATION object.

CA_CERTIFICATES

VARCHAR

The CA certificate(s) used to verify client certificates.

In cases where a TLS CONFIGURATION uses more than one CA, each CA will have its own row in the table.

CIPHER_SUITES

VARCHAR

The cipher suites used to secure the connection.

MODE

VARCHAR

How Vertica establishes TLS connections and handles client certificates. One of the following, listed in ascending order of security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.
  • ENABLE: Enables TLS. Vertica does not check client certificates.
  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • the client presents a valid certificate
    • the client doesn't present a certificate

    If the client presents an invalid certificate, the connection is not rejected; it falls back to plaintext.

  • VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. With this TLSMODE, a connection without a client certificate is not rejected; it falls back to plaintext.
  • VERIFY_FULL: Connection succeeds if Vertica verifies that the certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the client.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the client.

VERIFY_FULL is unsupported for client-server TLS (the server TLS CONFIGURATION context) and behaves as VERIFY_CA.

Examples

In this example, the LDAPAuth TLS CONFIGURATION uses two CA certificates:

=> SELECT * FROM tls_configurations WHERE name='LDAPAuth';
    name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca             |               | DISABLE
 LDAPAuth | dbadmin | server_cert | ica            |               | DISABLE
(2 rows)

To make the relationship between a TLS CONFIGURATION and its CA certificates clearer, aggregate the per-CA rows with LISTAGG:

=> SELECT name, owner, certificate, LISTAGG(ca_certificate) AS ca_certificates, cipher_suites, mode
FROM tls_configurations
WHERE name='LDAPAuth'
GROUP BY name, owner, certificate, cipher_suites, mode
ORDER BY 1;
   name   |  owner  | certificate | ca_certificates | cipher_suites |  mode
----------+---------+-------------+-----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca,ica          |               | DISABLE
(1 row)
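The query below is an added example and is not part of the Vertica reference page. It audits every TLS CONFIGURATION against the MODE semantics described above (which modes leave traffic in plaintext or skip certificate verification), and groups the per-CA rows back into one row per configuration with LISTAGG, as in the example above. The text in the finding column is this example's own wording, not a Vertica value, and the closing ALTER TLS CONFIGURATION statement is assumed syntax that this page does not document.

```sql
-- Added example (not from the Vertica reference page): audit every TLS
-- CONFIGURATION by the MODE semantics documented for this table and list
-- the CA certificates each one trusts. tls_configurations holds one row
-- per CA, so the rows are grouped back into one per configuration.
-- The "finding" text is this example's own wording, not a Vertica value.
SELECT name,
       mode,
       certificate,
       COUNT(ca_certificate)           AS ca_count,
       LISTAGG(ca_certificate)         AS ca_certificates,
       NVL(cipher_suites, '(default)') AS cipher_suites,
       CASE mode
         WHEN 'DISABLE'     THEN 'TLS off; traffic is plaintext'
         WHEN 'ENABLE'      THEN 'TLS on, but client certificates are never checked'
         WHEN 'TRY_VERIFY'  THEN 'an invalid client certificate falls back to plaintext'
         WHEN 'VERIFY_CA'   THEN 'a missing client certificate falls back to plaintext'
         WHEN 'VERIFY_FULL' THEN
           CASE WHEN name = 'server'
                THEN 'behaves as VERIFY_CA for client-server TLS'
                ELSE 'CA and hostname/IP verified'
           END
       END                             AS finding
FROM tls_configurations
GROUP BY name, mode, certificate, cipher_suites
-- Weakest configurations first, following the page's ascending-security order.
ORDER BY CASE mode
           WHEN 'DISABLE'    THEN 0
           WHEN 'ENABLE'     THEN 1
           WHEN 'TRY_VERIFY' THEN 2
           WHEN 'VERIFY_CA'  THEN 3
           ELSE 4
         END,
         name;

-- Hardening step. The ALTER TLS CONFIGURATION ... TLSMODE syntax is not
-- shown on this page and is assumed here: require a CA-verified client
-- certificate for client-server TLS. VERIFY_FULL would behave the same
-- way for the 'server' configuration, as noted above.
ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA';
```

Any row whose finding is not "CA and hostname/IP verified" is a candidate for review, and a VERIFY_CA or VERIFY_FULL configuration with a ca_count of 0 deserves a second look, because no CA is listed for it to verify against.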