Configuring Client-server TLS

Vertica offers two connection modes for client-server TLS:

  • In Server Mode, the client must verify the host's certificate. Hosts must have a server private key and certificate.
  • In Mutual Mode, the client and host must each verify the other’s certificate. Hosts must have a server private key, server certificate, and CA certificate(s).

Keep in mind that this page covers only the TLS connection step between clients and Vertica, not the subsequent step of authenticating Vertica users to the database. To configure authentication for TLS connections, see TLS Authentication.

Setting Certificates with TLS CONFIGURATION

  1. Generate or import the following according to your use case:
    • Server Mode: server certificate private key, server certificate
    • Mutual Mode: server certificate private key, server certificate, CA certificate(s)
  2. Run the following commands according to your desired configuration. New connections will use TLS.
    • To use Server Mode, set the server certificate for the server's TLS CONFIGURATION.
      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert;
    • To use Mutual Mode, set a server and CA certificate. This CA certificate is used to verify client certificates.
      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert ADD CA CERTIFICATES ca_cert;
    • To use multiple CA certificates, separate them with commas:
      => ALTER TLS CONFIGURATION server CERTIFICATE server_cert
         ADD CA CERTIFICATES intermediate_ca_cert, ca_cert;
  3. Enable TLS (disabled by default). Choose one of the following TLSMODEs, listed in ascending security. For Server Mode, choose ENABLE. For Mutual Mode, choose TRY_VERIFY or higher.

    • DISABLE: Disables TLS. All other options for this parameter enable TLS.
    • ENABLE: Enables TLS. Vertica does not check client certificates.
    • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

      • the client presents a valid certificate
      • the client doesn't present a certificate

      If the client presents an invalid certificate, the connection will use plaintext.

    • VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. Using this TLSMODE forces connections without a client certificate to use plaintext.

    For example, for Server Mode:

    => ALTER TLS CONFIGURATION server TLSMODE 'ENABLE';

    For example, for Mutual Mode:

    => ALTER TLS CONFIGURATION server TLSMODE 'TRY_VERIFY';
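As an added worked example that is not part of the original page, the following vsql session carries steps 1 through 3 through for Mutual Mode, generating the CA and server key pair inside the database instead of importing them. The subject names, key lengths and validity period are placeholder assumptions, and the final check assumes the tls_configurations system table is available in your Vertica version.

```sql
-- Step 1 (Mutual Mode): generate a private CA and a CA-signed server certificate
-- in-database. Subject fields, key sizes and validity are placeholder values.
CREATE KEY ca_key TYPE 'RSA' LENGTH 4096;
CREATE CA CERTIFICATE ca_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=ExampleCorp/OU=DB/CN=Example Root CA'
    VALID FOR 3650
    EXTENSIONS 'nsComment' = 'Example root CA used to verify client certificates'
    KEY ca_key;

CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=ExampleCorp/OU=DB/CN=vertica.example.com'
    SIGNED BY ca_cert
    EXTENSIONS 'nsComment' = 'Vertica server certificate', 'extendedKeyUsage' = 'serverAuth'
    KEY server_key;

-- Step 2: bind the server certificate and the CA that client certificates are
-- checked against. Only client certificates issued by ca_cert will verify.
ALTER TLS CONFIGURATION server CERTIFICATE server_cert ADD CA CERTIFICATES ca_cert;

-- Step 3: TRY_VERIFY still admits certificate-less clients over TLS and drops
-- clients with an invalid certificate to plaintext; VERIFY_CA only gives TLS to
-- clients whose certificate chains to ca_cert. Use the stricter mode once every
-- client has been issued a certificate.
ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA';

-- Check: confirm the mode and bound certificates before clients reconnect.
SELECT * FROM tls_configurations WHERE name = 'server';
```

Existing sessions keep their current transport; only connections opened after the TLSMODE change are negotiated under the new setting.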