Data Channel TLS

Nodes use the data channel to exchange table data during operations such as queries.

Internode communication uses the following channels. Their associated components and parameters must be enabled in the following order, before you enable other components:

  1. Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
  2. Data Channel to exchange table data. It is implemented using TCP.

Configuring the data_channel TLS CONFIGURATION

  1. Enable TLS on the control channel.
  2. Generate or import the following:
     • A CA (Certificate Authority) certificate. For example, to create a self-signed CA certificate, generate a key and then sign the CA certificate with it:

       => CREATE KEY ca_key TYPE 'RSA' LENGTH 2048;
       => CREATE CA CERTIFICATE ca_cert
          SUBJECT '/C=US/ST=MA/L=Cambridge/O=ExampleOrg/OU=ExampleOrgUnit/CN=Vertica Root CA'
          VALID FOR 365
          EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica-generated root CA cert'
          KEY ca_key;

     • The TLS certificate's private key. For example, to generate the key with CREATE KEY:

       => CREATE KEY internode_key TYPE 'RSA' LENGTH 2048;

     • A TLS certificate. It must have a full chain that ends in a CA, and it must be either X.509 v1 or carry the extendedKeyUsage extensions serverAuth and clientAuth. For example, to generate internode_cert and sign it with ca_cert:

       => CREATE CERTIFICATE internode_cert
          SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=ExampleOrg/OU=ExampleOrgUnit/CN=example/emailAddress=example@example.com'
          SIGNED BY ca_cert
          EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always', 'nsCertType' = 'server',
                     'extendedKeyUsage' = 'serverAuth, clientAuth',
                     'subjectAltName' = 'DNS.1:vnode1.example.com,IP:192.0.2.0'
          KEY internode_key;

  3. Set the certificate in the data_channel TLS CONFIGURATION. The TLSMODE is set to VERIFY_CA automatically and should not be changed:

       => ALTER TLS CONFIGURATION data_channel CERTIFICATE internode_cert;

  4. Verify that data channel encryption is enabled with SECURITY_CONFIG_CHECK('NETWORK'):

       => SELECT SECURITY_CONFIG_CHECK('NETWORK');
            SECURITY_CONFIG_CHECK
       ---------------------------
        Spread security details:
       * EncryptSpreadComm = [vertica]
       Spread encryption is enabled
       It is now safe to set/change other security knobs

       Data Channel security details:
        TLS Configuration 'data_channel' TLSMODE is VERIFY_CA
       TLS on the data channel is enabled
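The following script is an added example, not part of the Vertica documentation or product. It checks a PEM certificate against the two requirements stated in step 2 before you import it for the data_channel TLS CONFIGURATION: the chain must verify up to a CA, and the certificate must be either X.509 v1 or carry extendedKeyUsage with both serverAuth and clientAuth. It assumes the openssl command-line tool (1.1.1 or later) is installed. The CA, the two leaf certificates, the file names, and the function names (make_test_pki, cert_version, has_eku, check_data_channel_cert) are constructed for this example; the subjects and extensions mirror the CREATE CERTIFICATE statements above, and the second leaf deliberately omits extendedKeyUsage so that a rejection is shown.

```shell
#!/bin/sh
# Added example, not Vertica documentation code. Checks a PEM certificate
# against the data_channel requirements: the chain must verify up to a CA,
# and the certificate must be X.509 v1 or carry extendedKeyUsage with both
# serverAuth and clientAuth. Assumes the openssl CLI (1.1.1 or later).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: builds a constructed sample CA and two leaf certificates in
# $WORK, mirroring the CREATE CA CERTIFICATE / CREATE CERTIFICATE statements
# above. The second leaf deliberately omits extendedKeyUsage.
make_test_pki() {
    # Self-signed root CA with the usual CA constraints.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/C=US/ST=MA/L=Cambridge/O=ExampleOrg/CN=Vertica Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.cnf"
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" >/dev/null 2>&1

    # Internode private key and CSR (constructed sample subject).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/C=US/ST=Massachusetts/L=Cambridge/O=ExampleOrg/CN=example' \
        -keyout "$WORK/internode.key" -out "$WORK/internode.csr" >/dev/null 2>&1

    # Leaf 1: serverAuth + clientAuth, as data_channel requires.
    printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:vnode1.example.com,IP:192.0.2.0\n' \
        > "$WORK/ok.cnf"
    openssl x509 -req -days 365 -in "$WORK/internode.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ok.cnf" \
        -out "$WORK/internode.pem" >/dev/null 2>&1

    # Leaf 2: signed by the same CA but without extendedKeyUsage (must be rejected).
    printf 'subjectAltName=DNS:vnode2.example.com\n' > "$WORK/noeku.cnf"
    openssl x509 -req -days 365 -in "$WORK/internode.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/noeku.cnf" \
        -out "$WORK/noeku.pem" >/dev/null 2>&1
}

# cert_version: prints the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# has_eku: succeeds only if extendedKeyUsage lists both serverAuth
# ("TLS Web Server Authentication") and clientAuth ("TLS Web Client Authentication").
has_eku() {
    eku="$(openssl x509 -in "$1" -noout -text \
           | sed -n '/X509v3 Extended Key Usage/{n;p;}')"
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

# check_data_channel_cert CERT CA_BUNDLE
#   returns 0 when CERT is acceptable for data_channel,
#           1 when the chain does not verify against CA_BUNDLE,
#           2 when CERT is v3 but lacks the required extendedKeyUsage values.
check_data_channel_cert() {
    cert="$1"; ca="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    [ "$(cert_version "$cert")" = "1" ] && return 0   # v1 certificates have no extensions
    has_eku "$cert" || return 2
    return 0
}

make_test_pki
for f in internode.pem noeku.pem; do
    rc=0
    check_data_channel_cert "$WORK/$f" "$WORK/ca.pem" || rc=$?
    echo "$f: result $rc (0 = ok, 1 = chain failure, 2 = missing EKU)"
done
```

In practice you would point check_data_channel_cert at the PEM file you intend to import and at the bundle containing its issuing CA chain; a result other than 0 means the certificate would not satisfy the requirements listed in step 2, and the distinct return codes tell you whether the problem is the chain or the extendedKeyUsage values.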

Privileges

Superuser

Restrictions

  • In general, you should set EncryptSpreadComm before configuring data_channel.
  • Changes to the data_channel take effect immediately and interrupt all ongoing queries in order to update the connections between your nodes.