Internode TLS
Internode TLS secures communication between nodes within a cluster. It is important to secure communications between nodes if you do not trust the network between the nodes.
Before setting up internode TLS, check the current status of your configuration with SECURITY_CONFIG_CHECK.
=> SELECT SECURITY_CONFIG_CHECK('NETWORK');
Communication between the server nodes uses two channels: the control channel and data channel. To enable internode encryption, set the EncryptSpreadComm parameter (disabled by default) to encrypt Spread communication on the control channel and configure the data_channel TLS CONFIGURATION to encrypt the data channel:
-
Encrypt Spread communication on the control channel with
EncryptSpreadComm
. See Control Channel Spread TLS for details. -
Encrypt the data channel with the
data_channel
TLS CONFIGURATION. See Data Channel TLS for details.
If you enable internode encryption, some of your queries may run slower than expected. The performance you experience depends on the data sent and the network's quality.
Admintools generates or retrieves the spread key to encrypt all traffic on the control channel and ships the spread key to all nodes. Vertica uses TLS to encrypt all traffic on the data channel. TLS credentials are shared between nodes over the encrypted control channel.
The following graphic illustrates the internode encryption process.