Security Parameters

Use these client authentication configuration parameters and general security parameters to configure security.

Parameter / Description
DataSSLParams

Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:

  • An SSL certificate
  • The corresponding SSL private key
  • The SSL CA (Certificate Authority) certificate.

You cannot set this parameter if the EncryptSpreadComm parameter has not been set. Enabling this parameter requires a restart.

Example:

SELECT SET_CONFIG_PARAMETER('DataSSLParams',
'-----BEGIN CERTIFICATE-----ABC-----END CERTIFICATE-----,
-----BEGIN RSA PRIVATE KEY-----123-----END RSA PRIVATE KEY-----,
-----BEGIN CERTIFICATE-----ABC123-----END CERTIFICATE-----');

DefaultIdleSessionTimeout

Indicates a default session timeout value for all users where IDLESESSIONTIMEOUT is not set.

Example:

ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs';

DoUserSpecificFilteringInSysTables

Specifies whether a non-superuser can view details of another user, one of the following:

  • 0: Users can view details of other users.
  • 1: Users can only view details about themselves.

EnableAllRolesOnLogin

Automatically enables all roles granted to a user on login, one of the following:

  • 0 (default): Do not automatically enable roles
  • 1: Automatically enable roles. With this setting, users do not need to run SET ROLE.

EnabledCipherSuites

Specifies which SSL cipher suites to use for secure client-server communication.

Default Value: ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH

This setting excludes weaker cipher suites.

For a complete mapping of cipher suite names from JSSE to OpenSSL, see openssl.org.

EnableSSL

Enables SSL for the server, set to one of the following:

  • 0 (default): Disable
  • 1: Enable

For example:

ALTER DATABASE DEFAULT SET EnableSSL = '1';

For details, see Implementing SSL.

EncryptSpreadComm

Enables encryption on the control channel. The value of this parameter is a string set to one of the following:

  • Empty: encryption is not enabled.
  • vertica: upon restarting the database, Vertica generates the spread encryption key for the cluster.
  • aws-kms|<key_name> (for example, aws-kms|my_test_key): upon restarting the database, Vertica fetches the named key from AWS KMS instead of generating its own.

Enabling this parameter requires a restart. If the parameter is empty, encryption does not occur.

Example:

SELECT SET_CONFIG_PARAMETER('EncryptSpreadComm', 'vertica');

GlobalHeirUserName

A string that specifies which user inherits objects after their owners are dropped. This setting preserves data that would otherwise be lost when a user is dropped.

Set this parameter to one of the following string values:

  • Empty string: Objects of dropped users are removed from the database.
  • username: Reassigns objects of dropped users to username. If username does not exist, Vertica creates that user and sets GlobalHeirUserName to it.
  • <auto> (default): Reassigns objects of dropped LDAP users to user dbadmin.

    Note: Be sure to include the angle brackets < >.

See below for an example.

RequireFIPS

Specifies whether FIPS mode is enabled or disabled. You cannot modify this parameter. The value of this parameter matches the contents of the file crypto.fips_enabled. On startup, Vertica automatically sets this parameter to one of the following:

  • 0: FIPS disabled
  • 1: FIPS enabled

For details, see Implement FIPS on the Server.

SecurityAlgorithm

Sets the algorithm for the function that hash authentication uses, one of the following:

  • MD5
  • SHA-512

For example:

ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

Default Value: 'NONE'

SSLCA

Sets the SSL certificate authority. Include the contents of the certificate authority root.crt file, but exclude the file name. For example:

ALTER DATABASE DEFAULT SET SSLCA = 'contents of root.crt file';

SSLCertificate

Sets the SSL certificate. Include the contents of the server.crt file, but exclude the file name. If your SSL certificate is a certificate chain, set this parameter to the contents of the top-most certificate of the certificate chain.

For example:

ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';

SSLPrivateKey

The server's private key, visible only to dbadmin users. This parameter is set to the contents of the server.key file; it excludes the file name. For example:

ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';
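The DataSSLParams example above and the SSLCA / SSLCertificate / SSLPrivateKey statements all take raw PEM contents as SQL string literals, which is easy to get wrong by hand (wrong element order, a key pasted where a certificate belongs, an unescaped quote). The following is an added helper, not part of this documentation or of Vertica, that checks the PEM block type of each input before building the statements; the PEM samples are constructed placeholders in the page's own "ABC" / "123" style.

```python
import re

# Constructed PEM-style samples for the demo (not real credentials); their
# bodies follow the page's own "ABC" / "123" placeholder convention.
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nABC\n-----END CERTIFICATE-----\n"
SERVER_KEY = "-----BEGIN RSA PRIVATE KEY-----\n123\n-----END RSA PRIVATE KEY-----\n"
ROOT_CRT = "-----BEGIN CERTIFICATE-----\nABC123\n-----END CERTIFICATE-----\n"

# One PEM block: BEGIN label, body, and an END label that must match the BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n?(.*?)\n?-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

def pem_of_type(text, allowed):
    """Return `text` (trimmed) after checking that it holds at least one PEM
    block and that every block's label is in `allowed`. A private key where a
    certificate is expected, or vice versa, is rejected; this catches the
    ordering mistake that DataSSLParams' comma-separated value invites."""
    labels = [label for label, _ in PEM_BLOCK.findall(text)]
    if not labels:
        raise ValueError("no PEM block found")
    for label in labels:
        if label not in allowed:
            raise ValueError(f"expected one of {sorted(allowed)}, got {label!r}")
    return text.strip()

def sql_literal(s):
    """Quote a string for a Vertica SQL statement: single quotes are doubled."""
    return "'" + s.replace("'", "''") + "'"

def alter_sql(param, pem):
    """ALTER DATABASE form used for SSLCA, SSLCertificate and SSLPrivateKey."""
    return f"ALTER DATABASE DEFAULT SET {param} = {sql_literal(pem)};"

def data_ssl_params_sql(cert, key, ca):
    """SET_CONFIG_PARAMETER call for DataSSLParams: certificate, then private
    key, then CA certificate, comma-separated, in exactly that order."""
    parts = [pem_of_type(cert, {"CERTIFICATE"}),
             pem_of_type(key, KEY_LABELS),
             pem_of_type(ca, {"CERTIFICATE"})]
    return ("SELECT SET_CONFIG_PARAMETER('DataSSLParams', "
            + sql_literal(",\n".join(parts)) + ");")

if __name__ == "__main__":
    print(alter_sql("SSLCertificate", pem_of_type(SERVER_CRT, {"CERTIFICATE"})))
    print(alter_sql("SSLPrivateKey", pem_of_type(SERVER_KEY, KEY_LABELS)))
    print(alter_sql("SSLCA", pem_of_type(ROOT_CRT, {"CERTIFICATE"})))
    print(data_ssl_params_sql(SERVER_CRT, SERVER_KEY, ROOT_CRT))
```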

Examples

Set security parameter value GlobalHeirUserName:

=> \du
      List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUserName='SuzyQ';
ALTER DATABASE
=>  \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE

=> \c
You are now connected as user "dbadmin".
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927:  The Table t1 depends on User Joe
ROLLBACK 3128:  DROP failed due to dependencies
DETAIL:  Cannot drop User Joe because other objects depend on it
HINT:  Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)
