Security Parameters

Use these client authentication configuration parameters and general security parameters to configure TLS/SSL security. For more information, see Configuring SSL. For Kerberos-related parameters, see Kerberos Authentication Parameters.

Parameter Description
DataSSLParams

Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:

  • An SSL certificate
  • The corresponding SSL private key
  • The SSL CA (Certificate Authority) certificate

You cannot set this parameter unless EncryptSpreadComm is also set. Enabling it requires a database restart.

For example:

=> ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams =
'-----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----,
-----BEGIN RSA PRIVATE KEY-----<private key for Cluster A>-----END RSA PRIVATE KEY-----,
-----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----';
DefaultIdleSessionTimeout

Specifies a default session timeout value for all users whose IDLESESSIONTIMEOUT parameter is not set.

Example:

ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs';
DoUserSpecificFilteringInSysTables

Specifies whether a non-superuser can view details of another user. This parameter must be set to one of the following:

  • 0: Users can view the details of other users.
  • 1: Users can only view details about themselves.
EnableAllRolesOnLogin

Automatically enables all roles granted to a user on login. This parameter must be set to one of the following:

  • 0 (default): Roles are not automatically enabled.
  • 1: Automatically enables roles (users do not need to run SET ROLE).
EnabledCipherSuites

Specifies the SSL cipher suites to use for secure client-server communication.

Default: ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH

This is OpenSSL cipher-string syntax: it starts from every suite (ALL), removes anonymous DH (!ADH), low-strength (!LOW) and export-grade (!EXP) suites and any suite using MD5 or RC4, and sorts the remainder by key length (@STRENGTH).

For a complete mapping of cipher suite names from JSSE to OpenSSL, see openssl.org.
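What a cipher string actually allows depends on the OpenSSL build that evaluates it, so it is worth expanding the string before relying on it. The following Python script is an added example, not part of the Vertica documentation or product: it expands a string with the local OpenSSL (assumed to be close to the one Vertica links against) and lists suites that survive with no server authentication or with static RSA key exchange. STRICT_EXAMPLE is an illustrative stricter string for comparison, not a Vertica recommendation.

```python
"""Expand an EnabledCipherSuites string with the local OpenSSL and inspect the result.

Added example, not Vertica code. It assumes the host's OpenSSL build is close
enough to the one Vertica links against for the expansion to be representative.
"""
import ssl
from typing import Dict, List

# The page's default for EnabledCipherSuites.
VERTICA_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH"
# A stricter string used for comparison (an assumption, not a Vertica recommendation):
# !aNULL removes every anonymous suite, !kRSA removes static-RSA key exchange.
STRICT_EXAMPLE = "HIGH:!aNULL:!kRSA:!MD5:!RC4:@STRENGTH"


def expand_cipher_string(cipher_string: str) -> List[Dict]:
    """Return the suites OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError when nothing is selected
    return ctx.get_ciphers()


def selects_nothing(cipher_string: str) -> bool:
    """True when OpenSSL rejects the string outright: an empty selection fails closed."""
    try:
        expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return True
    return False


def weak_suites(ciphers: List[Dict]) -> List[str]:
    """Suites the page's default is meant to exclude; expected to be empty."""
    markers = ("RC4", "MD5", "EXP", "ADH")
    return [c["name"] for c in ciphers if any(m in c["name"] for m in markers)]


def anonymous_suites(ciphers: List[Dict]) -> List[str]:
    """Suites with no server authentication (OpenSSL prints Au=None for them).

    !ADH only removes anonymous finite-field DH; anonymous ECDH (AECDH-*) is a
    separate alias, so it can survive the default string on builds that ship it.
    """
    return [c["name"] for c in ciphers if "Au=None" in c["description"].split()]


def non_forward_secret(ciphers: List[Dict]) -> List[str]:
    """Static RSA key exchange: a leaked server key decrypts recorded sessions."""
    return [c["name"] for c in ciphers if "Kx=RSA" in c["description"].split()]


if __name__ == "__main__":
    for label, s in (("default", VERTICA_DEFAULT), ("strict", STRICT_EXAMPLE)):
        suites = expand_cipher_string(s)
        print(f"{label}: {len(suites)} suites, weak={weak_suites(suites)}, "
              f"anonymous={anonymous_suites(suites)}, "
              f"static RSA={len(non_forward_secret(suites))}")
```

Run it on a node with the same OpenSSL as the database. If `anonymous_suites` reports AECDH-* names for the default string, add `!aNULL` rather than relying on `!ADH` alone; and note that a string matching nothing is rejected by OpenSSL instead of silently allowing everything.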

EnableSSL

Indicates whether to enable the use of TLS/SSL for connections to the Vertica database. This parameter must be set to one of the following:

  • 0 (default): Disable
  • 1: Enable

For example:

ALTER DATABASE DEFAULT SET EnableSSL = '1';

For details, see TLS Protocol.

EncryptSpreadComm

Specifies how the key for encrypting the control channel (Spread) is generated or retrieved. The value of this parameter is a string set to one of the following:

  • Empty: Encryption is disabled
  • vertica: Vertica generates a Spread encryption key on database startup
  • aws-kms|key_name: Vertica fetches the key named key_name from AWS Key Management Service (KMS) on database startup

You must restart the database for changes to this parameter to take effect.

For example:

SELECT SET_CONFIG_PARAMETER('EncryptSpreadComm', 'vertica');

GlobalHeirUsername

Specifies a user that inherits objects if their owners are dropped. This parameter must be set to one of the following:

  • An empty string: Objects of dropped users are removed from the database.
  • username: Reassigns objects of dropped users to username. If username does not exist, Vertica creates that user and sets GlobalHeirUsername to it.
  • <auto> (default): Reassigns objects of dropped LDAP users to user dbadmin.

    Be sure to include the angle brackets < >.

See below for an example.

ImportExportTLSMode

Specifies how to handle connections with TLS when using CONNECT to connect to another Vertica cluster for import or export. This parameter must be set to one of the following:

  • PREFER: Try TLS but fall back to plaintext if TLS fails.
  • REQUIRE: Use TLS and fail if the server does not support TLS.
  • VERIFY_CA: Require TLS (as with REQUIRE), and also validate the other server's certificate using the CA specified by SSLCA.
  • VERIFY_FULL: Require TLS and validate the certificate (as with VERIFY_CA), and also validate the server certificate's hostname.
  • REQUIRE_FORCE, VERIFY_CA_FORCE, and VERIFY_FULL_FORCE: Same behavior as REQUIRE, VERIFY_CA, and VERIFY_FULL, respectively, and cannot be overridden by CONNECT.

Default: PREFER

PasswordMinLifeTime

Specifies the number of days that must pass before the password can be changed.

Value range: 0 to 365, inclusive

Default: 0

PasswordMinCharChange

Specifies the minimum number of characters that must be different from the previous password.

If this value exceeds the PASSWORD_MAX_LENGTH set in a user's profile, that user can set a password whose length equals PasswordMinCharChange; the profile's PASSWORD_MAX_LENGTH itself is unchanged.

Value range: 0 to 512, inclusive

Default: 0

RequireFIPS

Specifies whether FIPS mode is enabled. You cannot modify this parameter: on startup, Vertica sets it to match the kernel setting crypto.fips_enabled (read from /proc/sys/crypto/fips_enabled), so its value is one of the following.

  • 0: Disable
  • 1: Enable

For details, see Implement FIPS on the Server.

SecurityAlgorithm

Specifies the hashing algorithm for hash authentication. This parameter must be set to one of the following:

  • MD5
  • SHA512

For example:

ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

Default: NONE

SSLCA

Specifies an SSL certificate authority (CA) certificate. For example:

ALTER DATABASE DEFAULT SET SSLCA = 'contents of root.crt file';

SSLCertificate

Specifies an SSL certificate. If TLS/SSL is enabled, this parameter contains the Vertica database server certificate, which the Vertica database server provides to verify itself to clients. If your SSL certificate is a certificate chain, set this parameter to the contents from the top-most certificate of the chain.

For example:

ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';

SSLPrivateKey

Specifies the corresponding private key for the SSLCertificate. This parameter is visible only to dbadmin. For example:

ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';
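DataSSLParams, SSLCA, SSLCertificate and SSLPrivateKey all take PEM text pasted into a string literal, which invites mistakes such as a key in a certificate slot, an encrypted key, or DataSSLParams set before EncryptSpreadComm. The following Python script is an added example, not Vertica code: it validates each PEM block, assembles the comma-separated DataSSLParams value in the layout the DataSSLParams example above uses (certificate chain, key, CA), and emits the ALTER DATABASE statements for all four parameters. It assumes that PKCS#8 "PRIVATE KEY" and "EC PRIVATE KEY" labels are accepted alongside "RSA PRIVATE KEY" and that a quote inside a literal is escaped by doubling it; the PEM inputs are constructed placeholders, not real certificates.

```python
"""Assemble Vertica TLS parameter statements from PEM material.

Added example, not Vertica's own code. Assumptions not stated on the page:
PKCS#8 "PRIVATE KEY" and "EC PRIVATE KEY" blocks are accepted as well as
"RSA PRIVATE KEY", and a single quote inside a value is escaped by doubling it,
as in standard SQL. Certificate blocks are passed through in file order.
"""
import base64
import re
import textwrap
from typing import Callable, List, Set

# One PEM block: label, base64 body (whitespace allowed), matching END label.
# Headers such as "Proc-Type: 4,ENCRYPTED" do not match, so an encrypted
# PKCS#1 key is reported as "no PEM block" rather than silently accepted.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)
CERT_LABELS: Set[str] = {"CERTIFICATE"}
KEY_LABELS: Set[str] = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}  # assumption


def pem_blocks(text: str, allowed: Set[str]) -> List[str]:
    """Return the PEM blocks in text, re-wrapped at 64 columns.

    Raises ValueError for a label outside `allowed` (a key pasted into a
    certificate slot, an "ENCRYPTED PRIVATE KEY"), a body that is not valid
    base64, or no usable block at all.
    """
    blocks: List[str] = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = re.sub(r"\s+", "", m.group("body"))
        if label not in allowed:
            raise ValueError(f"unexpected PEM block {label!r}; expected one of {sorted(allowed)}")
        if not body:
            raise ValueError(f"{label} block is empty")
        try:
            base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"{label} block is not valid base64") from exc
        wrapped = "\n".join(textwrap.wrap(body, 64))
        blocks.append(f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----")
    if not blocks:
        raise ValueError(f"no PEM block labelled {sorted(allowed)} found")
    return blocks


def single_key(key_pem: str) -> str:
    keys = pem_blocks(key_pem, KEY_LABELS)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return keys[0]


def sql_literal(value: str) -> str:
    """Quote a parameter value; PEM never contains a quote, but escape anyway."""
    return "'" + value.replace("'", "''") + "'"


def set_parameter(name: str, value: str) -> str:
    return f"ALTER DATABASE DEFAULT SET PARAMETER {name} = {sql_literal(value)};"


def data_ssl_params(cert_chain_pem: str, key_pem: str, ca_pem: str) -> str:
    """DataSSLParams value in the page's layout: certificate chain, key, CA;
    groups separated by commas, certificates within a group by newlines."""
    chain = "\n".join(pem_blocks(cert_chain_pem, CERT_LABELS))
    ca = "\n".join(pem_blocks(ca_pem, CERT_LABELS))
    return ",".join([chain, single_key(key_pem), ca])


def tls_statements(cert_pem: str, key_pem: str, ca_pem: str,
                   encrypt_spread_comm: str = "", data_channel: bool = False) -> List[str]:
    """Statements for client-server TLS and, optionally, the data channel.

    DataSSLParams is refused while EncryptSpreadComm is empty, the dependency
    the page states; both of those parameters need a database restart.
    """
    stmts = [
        set_parameter("SSLCA", "\n".join(pem_blocks(ca_pem, CERT_LABELS))),
        set_parameter("SSLCertificate", "\n".join(pem_blocks(cert_pem, CERT_LABELS))),
        set_parameter("SSLPrivateKey", single_key(key_pem)),
        set_parameter("EnableSSL", "1"),
    ]
    if data_channel:
        if not encrypt_spread_comm:
            raise ValueError("DataSSLParams cannot be set while EncryptSpreadComm is unset")
        stmts.append(set_parameter("EncryptSpreadComm", encrypt_spread_comm))
        stmts.append(set_parameter("DataSSLParams", data_ssl_params(cert_pem, key_pem, ca_pem)))
    return stmts


def rejected(fn: Callable, *args) -> bool:
    """True if fn(*args) raises ValueError; lets callers probe the checks above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def fake_pem(label: str, payload: bytes) -> str:
    """Constructed placeholder with valid PEM framing; not real key material."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed stand-ins for server.crt (leaf + intermediate), server.key and root.crt.
SERVER_CHAIN = (fake_pem("CERTIFICATE", b"constructed cluster certificate")
                + fake_pem("CERTIFICATE", b"constructed intermediate CA certificate"))
SERVER_KEY = fake_pem("RSA PRIVATE KEY", b"constructed private key")
ROOT_CA = fake_pem("CERTIFICATE", b"constructed root CA certificate")

if __name__ == "__main__":
    for stmt in tls_statements(SERVER_CHAIN, SERVER_KEY, ROOT_CA, "vertica", data_channel=True):
        print(stmt, end="\n\n")
```

Feed the output to vsql as dbadmin; the generated statements are the same ones shown above, with the PEM material taken from files instead of pasted by hand. The script deliberately does not verify that the certificate and key match or that the chain validates against the CA; do that with openssl before loading the material into the database.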

Examples

Set GlobalHeirUsername so that objects owned by a dropped user are reassigned rather than removed:

=> \du
      List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUsername='SuzyQ';
ALTER DATABASE
=>  \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE

=> \c
You are now connected as user "dbadmin".
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927:  The Table t1 depends on User Joe
ROLLBACK 3128:  DROP failed due to dependencies
DETAIL:  Cannot drop User Joe because other objects depend on it
HINT:  Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)