Security Parameters
Use these client authentication configuration parameters and general security parameters to configure TLS/SSL security. For more information, see Configuring SSL. For Kerberos-related parameters, see Kerberos Authentication Parameters.
Parameter | Description |
---|---|
DataSSLParams |
Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:
You cannot set this parameter if parameter
For example:
=> ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams = '-----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----, -----BEGIN RSA PRIVATE KEY-----<private key for Cluster A>-----END RSA PRIVATE KEY-----, -----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----'; |
DefaultIdleSessionTimeout |
Specifies a default session timeout value for all users whose
Example:
ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs'; |
DoUserSpecificFilteringInSysTables |
Specifies whether a non-superuser can view details of another user. This parameter must be set to one of the following:
|
EnableAllRolesOnLogin |
Automatically enables all roles granted to a user on login. This parameter must be set to one of the following:
|
EnabledCipherSuites |
Specifies the SSL cipher suites to use for secure client-server communication. Default: This setting excludes weaker cipher suites. For a complete mapping of cipher suite names from JSSE to OpenSSL, see openssl.org. |
EnableSSL |
Indicates whether to enable the use of TLS/SSL for connections to the Vertica database. This parameter must be set to one of the following:
For example:
ALTER DATABASE DEFAULT SET EnableSSL = '1';
For details, see TLS Protocol. |
EncryptSpreadComm |
Specifies a key generation or retrieval method for enabling encryption on the control channel. The value of this parameter is a string set to one of the following:
You must restart the database for changes to this parameter to take effect. For example:
SELECT SET_CONFIG_PARAMETER('EncryptSpreadComm', 'vertica'); |
GlobalHeirUsername |
Specifies a user that inherits objects if their owners are dropped. This parameter must be set to one of the following:
See below for an example. |
ImportExportTLSMode |
Specifies how to handle connections with TLS when using CONNECT to connect to another Vertica cluster for import or export. This parameter must be set to one of the following:
Default: |
PasswordMinLifeTime |
Specifies the number of days that must pass before the password can be changed. Value range: 0 to 365, inclusive Default: 0 |
PasswordMinCharChange |
Specifies the minimum number of characters that must be different from the previous password. If this value exceeds the Value range: 0 to 512, inclusive Default: 0 |
RequireFIPS |
Specifies whether to enable FIPS mode. You cannot modify this parameter. The value of this parameter matches the contents of the file
For details, see Implement FIPS on the Server. |
SecurityAlgorithm |
Specifies the hashing algorithm for hash authentication. This parameter must be set to one of the following:
For example:
ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';
Default: |
SSLCA |
Specifies an SSL certificate authority (CA) certificate. For example:
ALTER DATABASE DEFAULT SET SSLCA = 'contents of root.crt file';
|
SSLCertificate |
Specifies an SSL certificate. If TLS/SSL is enabled, this parameter contains the Vertica database server certificate, which the Vertica database server provides to verify itself to clients. If your SSL certificate is a certificate chain, set this parameter to the contents from the top-most certificate of the chain. For example:
ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';
|
SSLPrivateKey |
Specifies the corresponding private key for the
ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';
|
Examples
Set security parameter value GlobalHeirUsername:
=> \du
      List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUsername='SuzyQ';
ALTER DATABASE
=> \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE
=> \c
You are now connected as user "dbadmin".
=> \dt t1
              List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927: The Table t1 depends on User Joe
ROLLBACK 3128: DROP failed due to dependencies
DETAIL: Cannot drop User Joe because other objects depend on it
HINT: Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
              List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)
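
Check and assemble a DataSSLParams value before pasting it into ALTER DATABASE. This is an added example, not code from the Vertica documentation. The element order and separators are assumed from the DataSSLParams example in the table above, and the function names and sample PEM blocks are constructed for illustration.

```python
import base64
import re

# One PEM block; group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, pem_text)] for every well-formed PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())
        if not body:
            raise ValueError("empty PEM body")
        base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        blocks.append((m.group(1), m.group(0).strip()))
    return blocks

def build_data_ssl_params(chain_pem, key_pem, ca_pem):
    """Join certificate(s), private key and CA certificate in the order and
    with the separators used in the page's DataSSLParams example (assumed)."""
    chain, key, ca = pem_blocks(chain_pem), pem_blocks(key_pem), pem_blocks(ca_pem)
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("first element must contain only certificates")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        raise ValueError("second element must be exactly one private key")
    if len(ca) != 1 or ca[0][0] != "CERTIFICATE":
        raise ValueError("third element must be exactly one CA certificate")
    return ", ".join([" ".join(pem for _, pem in chain), key[0][1], ca[0][1]])

def alter_statement(value):
    """Render the ALTER DATABASE statement; quotes are doubled for the literal."""
    escaped = value.replace("'", "''")
    return f"ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams = '{escaped}';"

def sample_pem(label, payload):
    """Constructed placeholder block: valid PEM framing, not real key material."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    value = build_data_ssl_params(
        sample_pem("CERTIFICATE", b"cluster") + sample_pem("CERTIFICATE", b"non-root CA"),
        sample_pem("RSA PRIVATE KEY", b"private key"),
        sample_pem("CERTIFICATE", b"public CA"))
    print(alter_statement(value))
```

The rendered statement contains the private key in clear text, so handle it with the same care as the key file itself.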