Vertica Analytics Platform Version 9.2.x Documentation

Security Parameters

Use these client authentication configuration parameters and general security parameters to configure TLS/SSL security. For more information, see Configuring SSL. For Kerberos-related parameters, see Kerberos Authentication Parameters.

Parameter Description
DataSSLParams

Enables encryption using SSL on the data channel. The value of this parameter is a comma-separated list of the following:

  • An SSL certificate
  • The corresponding SSL private key
  • The SSL CA (Certificate Authority) certificate

You cannot set this parameter if parameter EncryptSpreadComm is not set. Enabling this parameter requires a restart.

For example:

=> ALTER DATABASE DEFAULT SET PARAMETER DataSSLParams =
'-----BEGIN CERTIFICATE-----<certificate for Cluster>-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----<certificate for non-root CA>-----END CERTIFICATE-----,
-----BEGIN RSA PRIVATE KEY-----<private key for Cluster A>-----END RSA PRIVATE KEY-----,
-----BEGIN CERTIFICATE-----<certificate for public CA>-----END CERTIFICATE-----';
DefaultIdleSessionTimeout

Specifies a default session timeout value for all users whose IDLESESSIONTIMEOUT parameter is not set.

Example:

ALTER DATABASE DEFAULT SET defaultidlesessiontimeout = '300 secs';
DoUserSpecificFilteringInSysTables

Specifies whether a non-superuser can view details of another user. This parameter must be set to one of the following:

  • 0: Users can view the details of other users.
  • 1: Users can only view details about themselves.
EnableAllRolesOnLogin

Automatically enables all roles granted to a user on login. This parameter must be set to one of the following:

  • 0 (default): Roles are not automatically enabled.
  • 1: Automatically enables roles (users do not need to run SET ROLE).
EnabledCipherSuites

Specifies the SSL cipher suites to use for secure client-server communication.

Default: ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH

This setting excludes weaker cipher suites.

For a complete mapping of cipher suite names from JSSE to OpenSSL, see openssl.org.

EnableSSL

Indicates whether to enable the use of TLS/SSL for connections to the Vertica database. This parameter must be set to one of the following:

  • 0 (default): Disable
  • 1: Enable

For example:

ALTER DATABASE DEFAULT SET EnableSSL = '1';

For details, see TLS Protocol.

EncryptSpreadComm

Specifies a key generation or retrieval method for enablign encryption on the control channel. The value of this parameter is a string set to one of the following:

  • Empty: Encryption is disabled
  • vertica: Vertica generates a spread encryption key on database startup
  • aws-kms|key_name: Vertica fetches the specified key from the AWS key management service (KMS) on database startup

You must restart the database for changes to this parameter to take effect.

For example:

SELECT SET_CONFIG_PARAMETER('EncryptSpreadComm', 'vertica');

GlobalHeirUsername

Specifies a user that inherits objects if their owners are dropped. This parameter must be set to one of the following:

  • An empty string: Objects of dropped users are removed from the database.
  • username: Reassigns objects of dropped users to username. If username does not exist, Vertica creates that user and sets GlobalHeirUsername to it.
  • <auto> (default): Reassigns objects of dropped LDAP users to user dbadmin.

    Be sure to include the angle brackets < >.

See below for an example.

ImportExportTLSMode

Specifies how to handle connections with TLS when using CONNECT to connect to another Vertica cluster for import or export. This parameter must be set to one of the following:

  • PREFER: Try TLS but fall back to plaintext if TLS fails.
  • REQUIRE: Use TLS and fail if the server does not support TLS.
  • VERIFY_CA: Require TLS (as with REQUIRE), and also validate the other server's certificate using the CA specified by SSLCA.
  • VERIFY_FULL: Require TLS and validate the certificate (as with VERIFY_CA), and also validate the server certificate's hostname.
  • REQUIRE_FORCE, VERIFY_CA_FORCE, and VERIFY_FULL_FORCE: Same behavior as REQUIRE, VERIFY_CA, and VERIFY_FULL, respectively, and cannot be overridden by CONNECT.

Default: PREFER

PasswordMinLifeTime

Specifies the number of days that must pass before the password can be changed.

Value range: 0 to 365, inclusive

Default: 0

PasswordMinCharChange

Specifies the minimum number of characters that must be different from the previous password.

If this value exceeds the PASSWORD_MAX_LENGTH parameter for a user's profile, the user will be able to set a password with a length equal to PasswordMinCharChange. This will not change the PASSWORD_MAX_LENGTH parameter for that profile.

Value range: 0 to 512, inclusive

Default: 0

RequireFIPS

Specifies whether to enable FIPS mode. You cannot modify this parameter. The value of this parameter matches the contents of the file crypto.fips_enabled. On startup, Vertica automatically sets this parameter to one of the following.

  • 0: Disable
  • 1: Enable

For details, see Implement FIPS on the Server.

SecurityAlgorithm

Specifies the hashing algorithm for hash authentication. This parameter must be set to one of the following:

  • MD5
  • SHA-512

For example:

ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

Default: NONE

SSLCA

Specifies an SSL certificate authority (CA) certificate. For example:

ALTER DATABASE DEFAULT SET SSLCA = 'contents of root.crt file';

SSLCertificate

Specifies an SSL certificate. If TLS/SSL is enabled, this parameter contains the Vertica database server certificate, which the Vertica database server provides to verify itself to clients. If your SSL certificate is a certificate chain, set this parameter to the contents from the top-most certificate of the chain.

For example:

ALTER DATABASE DEFAULT SET SSLCertificate = 'contents of server.crt file';

SSLPrivateKey

Specifies the corresponding private key for the SSLCertificate. This parameter is visible only to dbadmin. For example:

ALTER DATABASE DEFAULT SET SSLPrivateKey = 'contents of server.key file';

Examples

Set security parameter value GlobalHeirUsername:

=> \du
      List of users
 User name | Is Superuser
-----------+--------------
 Joe       | f
 SuzyQ     | f
 dbadmin   | t
(3 rows)

=> ALTER DATABASE DEFAULT SET PARAMETER GlobalHeirUsername='SuzyQ';
ALTER DATABASE
=>  \c - Joe
You are now connected as user "Joe".
=> CREATE TABLE t1 (a int);
CREATE TABLE

=> \c
You are now connected as user "dbadmin".
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | Joe   |
(1 row)

=> DROP USER Joe;
NOTICE 4927:  The Table t1 depends on User Joe
ROLLBACK 3128:  DROP failed due to dependencies
DETAIL:  Cannot drop User Joe because other objects depend on it
HINT:  Use DROP ... CASCADE to drop the dependent objects too
=> DROP USER Joe CASCADE;
DROP USER
=> \dt t1
             List of tables
 Schema | Name | Kind  | Owner | Comment
--------+------+-------+-------+---------
 public | t1   | table | SuzyQ |
(1 row)