Configuring Connection Security Between Clusters
When copying data between clusters, Vertica can encrypt both data and plan metadata.
Data is encrypted if you configure internode encryption (see Internode TLS).
For metadata, by default Vertica tries TLS first and falls back to plaintext. You can configure Vertica to require TLS and to fail if the connection cannot be made. You can also have Vertica verify the certificate and hostname before connecting.
Enabling TLS Between Clusters
To use TLS between clusters, you must first configure TLS between nodes:
- Set the EncryptSpreadComms parameter.
- Set the DataSSLParams parameter.
- Set the ImportExportTLSMode parameter.
To specify the level of strictness when connecting to another cluster, set the ImportExportTLSMode configuration parameter. This parameter applies for both importing and exporting data. The possible values are:
PREFER: Try TLS but fall back to plaintext if TLS fails.REQUIRE: Use TLS and fail if the server does not support TLS.VERIFY_CA: Require TLS (as with REQUIRE), and also validate the other server's certificate using the CA specified bySSLCA.VERIFY_FULL: Require TLS and validate the certificate (as with VERIFY_CA), and also validate the server certificate's hostname.REQUIRE_FORCE,VERIFY_CA_FORCE, andVERIFY_FULL_FORCE: Same behavior asREQUIRE,VERIFY_CA, andVERIFY_FULL, respectively, and cannot be overridden by CONNECT.
ImportExportTLSMode is a global parameter that applies to all import and export connections you make using CONNECT. You can override it for an individual connection.
For more information about these and other configuration parameters, see Security Parameters.