Vertica Analytics Platform Version 9.2.x Documentation

Connecting Securely from MC to a Vertica Database

When you use MC to monitor and manage a Vertica database, MC (running in a browser) connects as the client to the Vertica database server.

MC Uses JDBC for Most Database Connections

MC uses Java Database Connectivity (JDBC) for most connections to a Vertica database, including:

  • Retrieving database information to display in charts
  • Running SQL queries through JDBC
  • Configuring and updating database properties
  • Configuring the database for extended monitoring

Exception

When MC uses Agents to perform AdminTools tasks, MC does not use JDBC to connect to the database.

Vertica Software Supports TLS

Vertica databases and Vertica MC support TLS up to version 1.2. This topic and its subtopics describe configuring TLS in MC for JDBC connections to a Vertica database.

Vertica Database Security Dictates How MC Connects

The TLS/SSL security you configure for a database in MC must be consistent with the security configured on the database itself.

Whether the Vertica database has TLS/SSL configured in server mode or mutual mode, you should configure TLS/SSL for that database in MC to match.

To find out how a Vertica database is configured, see Determining the TLS/SSL Mode of a Vertica Database.

You can configure TLS/SSL in either server mode or mutual mode in MC.

The rest of this topic and related topics use the term TLS, TLS/SSL, and SSL interchangeably.

TLS Server Mode

When the MC client connects to a Vertica database configured in server mode:

  • The client requests and verifies the server's credentials.
  • The client does not need to present a client certificate and private key file to the server.
  • The MC administrator must configure the CA certificate that can verify server's certificate on MC when MC connects to the database over JDBC.

TLS Mutual Mode

When the MC client connects to a Vertica database configured in mutual mode:

  • The MC client requests and verifies the database server's credentials.
  • The server also requests and verifies the MC client's credentials.
  • Each MC user is a separate client, and must present a valid client certificate file and private key file pair (keypair), namely a certificate signed by a CA recognized by the Vertica database server as valid.
  • The MC administrator must configure:
    • The CA certificate to verify the Vertica database server certificate.
    • A client certificate and private key file (keypair) for each MC user. The keypair can be unique for each user, or shared by multiple users, depending on how client authentication is configured on the Vertica database. See Implementing Client Authentication.
  • Each MC user must be configured to map correctly to a user who is configured on the Vertica database server.

For more information on how Vertica supports TLS/SSL security, see TLS Protocol.

MC Administrator Configures MC Security

Only MC users having Admin, Super, or IT privileges on a database are able to configure TLS certificates and keys on MC for database connections. This topic uses "MC administrator" to refer to these roles. For more information about MC user roles and privileges, see About MC Users.

As the MC administrator, when you first configure security in MC for a Vertica database that requires mutual mode, you configure these certificates for the Vertica database:

  • The server certificate and public key of the database.
  • Your own client certificate and private key, as the first configured MC user mapped to a Vertica database user.

Configuring TLS/SSL on MC

MC provides the Certificates wizard for configuring TLS certificates for all JDBC connections to the database, to ensure those connections are secure.

In MC, there are three scenarios in which you need to configure TLS security for a Vertica database:

To Connect Successfully,MC and Database Security Must Match

MC Security Vertica Database Security Does the connection succeed?
None None Connection succeeds, and it is open and therefore unsecured.
TLS server mode TLS server mode Connection succeeds provided MC can verify the server's certificate using the CA certificate configured on MC.
TLS mutual mode TLS mutual mode

Connection succeeds provided:

  • MC can verify the server's certificate using the CA certificate configured on MC.
  • The server can verify the client certificate and private key that MC presents as belonging to a mapped user on the Vertica database.
None TLS server mode

MC attempts to establish an open connection. The connection fails if the Vertica database requires TLS for client connections. For more information, see:

None TLS mutual mode

MC attempts to establish an open connection. The connection fails if the Vertica database requires TLS for client connections. The connection fails because MC does not present what the database requires: a valid client certificate and private key that the database can verify as belonging to a mapped database user.

TLS server mode None MC attempts to connect to the database securely, however the connection fails as the database is not configured with TLS certificates.
TLS mutual mode None MC attempts to connect to the database securely, however the connection fails as the database is not configured with TLS certificates.

In This Section