Configuring TLS

The procedures below describe configuring TLS directly on the Vertica database. To configure TLS on MC for MC connections, see Connecting Securely from MC to a Vertica Database.

Configure TLS for each server in the cluster.

  1. Verify that you have performed at least the minimum steps required in TLS Overview for server authentication and encryption and, optionally, for mutual authentication.
  2. Verify that you have performed the steps in Copying Certificates and Keys to Configuration Files.

  3. Set the EnableSSL parameter to 1. By default, EnableSSL is set to 0 (disabled).

    => ALTER DATABASE database SET EnableSSL = 1;
  4. If you are using either ODBC or JDBC, configure TLS for the appropriate client:

    vsql automatically tries to connect using TLS. If a connection fails on a server using Server Mode, vsql attempts to create an unencrypted follow-up connection. vsql will not attempt an unencrypted follow-up connection in Mutual Mode.

    Configure JDBC for TLS Mutual Mode

    In addition to the procedure above, you need to perform the following to configure TLS in Mutual Mode:

    1. Edit openssl_req_server.conf as follows:
      [req]
      prompt = no
      distinguished_name = CStore4Ever
      req_extensions = v3_req

      [CStore4Ever]
      C = US
      ST = Massachussetts
      O = Corp Server
      CN = engXXX
      emailAddress = foo@bar.com

      [v3_req]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = engXXX.corp.com
      DNS.2 = engXXX
      DNS.3 = *.corp.com
      IP = 10.20.40.XX
    2. Create the server private key (server.key) and the certificate signing request (server_reqout.txt):
      $ openssl genrsa -out server.key
      $ openssl req -config openssl_req_server.conf -new -key server.key -out server_reqout.txt
    3. Get your Certificate Signing Request (CSR) verified by your CA to receive a certificate. The exact steps depend on your CA. Check your CA's documentation for more information.

    If you are using mutual mode with JDBC, copy the root.crt file to a location on any one of the clients. After you copy the file to the client, root.crt is incorporated into the truststore. For more information, see Generating TLS Certificates and Keys.
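The following POSIX shell script is an added example, not code from the Vertica documentation: it carries the three Mutual Mode steps through (write the request config, generate server.key and the CSR) and adds the check worth doing before the CSR goes to the CA, namely that the request verifies and really carries the configured SANs, key usage and CA:FALSE constraint. The host name, the IP address (openssl needs a literal address, so 10.20.40.1 stands in for 10.20.40.XX) and WORKDIR are placeholder assumptions.

```shell
# Added example, not Vertica's own code: build server.key and the CSR from an
# openssl_req_server.conf laid out like the documented one, then inspect the CSR.
# Host name, IP address and WORKDIR are placeholders (assumptions).
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONF="$WORKDIR/openssl_req_server.conf"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server_reqout.txt"

# Same sections as the documented config; the IP entry must be a literal address.
write_conf() {
  cat > "$CONF" <<'EOF'
[req]
prompt = no
distinguished_name = CStore4Ever
req_extensions = v3_req
[CStore4Ever]
C = US
ST = Massachusetts
O = Corp Server
CN = engXXX
emailAddress = foo@bar.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = engXXX.corp.com
DNS.2 = engXXX
DNS.3 = *.corp.com
IP = 10.20.40.1
EOF
}

# Step 2 of the procedure: private key (server.key) and CSR (server_reqout.txt).
make_key_and_csr() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"   # only the database owner should be able to read the key
  openssl req -config "$CONF" -new -key "$KEY" -out "$CSR"
}

# Before sending the CSR to the CA: its self-signature verifies, and it carries
# the SANs, key usage and CA:FALSE constraint the config requested.
check_csr() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$CSR" -noout -text)
  echo "$text" | grep -q 'DNS:engXXX.corp.com' || return 1
  echo "$text" | grep -q 'IP Address:10.20.40.1' || return 1
  echo "$text" | grep -q 'Digital Signature' || return 1
  echo "$text" | grep -q 'CA:FALSE'
}
```

Run write_conf, then make_key_and_csr, then check_csr; a non-zero exit from check_csr means the CSR does not match the config and should not be submitted.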
