Control Channel Spread TLS
The control channel allows nodes to exchange plan information with one another, and to distribute calls among nodes. Enabling spread security secures this communication. See Internode TLS for more information.
Internode TLS uses the following channels. Both must be enabled, and in the following order, before setting other parameters:
- Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
- Data Channel TLS to exchange table data. It is implemented using TCP.
Enabling EncryptSpreadComm
EncryptSpreadComm can be set with one of two values:
- vertica. Vertica generates the spread encryption key for the cluster when the database starts up.
- aws-kms|<key_name>. Vertica fetches the user-specified key from the AWS Key Management Service when the database starts up, rather than generating one itself.
Setting the EncryptSpreadComm parameter is a prerequisite for enabling all other TLS-related parameters.
- Set the EncryptSpreadComm parameter with ALTER DATABASE.
- Restart the database.
- Verify your settings with SECURITY_CONFIG_CHECK.
=> ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';
=> SELECT SECURITY_CONFIG_CHECK('NETWORK');
Privileges
Superuser
Restrictions
After setting this parameter, you must restart your database.
Example
This enables the EncryptSpreadComm parameter and tells Vertica to generate a spread encryption key the next time the database starts up.
=> ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';
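The following is an added example, not part of the original documentation: it shows the aws-kms form of the parameter with a placeholder key name, and how to confirm that the new value is staged before the restart and active after it. It assumes the SHOW DATABASE statement and the CONFIGURATION_PARAMETERS system table (with restart_value and change_requires_restart columns) are available in your Vertica version.

```sql
-- Added example (not from the original page). <YOUR_KMS_KEY_NAME> is a
-- placeholder for a key that already exists in AWS KMS.
ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'aws-kms|<YOUR_KMS_KEY_NAME>';

-- Before restarting: the database-level value should already be set.
SHOW DATABASE DEFAULT EncryptSpreadComm;

-- The parameter takes effect only after a restart; current_value stays at
-- the old setting until then, while restart_value shows the staged value.
SELECT parameter_name, current_value, restart_value, change_requires_restart
FROM configuration_parameters
WHERE parameter_name = 'EncryptSpreadComm';

-- After the restart (admintools or your usual procedure), re-run the network
-- security check; spread encryption should now report as enabled.
SELECT SECURITY_CONFIG_CHECK('NETWORK');
```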
For more information on this and other security parameters, see Security Parameters.