Control Channel Spread TLS

The control channel allows nodes to exchange plan information with one another, and to distribute calls among nodes. Enabling spread security secures this communication. See Internode TLS for more information.

Internode TLS uses the following channels. Both must be enabled, and in the following order, before setting other parameters:

  1. Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
  2. Data Channel TLS to exchange table data. It is implemented using TCP.

Enabling EncryptSpreadComm

EncryptSpreadComm can be set with one of two values:

  • vertica. Vertica generates the spread encryption key for the cluster when the database starts up.
  • aws-kms|<key_name>. Vertica fetches the user-specified key from the AWS Key Management Service when the database starts up, rather than generating one itself.

Setting the EncryptSpreadComm parameter is a prerequisite for enabling all other TLS-related parameters.

  1. Set the EncryptSpreadComm parameter with ALTER DATABASE:

     => ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';

  2. Restart the database.
  3. Verify your settings with SECURITY_CONFIG_CHECK:

     => SELECT SECURITY_CONFIG_CHECK('NETWORK');

Privileges

Superuser

Restrictions

After setting this parameter, you must restart your database.

Example

This enables the EncryptSpreadComm parameter and tells Vertica to generate a spread encryption key the next time the database starts up.

=> ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';
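The same procedure using the AWS KMS form of the parameter, followed by the checks you would run before and after the restart. This is an added example, not from the Vertica documentation; the key name is a placeholder, and the CONFIGURATION_PARAMETERS column names (parameter_name, current_value) are assumed from the Vertica system tables.

```sql
-- Fetch the spread encryption key from AWS KMS at startup instead of
-- letting Vertica generate one. 'my-vertica-spread-key' is a placeholder
-- for the name of your KMS key.
ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'aws-kms|my-vertica-spread-key';

-- Before restarting, confirm the value was recorded at the database level
-- (assumed: CONFIGURATION_PARAMETERS exposes parameter_name and current_value).
SELECT parameter_name, current_value
  FROM CONFIGURATION_PARAMETERS
 WHERE parameter_name = 'EncryptSpreadComm';

-- Restart the database, then confirm the network security check reports
-- the spread channel as encrypted before enabling Data Channel TLS.
SELECT SECURITY_CONFIG_CHECK('NETWORK');
```

The parameter takes effect only after the restart, so a SECURITY_CONFIG_CHECK run before restarting still reflects the old setting.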

For more information on this and other security parameters, see Security Parameters.