Copying Certificates and Keys to Configuration Files

Before using TLS, all hosts in the cluster must copy the contents of their certificates and keys to parameters in vertica.conf. These parameters determine the connection mode, which then determines how hosts and clients verify each other before opening a secure connection.

Vertica offers two connection modes for TLS:

  • In Server Mode, only the client must verify the host's certificate. Hosts must have server.crt and server.key.
  • In Mutual Mode, the client and host must each verify the other’s certificates. Hosts must have server.crt, server.key, and root.crt.

The database does not need to be running when you copy the contents of the certificates and key files to other hosts.

  1. Enable TLS.
  2. Generate TLS Certificates and Keys.
  3. Log on to a host that contains the certificates and keys you want to copy.
  4. To clear any of these parameters, run:

    ALTER DATABASE dbname CLEAR parameter

  5. Run the following commands for your desired configuration. These parameters only take effect for new connections; existing sessions keep their current settings.
    • To use Server Mode, set the SSLCertificate and SSLPrivateKey parameters:

      => ALTER DATABASE DEFAULT SET SSLCertificate = '<content of server.crt>';
      => ALTER DATABASE DEFAULT SET SSLPrivateKey = '<content of server.key>';

    • To use Mutual Mode, in addition to setting the above parameters for Server Mode, set the SSLCA parameter:

      => ALTER DATABASE DEFAULT SET SSLCA = '<content of root.crt>';

      To trust more than one CA, concatenate the CA certificates in the SSLCA value:

      => ALTER DATABASE DEFAULT SET SSLCA =
      '-----BEGIN CERTIFICATE-----first CA-----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----second CA-----END CERTIFICATE-----';
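As an added example (not code from the Vertica documentation), the following script generates the step 5 statements directly from the PEM files, so that certificate and key text is never pasted by hand and a non-PEM or truncated file is rejected before it reaches the database. The function names and the placeholder PEM bodies are constructed for this example; only the parameter names SSLCertificate, SSLPrivateKey and SSLCA come from the page.

```shell
# Added example, not part of the Vertica documentation: build the ALTER DATABASE
# statements from PEM files. Function names and sample PEM bodies are constructed;
# the parameter names SSLCertificate, SSLPrivateKey and SSLCA are the page's own.
set -eu

# Reject a file unless it looks like PEM: at least one BEGIN line, and as many
# END lines as BEGIN lines (catches empty, truncated or wrong-format files).
check_pem() {
  begins=$(grep -c '^-----BEGIN ' "$1" 2>/dev/null || true)
  ends=$(grep -c '^-----END ' "$1" 2>/dev/null || true)
  [ "${begins:-0}" -ge 1 ] && [ "${begins:-0}" -eq "${ends:-0}" ]
}

# Read text from stdin and emit it as a SQL string literal (single quotes doubled).
sql_literal() {
  printf "'%s'" "$(sed "s/'/''/g")"
}

# Server Mode: set SSLCertificate and SSLPrivateKey.
server_mode_sql() {
  check_pem "$1" || { echo "not a PEM file: $1" >&2; return 1; }
  check_pem "$2" || { echo "not a PEM file: $2" >&2; return 1; }
  printf 'ALTER DATABASE DEFAULT SET SSLCertificate = %s;\n' "$(sql_literal < "$1")"
  printf 'ALTER DATABASE DEFAULT SET SSLPrivateKey = %s;\n' "$(sql_literal < "$2")"
}

# Mutual Mode addition: every CA file given is concatenated into one SSLCA value,
# one PEM block after another, as in the multi-CA statement above.
mutual_mode_sql() {
  for f in "$@"; do
    check_pem "$f" || { echo "not a PEM file: $f" >&2; return 1; }
  done
  printf 'ALTER DATABASE DEFAULT SET SSLCA = %s;\n' "$(cat "$@" | sql_literal)"
}

# Constructed sample files with placeholder bodies (not real certificates or keys).
make_sample_pems() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...server...' '-----END CERTIFICATE-----' > "$dir/server.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...key...' '-----END PRIVATE KEY-----' > "$dir/server.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...ca1...' '-----END CERTIFICATE-----' > "$dir/ca1.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...ca2...' '-----END CERTIFICATE-----' > "$dir/ca2.crt"
  printf '%s\n' "$dir"
}

# Demo run: print the statements (pipe them into vsql to apply them).
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_pems)
  server_mode_sql "$d/server.crt" "$d/server.key"
  mutual_mode_sql "$d/ca1.crt" "$d/ca2.crt"
fi
```

Run it with `--demo` to see the generated statements for the sample files; with real files, point the functions at the host's server.crt, server.key and CA files and pipe the output into vsql.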