Configuring TLS Server and Mutual Modes

Before setting up TLS, check the status of your current configuration with SECURITY_CONFIG_CHECK.

=> SELECT SECURITY_CONFIG_CHECK('NETWORK');

TLS authentication uses the following files. If you change any of them, you must restart the server for the change to take effect:

  • root.crt - contains the Certificate Authority (CA) certificates that are trusted to sign the peer's certificate. On a client it identifies trusted server certificates; in Mutual mode the server keeps its own root.crt that identifies trusted client certificates.
  • server.crt - must reside in the server's catalog directory and contains the server certificate. The server sends this certificate to the client, which checks it against the CAs in its root.crt.
  • server.key - must reside in the server's catalog directory and is the private key that matches server.crt. Possession of it proves that the server is the certificate owner; it says nothing about whether that owner is trustworthy, which is what the CA signature checked against root.crt establishes. Keep this file readable only by the account that runs the database.

You can also implement TLS with LDAP authentication. For more information see Using LDAP Over SSL/TLS.

Using wildcards

A server certificate can carry a wildcard in its hostname instead of a single server name. For example, a certificate issued to *.corptech.com is accepted by clients connecting to eng001.corptech.com, eng002.corptech.com, or eng003.corptech.com, provided the client's root.crt contains the CA that signed it.

The wildcard must be the leftmost label of the hostname, followed by a period, for example:

*.hostname.com

A wildcard matches exactly one label: *.corptech.com does not match corptech.com itself, nor a deeper name such as host.eng.corptech.com.

Set Up TLS Server Mode Authentication

In TLS Server mode, clients verify the server's certificate. The client must be able to read its root.crt (the certificate authority file), and the SSLCertificate and SSLPrivateKey parameters must be set on the server.

In TLS Mutual mode, servers must also verify the client's certificate. The server must have a certificate authority file and the client must have a client certificate and a private key.

Follow these steps to set up TLS Server mode authentication:

Complete all of the steps; an incomplete setup leaves the database without the protection TLS is meant to provide. A client that cannot verify the server's certificate against its root.crt cannot establish a connection.

  1. Set the EnableSSL parameter to 1 to enable TLS authentication. By default, EnableSSL is set to 0 (disabled).

    => ALTER DATABASE database SET EnableSSL=1;
  2. Copy the server certificate file (server.crt) and its private key (server.key) to one of the server hosts in the cluster.

  3. Distribute these files to all server hosts using the instructions in Copying Certificates and Keys to Configuration Files. During the TLS handshake the server proves possession of the private key that matches the public key in server.crt; the handshake then derives session keys that encrypt the connection and protect its integrity.
  4. Copy the root.crt file, which contains the Certificate Authority that issued the server certificate, to each client:
     • If the VSQL_HOME environment variable is not set, copy it to the .vsql directory of the login user's home directory (for example, ~/.vsql/root.crt).
     • If the VSQL_HOME environment variable is set, copy it to the .vsql directory under that path (for example, $VSQL_HOME/.vsql/root.crt).
  5. Restart the server so that it loads the new certificate and key.

Set Up TLS Server for Mutual Mode Authentication

Use Mutual Mode to have the server and the client authenticate each other with TLS certificates. In TLS Mutual Mode the server presents its certificate to the client as in Server mode and additionally requests a certificate from the client, which the server verifies against its own root.crt. Set up TLS Mutual Mode as follows:

  1. Set the EnableSSL parameter to 1 to enable TLS authentication. By default, EnableSSL is set to 0 (disabled).

    => ALTER DATABASE database SET EnableSSL=1;
  2. Copy the server's root.crt file, which contains the Certificate Authority that issued the client certificates, to one server host in the cluster. This file is distributed to all server hosts when you distribute certificates and keys. See Copying Certificates and Keys to Configuration Files.
  3. The root.crt file has the same name on the client and on the server, but the contents can differ: the client's copy names the CA that issued the server certificate, and the server's copy names the CA that issued the client certificates. The two files are identical only if the same root certificate authority (CA) issued both the client and the server certificates.
  4. Copy the client certificate file (client.crt) and its private key (client.key) to each client. For vsql:

     • If the VSQL_HOME environment variable is set, copy the files to the .vsql directory under that path (for example, $VSQL_HOME/.vsql/client.crt).
     • If the VSQL_HOME environment variable is not set, copy the two files to the .vsql directory of the login user's home directory (for example, ~/.vsql/client.crt).

    If you are using either ODBC or JDBC, you can place the files anywhere on your system. Then, provide the location in the connection string (ODBC/JDBC) or ODBCINI (ODBC only). See Configuring SSL for JDBC Clients and Configuring SSL for ODBC Clients.

    Whichever client you use, only the user account that runs the client should have read and write permissions on the private key file (client.key). Do not grant any additional permissions or extend them to other users; anyone who can read client.key can impersonate that client to the server. To set these permissions, you can use this command:

    $ chmod 600 client.key
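The following script is an added example and is not part of the original page or of the database product's own tooling. It uses openssl to build a throwaway CA hierarchy and then runs the checks that the file descriptions, the wildcard section, and the Server mode and Mutual mode procedures above rely on: that server.crt chains to the client's root.crt, that a *.corptech.com certificate matches one label and only one, that server.key really belongs to server.crt, that the server's root.crt differs from the client's when different CAs issued the two certificates, and that a private key is readable by its owner alone. All hostnames, CA names and file names are assumptions for the example; the generated files are temporary and are not the ones a real deployment would use.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA hierarchy
# with openssl and run the checks the Server mode and Mutual mode setups above
# depend on. All hostnames and file names below are assumptions for the example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: writes $1.crt and $1.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Leaf certificate for name $2 signed by CA $1, written to $3.crt and $3.key.
# The name also goes into subjectAltName, which is what hostname checks use.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# Does certificate $2 chain to a CA in $1 (the root.crt of the verifying side)?
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does certificate $2 chain to $1 AND match hostname $3 (wildcard rules apply)?
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Does private key $2 belong to certificate $1? Compares the two public keys.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Is $1 readable and writable by its owner only (what chmod 600 gives)?
key_perms_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# --- Server mode: one CA signs a wildcard server certificate. ---------------
make_ca server-ca
issue_cert server-ca '*.corptech.com' server
cp server-ca.crt root.crt          # what the client keeps in ~/.vsql/root.crt
chmod 600 server.key

# --- Mutual mode: a different CA signs the client certificate, so the -------
# server's root.crt is not the same file as the client's root.crt.
make_ca client-ca
issue_cert client-ca client01.corptech.com client
cp client-ca.crt server-root.crt   # what the server keeps as its root.crt
chmod 600 client.key

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
report verify_chain root.crt server.crt
report verify_host  root.crt server.crt eng001.corptech.com
report verify_host  root.crt server.crt deep.eng001.corptech.com   # FAIL: one label only
report verify_host  root.crt server.crt corptech.com               # FAIL: no label
report key_matches_cert server.crt server.key
report key_perms_ok server.key
report verify_chain server-root.crt client.crt
report verify_chain root.crt client.crt                            # FAIL: wrong CA
report key_perms_ok client.key
```

The expected FAIL lines are the point: the wildcard certificate is rejected for a deeper name and for the bare domain, and the client certificate does not validate against the CA file that only trusts the server's issuer. Run verify_chain, key_matches_cert and key_perms_ok against your real root.crt, server.crt and server.key before restarting the database; a mismatched key or a world-readable key file is cheaper to find here than after the restart.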
