Configuring TLS for JDBC Clients

Configuring SSL Authentication for JDBC clients involves the following tasks:

  • Set required properties
  • Optionally run the SSL Debug Utility
  • Configure TLS Mutual Mode (optional)

Set Required Properties

Set Properties When the Keystore/Truststore or Its Location Is Not the Default

If your keystore/truststore is not the default, or is not in the default location, set the following system properties so that the JRE can find it:

javax.net.ssl.keyStore
javax.net.ssl.trustStore

Set Properties When Keystore/Truststore Is Password Protected

If your keystore/truststore is password protected, set the following system properties so that the JRE has access to it:

javax.net.ssl.keyStorePassword
javax.net.ssl.trustStorePassword

Set the TLSmode Connection Property

You can set the TLSmode connection property to determine how certificates are handled. TLSmode is disabled by default.

TLSmode identifies the security level that Vertica applies to the JDBC connection. Vertica must be configured to handle TLS connections before you can establish an encrypted connection to it. See TLS Protocol for details. Valid values are:

  • disable: JDBC connects using plain text and implements no security measures.
  • require: JDBC connects using TLS without verifying the CA certificate.
  • verify-ca: JDBC connects using TLS and confirms that the server certificate has been signed by the certificate authority. This setting is equivalent to the deprecated ssl=true property.
  • verify-full: JDBC connects using TLS, confirms that the server certificate has been signed by the certificate authority, and verifies that the host name matches the name provided in the server certificate.

If this property and the SSL property are set, this property takes precedence.

For example, to configure JDBC to connect to the server with TLS without verifying the CA certificate, you can set the TLSmode property to 'require' with the method VerticaConnection.setProperty():

import java.util.Properties;
// "require": connect using TLS without verifying the CA certificate
Properties props = new Properties();
props.setProperty("TLSmode", "require");
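
The precedence and default rules above can be checked before a connection is opened. The following is an added example, not code from the Vertica documentation or driver: an audit helper that resolves the effective TLSmode from a set of connection properties and flags configurations that skip certificate verification. The class and method names are hypothetical, the sample properties are constructed, and it assumes mode values are matched exactly as listed and that any ssl value other than true leaves TLS off.

```java
import java.util.Properties;

public class TlsModeAudit {
    // Security levels in ascending order, one per TLSmode value listed above.
    enum Level { PLAINTEXT, ENCRYPTED_UNVERIFIED, CA_VERIFIED, CA_AND_HOST_VERIFIED }

    // TLSmode takes precedence over the deprecated ssl property; ssl=true equals
    // verify-ca; neither set means disable. Assumption: other ssl values leave TLS off.
    static String effectiveMode(Properties props) {
        String mode = props.getProperty("TLSmode");
        if (mode != null) return mode.trim();
        return "true".equalsIgnoreCase(props.getProperty("ssl")) ? "verify-ca" : "disable";
    }

    // Assumption: values are matched exactly as spelled in the list above.
    static Level level(String mode) {
        switch (mode) {
            case "disable":     return Level.PLAINTEXT;
            case "require":     return Level.ENCRYPTED_UNVERIFIED;
            case "verify-ca":   return Level.CA_VERIFIED;
            case "verify-full": return Level.CA_AND_HOST_VERIFIED;
            default: throw new IllegalArgumentException("unknown TLSmode: " + mode);
        }
    }

    // True when the resolved mode reaches at least the required level.
    static boolean meets(Properties props, Level minimum) {
        return level(effectiveMode(props)).compareTo(minimum) >= 0;
    }

    static Properties sample(String... kv) {
        Properties p = new Properties();
        for (int i = 0; i < kv.length; i += 2) p.setProperty(kv[i], kv[i + 1]);
        return p;
    }

    public static void main(String[] args) {
        Properties[] samples = {                          // constructed samples
            sample(),                                     // nothing set
            sample("ssl", "true"),                        // deprecated property only
            sample("ssl", "true", "TLSmode", "require"),  // TLSmode overrides ssl=true
            sample("TLSmode", "verify-full"),
        };
        for (Properties p : samples) {
            String mode = effectiveMode(p);
            System.out.printf("%-30s -> %-11s %-22s %s%n", p, mode, level(mode),
                meets(p, Level.CA_VERIFIED) ? "ok" : "REJECT");
        }
    }
}
```

The third sample is the case to watch: a configuration that still carries ssl=true resolves to require, because TLSmode takes precedence.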

Run the SSL Debug Utility

After configuring TLS for JDBC, optionally enable the debug utility for TLS by passing the following option to the JVM when you start the client:

-Djavax.net.debug=ssl

You can use several debug specifiers (options) with the debug utility. The specifiers help narrow the scope of the debugging information that is returned. For example, you could specify one of the options that prints handshake messages or session activity.

For information on the debug utility and its options, see Debugging Utilities in the Oracle document, JSSE Reference Guide.

For information on interpreting debug information, refer to the Oracle document, Debugging SSL/TLS Connections.