Configuring TLS for JDBC Clients
Configuring SSL Authentication for JDBC clients involves the following tasks:
- Set required properties
- Optionally run the SSL Debug Utility
- Configure TLS Mutual Mode (optional)
Set Required Properties
Set Properties When Location of the Keystore/Truststore Is Not the Default
If your keystore/truststore is not in the default location, set the following system properties so that the JRE can find it:
$ javax.net.ssl.keyStore
$ javax.net.ssl.trustStore
Set Properties When Keystore/Truststore Is Password Protected
If your keystore/truststore is password protected, set the following system properties so that the JRE has access to it:
$ javax.net.ssl.keyStorePassword
$ javax.net.ssl.trustStorePassword
Set the TLSmode Connection Property
You can set the TLSmode connection property to determine how certificates are handled. TLSmode is disabled by default.
TLSmode identifies the security level that Vertica applies to the JDBC connection. Vertica must be configured to handle TLS connections before you can establish an encrypted connection to it. See TLS Protocol for details. Valid values are:
- disable: JDBC connects using plain text and implements no security measures.
- require: JDBC connects using TLS without verifying the CA certificate.
- verify-ca: JDBC connects using TLS and confirms that the server certificate has been signed by the certificate authority. This setting is equivalent to the deprecated ssl=true property.
- verify-full: JDBC connects using TLS, confirms that the server certificate has been signed by the certificate authority, and verifies that the host name matches the name provided in the server certificate.
If this property and the SSL property are set, this property takes precedence.
For example, to configure JDBC to connect to the server with TLS without verifying the CA certificate, you can set the TLSmode property to 'require' with the method VerticaConnection.setProperty():
import java.util.Properties;
Properties props = new Properties();
// 'require' encrypts the connection but does not verify the server certificate
props.setProperty("TLSmode", "require");
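The following added example (not taken from the Vertica documentation) combines the truststore system properties and the TLSmode connection property described above, and refuses any mode that does not verify the server certificate. The host, database name, user, truststore path and environment variable names are assumed placeholders; it needs Java 11 or later and the Vertica JDBC driver on the classpath.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;

public class VerticaTlsConnect {
    // TLSmode values from the list above that validate the server certificate.
    private static final Set<String> VERIFYING_MODES = Set.of("verify-ca", "verify-full");

    static Properties tlsProperties(String user, String password, String tlsMode,
                                    Path trustStore, String trustStorePassword) {
        // Reject "disable" and "require": neither authenticates the server.
        if (!VERIFYING_MODES.contains(tlsMode)) {
            throw new IllegalArgumentException(
                    "TLSmode does not verify the server certificate: " + tlsMode);
        }
        if (!Files.isReadable(trustStore)) {
            throw new IllegalArgumentException("Truststore not readable: " + trustStore);
        }
        // Non-default, password-protected truststore: tell the JRE where it is.
        // The default JSSE context reads these once, so set them before the
        // JVM opens its first TLS connection.
        System.setProperty("javax.net.ssl.trustStore", trustStore.toString());
        System.setProperty("javax.net.ssl.trustStorePassword",
                Objects.requireNonNull(trustStorePassword, "truststore password missing"));

        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password",
                Objects.requireNonNull(password, "database password missing"));
        props.setProperty("TLSmode", tlsMode);
        return props;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed placeholders: host, database, user, truststore path, env var names.
        Properties props = tlsProperties("dbadmin", System.getenv("VERTICA_PASSWORD"),
                "verify-full", Path.of("/etc/vertica/client-truststore.jks"),
                System.getenv("TRUSTSTORE_PASSWORD"));
        String url = "jdbc:vertica://vertica.example.com:5433/exampledb";
        try (Connection conn = DriverManager.getConnection(url, props)) {
            System.out.println("TLS connection established: " + conn.isValid(5));
        }
    }
}
```

Reading the passwords from the environment keeps them out of source code and off the java command line, where -D values are visible in process listings.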
Run the SSL Debug Utility
After configuring TLS for JDBC, optionally add the following option to the java command line to enable the debug utility for TLS:
$ -Djavax.net.debug=ssl
You can use several debug specifiers (options) with the debug utility. The specifiers help narrow the scope of the debugging information that is returned. For example, you could specify one of the options that prints handshake messages or session activity.
For information on the debug utility and its options, see Debugging Utilities in the Oracle document, JSSE Reference Guide.
For information on interpreting debug information, refer to the Oracle document, Debugging SSL/TLS Connections.