SSL Overview
Before you implement SSL security, including mutual mode, obtain a certificate signed by a certificate authority (CA) and its private key file. Copy the certificate file to the database catalog directory. These files must use the Privacy-Enhanced Mail (PEM) format, the standard text encoding for certificates and keys: Base64 content between BEGIN and END marker lines, so the files are plain ASCII and can be inspected and copied as text. For reference information on SSL use the following links:
Use the following files for SSL authentication:
- root.crt - contains the top-level certificate authorities (CAs) that are trusted to sign server certificates (server.crt). The client uses it to check the certificate the server presents.
- server.crt - must reside in the server's data directory and contains the server certificate. The server sends this file to the client, which checks it against its own root.crt to identify the server.
- server.key - must reside in the server's data directory and is the private key for server.crt. It proves that the party presenting the certificate holds the matching key; it does not indicate that the certificate owner is trustworthy. Trust comes from the CA signature checked against root.crt.
If you make changes to any of these files you must restart the server.
You can also implement SSL with LDAP authentication. For more information see Using LDAP Over SSL/TLS.
Using wildcards
You can enter wildcard characters as part of the server names in root.crt. For example, if the server.crt files contain the server names eng001.corptech.com, eng002.corptech.com, and eng003.corptech.com, you can enter *.corptech.com in root.crt and it matches all of them.
The wildcard must be the first character of the name, followed by a period, for example:
*.hostname.com
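The matching rule as an added example (not the product's own code): a POSIX sh function that applies the wildcard rule above and rejects patterns that break it (a wildcard that is not the first character, or a wildcard not followed by a period). The page does not say how many name labels the wildcard covers; this example assumes the usual TLS convention that * stands for exactly one label, so *.corptech.com matches eng001.corptech.com but not corptech.com or a.b.corptech.com. Function names are the example's own.

```shell
#!/bin/sh
# Wildcard hostname matching for entries such as "*.corptech.com".
# Page rule: the wildcard must be the first character, followed by a period.
# Assumption (not stated on the page): "*" stands for exactly one DNS label.

# valid_wildcard PATTERN -> 0 if PATTERN is "*." followed by a plain suffix
valid_wildcard() {
    case "$1" in
        \*.*) ;;                       # must start with "*."
        *) return 1 ;;
    esac
    suffix="${1#\*.}"
    case "$suffix" in
        ''|*\**|.*|*.) return 1 ;;     # empty suffix, second "*", or stray dots
    esac
    return 0
}

# hostname_matches PATTERN HOST -> 0 if HOST is covered by PATTERN
# Comparison is case-insensitive, as DNS names are.
hostname_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \**)
            valid_wildcard "$pattern" || return 1
            suffix="${pattern#\*}"         # ".corptech.com"
            case "$host" in
                *"$suffix") ;;             # host must end with the suffix
                *) return 1 ;;
            esac
            label="${host%"$suffix"}"      # the part "*" stood for
            case "$label" in
                ''|*.*) return 1 ;;        # exactly one non-empty label
            esac
            return 0
            ;;
        *)
            # No leading wildcard: a "*" elsewhere is not a wildcard, so only
            # an exact (case-insensitive) match counts.
            [ "$pattern" = "$host" ]
            ;;
    esac
}
```

Call it as `hostname_matches '*.corptech.com' eng001.corptech.com`; the exit status is 0 on a match, 1 otherwise, so it composes with `if` and `&&` in a check script.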
Set Up SSL Server Authentication and SSL Encryption
Follow these steps to set up server SSL authentication:
Important: If you do not perform these steps, database operation may be compromised. If the client cannot authenticate the server, the database does not start.
- Enable SSL authentication in one of the following ways:
Set EnableSSL=1 in vertica.conf, or enter ALTER DATABASE mydb SET EnableSSL = 1; in vsql.
- Copy the server certificate file (server.crt) and private key (server.key) to one of your server hosts in the cluster.
- Distribute these files to all server hosts using the instructions in Distributing Certificates and Keys.
The public key contained in the certificate and the corresponding private key let the SSL handshake establish session keys that encrypt the connection and protect the data in transit.
- SSL Server mode requires that the client verify the server's certificate: the client must be able to access the certificate authority file (root.crt), and the server must be configured with the server certificate and private key.
- SSL Mutual mode additionally requires that the server verify the client's certificate: the server must be configured with a CA file, and the client must have the client certificate and its private key.
For vsql:
- If the VSQL_HOME environment variable is not set, copy the root.crt file to the .vsql subdirectory of the login user's home directory (for example, ~/.vsql/root.crt).
- If the VSQL_HOME environment variable is set, copy the root.crt file to the .vsql subdirectory of the directory it names (for example, $VSQL_HOME/.vsql/root.crt).
The root.crt file contains the certificate authority that issued the server certificate.
Set SSL Server for Mutual Mode Authentication
Use SSL Mutual Mode to have the server and client authenticate each other with SSL certificates. In SSL Mutual Mode the server presents its certificate to the client as in server mode and, in addition, requests a certificate from the client. Set up SSL Mutual Mode as follows:
- Enable SSL authentication in one of the following ways:
Set EnableSSL=1 in vertica.conf, or enter ALTER DATABASE mydb SET EnableSSL = 1; in vsql.
- Copy the root.crt file to one server host in the cluster. This file is distributed to all server hosts when you distribute certificates and keys. See Distributing Certificates and Keys. The root.crt file has the same name on the client and server, though the file contents can differ: the contents are identical only if the client and server certificates were issued by the same root certificate authority (CA).
- Copy the client certificate file (client.crt) and private key (client.key) to each client. For vsql:
If the VSQL_HOME environment variable is set, copy the two files to the .vsql subdirectory of the directory named by the variable (e.g., $VSQL_HOME/.vsql/client.crt). If the VSQL_HOME environment variable is not set, copy the two files to the .vsql subdirectory of the login user's home directory (e.g., ~/.vsql/client.crt).
If you are using either ODBC or JDBC, you can place the files anywhere on your system. Then, provide the location in the connection string (ODBC/JDBC) or ODBCINI (ODBC only). See Configuring SSL for ODBC Clients and Configuring SSL for JDBC Clients.
Important: If you're using ODBC, the private key file (client.key) must have read and write permissions only for the dbadmin user. For example:
chmod 600 client.key
Do not provide any additional permissions or extend them to any other users.
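The following script is an added example; it is not part of the original page or of the product. It checks the files produced by the server-authentication steps earlier on the page and by the mutual-mode steps just listed, before you restart the server: that root.crt, the certificates and the keys are PEM, that server.crt and client.crt each chain to root.crt, that each key matches its certificate, that client.key has the mode that chmod 600 gives, and where vsql will look for root.crt and client.crt given VSQL_HOME. It assumes the openssl command-line tool is installed. The throwaway CA and certificates it generates are constructed test material, not the CA-signed files you obtain for a real deployment, and the function names are the example's own.

```shell
#!/bin/sh
# Pre-restart checks for root.crt / server.crt / server.key and, for mutual
# mode, client.crt / client.key. Requires the openssl CLI (assumption).

# vsql_cert_dir -> where vsql looks for root.crt, client.crt and client.key,
# following the VSQL_HOME rule from the page.
vsql_cert_dir() {
    if [ -n "${VSQL_HOME:-}" ]; then
        printf '%s/.vsql\n' "$VSQL_HOME"
    else
        printf '%s/.vsql\n' "$HOME"
    fi
}

# is_pem FILE -> 0 if FILE carries PEM BEGIN/END markers (i.e. is not DER)
is_pem() {
    grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# key_perms_ok KEYFILE -> 0 if the mode is exactly 600 (owner read/write only)
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
    [ "$mode" = "600" ]
}

# check_cert_pair CAFILE CERT KEY -> 0 if
#   - all three files are PEM,
#   - CERT chains to CAFILE (what the peer's verification will do), and
#   - KEY's public key equals the one inside CERT (else the handshake fails).
check_cert_pair() {
    ca=$1; cert=$2; key=$3
    is_pem "$ca" && is_pem "$cert" && is_pem "$key" || return 1
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# make_test_pki DIR -> constructed throwaway CA plus server and client pairs.
# Test material only; a real deployment uses the CA-signed files you obtained.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
        -keyout "$dir/ca.key" -out "$dir/root.crt" >/dev/null 2>&1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" >/dev/null 2>&1
        chmod 600 "$dir/$name.key"        # the restriction the page requires
    done
}

# demo -> run every check against constructed material and report
demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    echo "vsql looks for root.crt and client.crt in: $(vsql_cert_dir)"
    check_cert_pair "$tmp/root.crt" "$tmp/server.crt" "$tmp/server.key" \
        && echo "server.crt chains to root.crt and matches server.key"
    check_cert_pair "$tmp/root.crt" "$tmp/client.crt" "$tmp/client.key" \
        && echo "client.crt chains to root.crt and matches client.key"
    key_perms_ok "$tmp/client.key" && echo "client.key is mode 600"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to exercise it against throwaway material, or source it and call `check_cert_pair ~/.vsql/root.crt /path/to/server.crt /path/to/server.key` on the real files. A failure of the chain check on the client side usually means the client's root.crt is not the CA that signed server.crt; a failure of the key comparison means the wrong server.key or client.key was copied.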