Configuring SSL

Configure SSL for each server in the cluster.

  1. Verify that you have performed at least the minimum steps required in SSL Overview for server authentication and encryption and, optionally, for mutual authentication.
  2. Verify that you have performed the steps in Distributing Certificates and Keys.

    Important: Before you set the security parameters SSLCertificate and SSLPrivateKey, you must first set the EnableSSL parameter. Admintools sets these parameters for you when you perform the procedure steps listed in Distributing Certificates and Keys. Alternatively, you can use vsql to set the parameters with the ALTER DATABASE statement. For more information on setting configuration parameters, see ALTER DATABASE.

    These parameters are also automatically set during upgrade to 7.1 if you set EnableSSL=1 in the previous version.

  3. Set the EnableSSL parameter to 1. By default, EnableSSL is set to 0 (disabled).

    => ALTER DATABASE mydb SET EnableSSL = 1;
  4. Restart the database.
  5. If you are using either ODBC or JDBC, configure SSL for the appropriate client.

    vsql automatically tries to connect using SSL. If that connection fails and the server is running in SSL Server Mode, vsql silently makes a second attempt over clear text, so a successful vsql connection does not by itself show that the session is encrypted. If the server is running in SSL Mutual Mode, the connection fails and vsql does not retry over clear text.

    Configure JDBC for SSL Mutual Mode

    In addition to the procedure above, you need to perform the following to configure SSL in Mutual Mode:

    1. Edit openssl_req_server.conf as follows:
      [req]
      prompt = no
      distinguished_name = CStore4Ever
      req_extensions = v3_req

      [CStore4Ever]
      C = US
      ST = Massachusetts
      O = Corp Server
      CN = engXXX
      emailAddress = foo@bar.com

      [v3_req]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = engXXX.corp.com
      DNS.2 = engXXX
      DNS.3 = *.corp.com
      IP = 10.20.40.XX
    2. Create the server private key (server.key) and the CA-signed server certificate (server.crt). State the key size explicitly rather than relying on the openssl default, and sign the certificate with SHA-256 rather than SHA-1, since many current clients reject SHA-1 certificate signatures:
      $ openssl genrsa -out server.key 2048
      $ openssl req -config openssl_req_server.conf -new -key server.key -out server_reqout.txt
      $ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt \
        -CAkey servercakey.pem -extensions v3_req -extfile openssl_req_server.conf -out server.crt

    Note: If you are using SSL mutual mode with JDBC, copy the root.crt file to the JDBC client and import it into the client's truststore, which is what the JDBC driver validates the server certificate against. For more information, see Generating SSL Certificates and Keys.
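The issue-and-verify flow above, as an added shell example that is not part of the Vertica documentation or its tooling. It builds a throwaway CA in place of the serverca.crt and servercakey.pem that Distributing Certificates and Keys produces, fills the engXXX, corp.com and 10.20.40.XX placeholders with assumed values (engXXX.corp.com, 10.20.40.10), and then checks the issued server.crt the way a client will: chain validation against the CA, hostname match against the subjectAltName, private/public key correspondence, CA:FALSE on the end-entity cert, and a SHA-256 rather than SHA-1 signature. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not Vertica's code. Issues a server certificate from the
# openssl_req_server.conf layout above and verifies it before installation.
# Hostnames, the 10.20.40.10 address and the CA subject are assumed values.

# Write the request config with the assumed placeholder values filled in.
write_req_conf() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = CStore4Ever
req_extensions = v3_req

[CStore4Ever]
C = US
ST = Massachusetts
O = Corp Server
CN = engXXX
emailAddress = foo@bar.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = engXXX.corp.com
DNS.2 = engXXX
DNS.3 = *.corp.com
IP.1 = 10.20.40.10
EOF
}

# Create a throwaway CA (assumed stand-in for serverca.crt/servercakey.pem)
# and the server key, CSR and CA-signed certificate in directory $1.
issue_server_cert() {
    dir=$1
    write_req_conf "$dir/openssl_req_server.conf" || return 1
    openssl genrsa -out "$dir/servercakey.pem" 2048 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/servercakey.pem" -sha256 -days 3650 \
        -subj "/C=US/O=Corp Server/CN=Corp Server CA" \
        -out "$dir/serverca.crt" || return 1
    # Explicit 2048-bit key and SHA-256 signature, as in the corrected step 2.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -config "$dir/openssl_req_server.conf" -new \
        -key "$dir/server.key" -out "$dir/server_reqout.txt" || return 1
    openssl x509 -req -in "$dir/server_reqout.txt" -days 3650 -sha256 \
        -CAcreateserial -CA "$dir/serverca.crt" -CAkey "$dir/servercakey.pem" \
        -extensions v3_req -extfile "$dir/openssl_req_server.conf" \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Client-side checks on the issued certificate in directory $1.
# Returns 0 only if every check passes.
check_server_cert() {
    dir=$1
    # Chain validates against the CA and the cert matches the name clients use.
    openssl verify -CAfile "$dir/serverca.crt" -verify_hostname engXXX.corp.com \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    # The public key in the cert must belong to the private key we will install.
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text) || return 1
    echo "$text" | grep -q 'DNS:engXXX.corp.com' || return 1
    echo "$text" | grep -q 'IP Address:10.20.40.10' || return 1
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    # A SHA-1 signature anywhere in the cert is a failure.
    if echo "$text" | grep -qi 'sha1'; then return 1; fi
    return 0
}

# Run both steps in a scratch directory and report the verification result.
run_demo() {
    dir=$(mktemp -d) || return 1
    issue_server_cert "$dir" && check_server_cert "$dir"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `run_demo && echo "server.crt verified"` after sourcing the script. In a real deployment, replace the throwaway CA with the cluster's serverca.crt and servercakey.pem and point -verify_hostname at the name clients actually put in their connection strings; a cert that fails that check will be refused by JDBC even though the server starts without complaint.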