SSL Overview

Before you implement SSL security, including mutual mode, obtain the appropriate certificate signed by a certificate authority (CA) and the corresponding private key files. Copy the certificate file to the database catalog directory. These files must use the Privacy-Enhanced Mail (PEM) format. PEM is the standard file format for certificates and can be included in ASCII or rich text documents. For reference information on SSL, use the following links:

Use the following files for SSL authentication:

If you make changes to any of these files you must restart the server.

You can also implement SSL with LDAP authentication. For more information see Using LDAP Over SSL/TLS.

Using wildcards

You can enter wildcard characters as part of the server names in root.crt. For example, server.crt contains the server names eng001.corptech.com, eng002.corptech.com, and eng003.corptech.com. You can enter *.corptech.com in root.crt and it locates the required server.

The wildcard must be the first character of the hostname followed by a period, for example:

*.hostname.com

Set Up SSL Server Authentication and SSL Encryption

Follow these steps to set up server SSL authentication:

Important: If you do not perform these steps, database operation may be compromised. If the client cannot authenticate the server, the database does not start.

  1. Enable SSL authentication in one of the following ways:

    • Set EnableSSL=1 in vertica.conf

    • Enter ALTER DATABASE mydb SET EnableSSL = 1; in vsql.
  2. Copy the server certificate file (server.crt) and private key (server.key) to one of your server hosts in the cluster, as follows:

  3. Distribute these files to all server hosts using the instruction in Distributing Certificates and Keys.

    The public key contained in the certificate and the corresponding private key allow the SSL connection to encrypt the data and protect data integrity.
  4. SSL Server mode requires that the client verify the server's certificate. The client must be able to access the certificate authority file (root.crt), and the server must be set up with the server certificate and private key. In addition, SSL Mutual mode requires that the server verify the client's certificate. The server must be set up with the CA file, and the client must have the client certificate and its private key.

    For vsql:

    If the VSQL_HOME environment variable is not set, copy the root.crt file to the .vsql subdir of the login user's home directory (for example, ~/.vsql/root.crt).

    If the VSQL_HOME environment variable is set, copy the root.crt file to the .vsql subdir of the target directory (for example, $vsql_home/.vsql/root.crt).

    The root.crt file contains the Certificate Authority that issued the server certificate.

Set SSL Server for Mutual Mode Authentication

Use SSL Mutual Mode to have both server and client mutually authenticate themselves with SSL keys. With SSL Mutual Mode the server requests a certificate from the client and the client requests a certificate from the server. Set up SSL Mutual Mode as follows:

  1. Enable SSL authentication in one of the following ways:

    • Set EnableSSL=1 in vertica.conf

    • Enter ALTER DATABASE mydb SET EnableSSL = 1; in vsql.
  2. Copy the root.crt file to one server host in the cluster. This file is distributed to all server hosts when you distribute certificates and keys. See Distributing Certificates and Keys.

    The root.crt file has the same name on the client and server, though the file contents can differ. The contents are identical only if the client and server certificates were issued by the same root certificate authority (CA).

  3. Copy the client certificate file (client.crt) and private key (client.key) to each client. For vsql:

    • If the VSQL_HOME environment variable is set, copy the two files to the .vsql subdirectory of the target directory set in the environment variable (e.g., $vsql_home/.vsql/client.crt).
    • If the VSQL_HOME environment variable is not set, copy the two files to the .vsql subdirectory of the login user's home directory (e.g., ~/.vsql/client.crt).

    If you are using either ODBC or JDBC, you can place the files anywhere on your system. Then, provide the location in the connection string (ODBC/JDBC) or ODBCINI (ODBC only). See Configuring SSL for ODBC Clients and Configuring SSL for JDBC Clients.

    Important: If you're using ODBC, the private key file (client.key) must have read and write permissions only for the dbadmin user. For example:

    chmod 600 client.key

    Do not provide any additional permissions or extend them to any other users.
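The following pre-flight script, added here as an example and not part of Vertica's own tooling, checks the vsql client layout described above (VSQL_HOME resolution, PEM-format client.crt and client.key, key mode 600) and also applies the wildcard rule from the Using wildcards section. It assumes GNU or BSD stat and grep are available, and it assumes the usual TLS convention that a wildcard covers exactly one leading hostname label.

```shell
#!/bin/sh
# Added pre-flight checks for the vsql client files described on this page
# (example script, not Vertica's own tooling). Assumes GNU or BSD stat and grep.

# Directory vsql reads certificates from: $VSQL_HOME/.vsql if set, else ~/.vsql.
vsql_cert_dir() {
  if [ -n "${VSQL_HOME:-}" ]; then printf '%s/.vsql\n' "$VSQL_HOME"
  else printf '%s/.vsql\n' "$HOME"; fi
}

# 0 if the file carries PEM BEGIN/END markers (the format this page requires), else 1.
is_pem() {
  grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# 0 if the file mode is exactly 600 (owner read/write only), as required for client.key.
has_mode_600() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  [ "$mode" = "600" ]
}

# Wildcard rule from the page: "*." followed by the domain. Assumption (usual TLS rule):
# the wildcard covers one label, so *.corptech.com matches eng001.corptech.com but
# neither corptech.com nor a.b.corptech.com.
wildcard_matches() {
  pattern=$1; host=$2
  case "$pattern" in \*.*) ;; *) return 1 ;; esac
  suffix=${pattern#\*}            # e.g. ".corptech.com"
  label=${host%"$suffix"}         # unchanged when host does not end with suffix
  [ "$label" != "$host" ] || return 1
  [ -n "$label" ] || return 1
  case "$label" in *.*) return 1 ;; esac
  return 0
}

# 0 when <dir> holds PEM client.crt and client.key with the key at mode 600; reports each problem.
check_client_files() {
  dir=$1; rc=0
  for f in client.crt client.key; do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; continue; }
    is_pem "$dir/$f" || { echo "not PEM: $dir/$f"; rc=1; }
  done
  if [ -f "$dir/client.key" ] && ! has_mode_600 "$dir/client.key"; then
    echo "client.key must be mode 600 (chmod 600 client.key)"; rc=1
  fi
  return $rc
}

# Usage: sh check_vsql_ssl.sh [dir]   (defaults to the directory vsql would use)
if [ "$#" -gt 0 ]; then check_client_files "$1"; fi
```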