Using TLS Server Authentication with Vertica: Validating Your TLS Key and Certificate

Updated April 2021

Overview

To enable TLS server authentication with Vertica and a SQL client, you need to obtain two files:

  • server.key (private key)

  • server.crt (server certificate)

Your IT department might provide you with these files. Or, you can create a self-signed certificate on your own. In either case, it is important to validate your certificate before adding it to Vertica so you can uncover and fix any potential issues.

Note Using a commercially-signed key pair is more secure than using a self-signed certificate

Create a Self-signed Certificate

If you are preparing the private key and certificate yourself, follow these steps to create a self-signed certificate. Skip these steps if you are receiving a certificate from your IT department.

Vertica Versions 10.0.1 or Later

In versions 10.0.1 or later, Vertica provides In-Database Cryptographic Key and Certificate Management, which allows database administrators to manage keys and certificates in Vertica.

To create a self-signed key:

  1. Generate the server key (private key). The following example generates a 2048bit RSA private key.

    => CREATE KEY server_key TYPE 'RSA' LENGTH 2048;

    You can view the generated private key in the cryptographic_keys table.

    => SELECT name, type, length, key FROM cryptographic_keys WHERE name = 'server_key';
        name    | type | length |               key
    ------------+------+--------+---------------------------------
     server_key | RSA  |   2048 | -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAtTQfGE8yXzz9vkz399oovOwOm2vq1iZlkbclJ7+/.,	xqdv0hCkU
    .....
    ip2TYY4qjRg7QE6Zzzv3eGauAIG0SxT19rfvUOnWlQ5/N/UceXC7
    -----END RSA PRIVATE KEY-----
  2. Create a self-signed certificate authority (CA) certificate.

    => CREATE CA CERTIFICATE ca_cert
    -> SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica Root CA'
    -> VALID FOR 365
    -> EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert'
    -> KEY server_key;

    You can also view the generated certificate in the certificates table.

    => SELECT name, expiration_date, subject, serial, certificate_text FROM certificates WHERE name = 'ca_cert';
    -[ RECORD 1 ]----+-------------------------------------------------------------------------------------
    name             | ca_cert
    expiration_date  | 2022-03-12 08:18:32+09
    subject          | C = country_code, ST = state_or_province, L = locality, O = organization, OU = org_unit, CN = Vertica Root CA
    serial           | 02:BB:83:5D:4A:90:02:E1:4C:A1:9E:C3:07:D3:55:EB:F2:C3:FF:69
    certificate_text | -----BEGIN CERTIFICATE-----
    MIIEFzCCAv+gAwIBAgIUAruDXUqQAuFMoZ7DB9NV6/LD/2kwDQYJKoZIhvcNAQEL
    .....
    UW6DAcSHlDpT4+5b6L/HznN/Y/SNxUiftWXS1cUaRKJmtMIkoGPo4bGVDQ==
    -----END CERTIFICATE-----
  3. Generate and sign the server certificate with the self-signed CA certificate.

    => CREATE CERTIFICATE server_crt
    -> SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=common_name/emailAddress=email'
    -> SIGNED BY ca_cert
    -> EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsCertType' = 'server',
    ->            'extendedKeyUsage' = 'serverAuth',
    ->            'subjectAltName' = 'DNS.1:alt_hostname,IP:IP_address'
    -> KEY server_key;
    => SELECT name, expiration_date, subject, serial, certificate_text FROM certificates WHERE name = 'server_crt';
    -[ RECORD 1 ]-----+---------------------------------------------------------------------------------------------------------------------
    name              | server_crt
    expiration_date   | 2022-03-22 08:36:17+09
    subject           | C = country_code, ST = state_or_province, L = locality, O = organization, OU = org_unit,\ 
    CN = verticadb, emailAddress = verticadb@vertica.com
    serial            | 70:9B:BA:83:EE:8E:7F:DA:A3:F4:6C:E8:18:06:66:25:98:98:AB:17
    certificate_text  | -----BEGIN CERTIFICATE-----
    MIIENDCCAxygAwIBAgIUcJu6g+6Of9qj9GzoGAZmJZiYqxcwDQYJKoZIhvcNAQEL
    .....
    BtLYa+Dv8Fm2Eg68x+6iYT9usSVSWTQB
    -----END CERTIFICATE-----

Vertica Versions 10.0 and Earlier

In Vertica versions 10.0 and earlier, you need to use the OpenSSL command to create and manage your keys and certificates. You can follow this step in 10.0.1 or later if you don't want to use In-Database Cryptographic Key and Certificate Management.

To create a self-signed key:

  1. Generate the server key (private key). The following example generates a 2048bit RSA private key.

    $ openssl genrsa -out server.key 2048
  2. Generate a certificate signing request.

    $ openssl req -new -nodes -key ./server.key -out ./server.csr
     
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]: country_code
    State or Province Name (full name) []: state_or_province
    Locality Name (eg, city) [Default City]: locality
    Organization Name (eg, company) [Default Company Ltd]: organization
    Organizational Unit Name (eg, section) []: org_unit
    Common Name (eg, your name or your server's hostname) []: common_name
    Email Address []: email
     
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []: (blank)
    An optional company name []: (optional)
  3. Create a self-signing certificate.

    $ openssl x509 -req -days 365 -in ./server.csr -signkey ./server.key -out ./server.crt
    Signature ok
    subject=/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=common_name/emailAddress=email
    Getting Private key

Validate Your Private Key and Certificate

If you have created a private key or certificate using In-Database Cryptographic Key and Certificate Management, you will need to export it to a file. You don't need to export a key or certificate that has been provided by another department.

Use the following operation to export your private key or certificate:

$ vsql -At -c "SELECT key FROM cryptographic_keys WHERE name = 'server_key';" -o server.key
$ vsql -At -c "SELECT certificate_text FROM certificates WHERE name = 'server_crt';" -o server.crt
$ vsql -At -c "SELECT certificate_text FROM certificates WHERE name = 'ca_cert';" -o ca.crt

Once your private key or certificate has been exported, you need to validate it using the OpenSSL command. Install the OpenSSL package on your server, or use the following steps to validate it on a server where the OpenSSL package has already been installed.

  1. Make sure the certificate and key match, as shown. The md5 numbers must match.

    $ openssl x509 -noout -modulus -in server.crt | openssl md5
    (stdin)= dc8f02021b33edd7001dff2ca6176b18
     
    $ openssl rsa -noout -modulus -in server.key | openssl md5
    (stdin)= dc8f02021b33edd7001dff2ca6176b18
  2. Make sure the certificate is not expired.

    $ openssl x509 -noout -text -in server.crt | grep -e "Before\|After"
                Not Before: Mar 15 04:21:42 2021 GMT
                Not After : Mar 15 04:21:42 2022 GMT
  3. Make sure that the certificate is valid.

    $ openssl verify -verbose -CAfile ca.crt server.crt
    server.crt: OK
  4. Check that the certificate is allowed on the SSL server.

    $ openssl x509 -noout -purpose -in server.crt | grep "SSL server" | grep -v CA
    SSL server : Yes
  5. Check that the root certificate authority (CA) is an SSL Server CA certificate.

    $ openssl x509 -noout -purpose -in ca.crt | grep "SSL server CA"
    SSL server CA : Yes
  6. Ensure that the keys are owned by the dbadmin and that only the dbadmin can read the keys. If you are following these steps on a non-Vertica node, replace dbadmin with your username. This is required by the ssh-keygen command in the next step.

    $ chown dbadmin:verticadba server.key server.crt
    $ chmod 600 server.key server.crt
  7. Make sure that the private key does not require a password.

    $ ssh-keygen -y -f server.key
    ssh-rsa .....

Important If you are prompted to input a password, do not proceed. Fix your server.key using the following command:

$ mv server.key bad.server.key
$ openssl rsa -in ~/bad.server.key -out ./server.key

Configure Vertica to Enable TLS Server Encryption

To enable TLS server encryption:

  1. Configure the database parameters. Set the server certificate and the private key using either admintools or vsql.

    1. Using admintools:

      $ admintools -t set_ssl_params -d database -k ./server.key -c ./server.crt
      SSL configuration parameters set successfully

      Check that the parameters were set correctly.

      $ vsql -x -c "SELECT parameter_name, current_value, default_value FROM configuration_parameters WHERE parameter_name \
      IN ('SSLCertificate', 'SSLPrivateKey');"
      -[ RECORD 1 ]--+-------------------------------------------------------------------
      parameter_name | SSLCertificate
      current_value  | -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----
      default_value  |
      -[ RECORD 2 ]--+-------------------------------------------------------------------
      parameter_name | SSLPrivateKey
      current_value  | -----BEGIN RSA PRIVATE KEY-----.....-----END RSA PRIVATE KEY-----
      default_value  |
    2. Using vsql:

      => ALTER DATABASE DEFAULT SET SSLPrivateKey = '<key column value in cryptographic_keys table for server_key \
      OR the content of server.key>';
      => ALTER DATABASE DEFAULT SET SSLCertificate = '<certificate_text column value in certificates table for server_crt \
      OR the content of server.crt>';

      Note Ignore the following warning message when setting SSLPrivateKey configuration parameter:

      WARNING 9173: TLS cert is empty
      WARNING 9144: Could not create an SSL_CTX given the current values of SSLCertificate, SSLPrivateKey, and SSLCA

      Check that the parameters were set correctly.

      $ vsql -x -c "SELECT parameter_name, current_value, default_value FROM configuration_parameters \
      WHERE parameter_name IN ('SSLCertificate', 'SSLPrivateKey');"
      -[ RECORD 1 ]--+-------------------------------------------------------------------
      parameter_name | SSLCertificate
      current_value  | -----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----
      default_value  |
      -[ RECORD 2 ]--+-------------------------------------------------------------------
      parameter_name | SSLPrivateKey
      current_value  | -----BEGIN RSA PRIVATE KEY-----.....-----END RSA PRIVATE KEY-----
      default_value  |
  2. Enable the use of TLS on connections to the database.

    => ALTER DATABASE DEFAULT SET EnableSSL = 1;
  3. Verify TLS connection from vsql.

    $ vsql
    Welcome to vsql, the Vertica Analytic Database interactive terminal.
     
    Type:  \h or \? for help with vsql commands
           \g or terminate with semicolon to execute query
           \q to quit
     
    SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2)
     
    dbadmin=>

Additional Resources

For more information about secure communications and TLS protocol on Vertica, see the Vertica documentation.