Configuring TLS for ODBC Clients
Configuring TLS for ODBC clients requires that you configure Vertica for client-server TLS and set the SSLMode connection property.
You can configure TLS for ODBC clients by setting the following DSN connection properties. For details on these parameters, see Data source name (DSN) connection properties:
- SSLMode: Determines whether TLS is required and how the client should behave if the TLS connection attempt fails.
- SSLCertFile (SSL CA file in Windows): The absolute path of the client's public certificate file.
- SSLKeyFile (SSL cert file in Windows): The absolute path to the client's private key file.
SSLModes: verify_ca and verify_full
You can use the SSLMode property values verify_ca and verify_full if you want the client to verify the server's information before establishing the connection. If any of these verifications fail, the connection fails:
- verify_ca: The client verifies that the server's certificate is from a trusted certificate authority (CA).
- verify_full: The client verifies both that the server's certificate is from a trusted CA and that the server's hostname matches the hostname on the certificate.
If verify_ca or verify_full is specified, the client requires the following to establish the connection:
- The root.crt, which is the certificate of a CA trusted by both the server and the client.
- The server must have:
  - server.crt, a certificate signed by the trusted CA.
  - server.key, the server's private key.
- For verify_full, each server node must meet one of the following requirements:
  - Its hostname matches the common name specified in server.crt.
  - Its hostname or IP address appears in the Subject Alternative Name (SAN) field of server.crt.
TLS behavior flowchart
The following diagram shows an example flowchart for a client connecting with TLS.
In this example:
- If SSLMode is set to none or allow, the client connects without authentication.
- If SSLMode is set to verify_ca or verify_full and the client does not have root.crt, the connection fails.
- At the SSL authentication node, if SSLMode is set to verify_full and the server hostname differs from the hostname specified by the client, authentication fails.
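A preflight script that covers both the certificate requirements in the previous section and the outcomes in the flowchart above. This is an added example, not Vertica's own code or tooling. It assumes a unixODBC-style odbc.ini on a Linux client; because the page does not state where the driver looks for root.crt, whether the client has it is passed in by the caller rather than guessed. The DSN entries, hostnames, paths and certificate fields are constructed for the example.

```python
"""Preflight checks for Vertica ODBC DSN TLS settings.

Added example, not Vertica's own code. It reads a unixODBC-style odbc.ini,
validates the SSLMode / SSLCertFile / SSLKeyFile properties named above, and
models the verify_full hostname rule (CN match, or hostname/IP in the SAN).
The odbc.ini content, certificate fields and paths below are constructed.
"""
from __future__ import annotations

import configparser
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Callable

# SSLMode values named on this page; only the verify_* modes check the server.
VERIFYING_MODES = {"verify_ca", "verify_full"}
KNOWN_MODES = {"none", "allow"} | VERIFYING_MODES

# Constructed sample odbc.ini (unixODBC format) with one strict and one lax DSN.
SAMPLE_ODBC_INI = """
[VerticaProd]
Driver = Vertica
Database = sales
Servername = vertica01.example.internal
SSLMode = verify_full
SSLCertFile = /etc/vertica/client/client.crt
SSLKeyFile = /etc/vertica/client/client.key

[VerticaDev]
Driver = Vertica
Database = sales
Servername = 10.0.0.5
SSLMode = allow
"""


@dataclass
class DsnReport:
    name: str
    ssl_mode: str
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_dsn(name: str, section, root_crt_present: bool,
              path_exists: Callable[[str], bool] = os.path.isfile) -> DsnReport:
    """Check one DSN section against the requirements described on this page.

    root_crt_present is supplied by the caller (assumption: the page does not
    say where the driver looks for root.crt, so this check does not guess).
    """
    mode = section.get("SSLMode", "").strip().lower()
    report = DsnReport(name, mode)
    if mode not in KNOWN_MODES:
        report.problems.append(f"unknown SSLMode {mode!r}")
        return report
    if mode not in VERIFYING_MODES:
        # none/allow: the client connects without verifying the server.
        report.problems.append(f"SSLMode {mode!r} does not verify the server certificate")
    elif not root_crt_present:
        # Flowchart rule: verify_ca/verify_full without root.crt fails to connect.
        report.problems.append("verify_ca/verify_full requires the client to have root.crt")
    # Client certificate and key are optional; when given they must be absolute, existing paths.
    for key in ("SSLCertFile", "SSLKeyFile"):
        path = section.get(key)
        if path is None:
            continue
        if not os.path.isabs(path):
            report.problems.append(f"{key} must be an absolute path, got {path!r}")
        elif not path_exists(path):
            report.problems.append(f"{key} not found: {path}")
    return report


def audit_odbc_ini(text: str, root_crt_present: bool,
                   path_exists: Callable[[str], bool] = os.path.isfile) -> dict[str, DsnReport]:
    """Parse odbc.ini text and return a report per DSN section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: check_dsn(name, parser[name], root_crt_present, path_exists)
            for name in parser.sections()}


def matches_verify_full(hostname: str, cert_cn: str, cert_sans: list[str]) -> bool:
    """verify_full rule: hostname equals the CN, or hostname/IP appears in the SAN list."""
    host = hostname.strip().lower()
    if host == cert_cn.strip().lower():
        return True
    for san in cert_sans:
        san = san.strip().lower()
        try:
            # IP SAN entries are compared as addresses, not as raw strings.
            if ipaddress.ip_address(san) == ipaddress.ip_address(host):
                return True
        except ValueError:
            # Not both IP addresses: fall back to a plain DNS-name comparison.
            if san == host:
                return True
    return False


if __name__ == "__main__":
    for rep in audit_odbc_ini(SAMPLE_ODBC_INI, root_crt_present=True).values():
        print(rep.name, rep.ssl_mode, "OK" if rep.ok else rep.problems)
```

Run it against a real odbc.ini by reading the file into audit_odbc_ini; a DSN that still uses none or allow is flagged because, per the flowchart, those modes connect without authenticating the server. The path_exists parameter exists only so the checks can be exercised without the certificate files on disk.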