TLS authentication
This section contains information about the tls authentication method, which is one of several authentication methods used to manage client connections.
Before creating a tls authentication method, you must configure your server to use TLS (TLS is disabled by default). The supported modes are:
- Server Mode: In server mode, the client must confirm the server's identity before connecting. The client verifies that the server's certificate and public key are valid and were issued by a certificate authority (CA) listed in the client's list of trusted CAs. This helps prevent man-in-the-middle attacks.
- Mutual Mode: In mutual mode, the client and server must verify each other's identity before connecting. Client authentication is optional because Vertica can authenticate the client at the application protocol level with the client's username and password.
You can use the tls authentication method with either Server Mode or Mutual Mode. However, to use client self-authentication, your server must use Mutual Mode.
Before you create a tls authentication method, perform the prerequisite tasks necessary for your environment (for example, certificate creation). Refer to TLS protocol and all subsections applicable to your environment.
To create a tls authentication method, see Creating authentication records.
1 - Implementing client self-authentication
To use a client self-authentication method, your server must be in SSL Mutual Mode.
To create an authentication method for client self-authentication, use the CREATE AUTHENTICATION statement. Specify the auth_type 'tls' together with HOST TLS.
Important
You use the 'tls' auth_type only when you want to create an authentication method for client self-authentication. You must use the 'tls' auth_type with the HOST TLS syntax.
Create an authentication method with client self-authentication method
This section provides sample chronological steps for setting up a client for self-authentication, creating an authentication method, and associating the method with a user through a grant statement.
- Follow all applicable procedures for implementing SSL and distributing certificates and keys. Refer to TLS protocol as it applies to your environment.
When you create a client key, make sure to include a Common Name (CN) that is the database user name you want to use with the target database.
$ Common Name <server hostname> []:<database username>
- Create the authentication method with CREATE AUTHENTICATION. Authentication methods are automatically enabled when you create them.
=> CREATE AUTHENTICATION myssltest METHOD 'tls' HOST TLS '10.0.0.0/23';
- Associate the method with the user through a grant statement.
=> GRANT AUTHENTICATION myssltest TO mydatabaseusername;
Your client can now log on and be recognized.
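The step above depends on one detail that is easy to get wrong: the certificate's Common Name must be exactly the database user name, or the tls record will not map the connection to that user. The following shell script is an added example, not part of the Vertica documentation; it generates a client key and certificate with the CN set to the database user and checks the CN before you run CREATE AUTHENTICATION and GRANT AUTHENTICATION. It assumes the openssl command-line tool is installed; the user name, file names and the self-signed certificate are constructed for illustration (in a real deployment the CSR is signed by the CA your server trusts, as described under TLS protocol).

```shell
#!/bin/sh
# Added example (not from the Vertica docs): build a client certificate whose
# CN is the database user name and verify the CN before creating the tls
# authentication record. Requires the openssl CLI.
set -e

# Generate a private key and a self-signed certificate with CN=<db_user>.
# Self-signed only to keep the example offline; normally you would generate a
# CSR here and have your CA sign it.
# Usage: make_client_cert <db_user> <out_dir>
make_client_cert() {
    db_user=$1
    out_dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out_dir/client.key" -out "$out_dir/client.crt" \
        -subj "/CN=$db_user" >/dev/null 2>&1
}

# Print the CN attribute of a PEM certificate's subject.
# Usage: cert_cn <cert.pem>
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed (exit 0) only if the certificate's CN equals the expected user name.
# Usage: check_cn <cert.pem> <db_user>
check_cn() {
    cn=$(cert_cn "$1")
    [ "$cn" = "$2" ]
}

# Demonstration with constructed values (user name taken from the page's example).
workdir=$(mktemp -d)
make_client_cert mydatabaseusername "$workdir"
if check_cn "$workdir/client.crt" mydatabaseusername; then
    echo "CN matches the database user; the tls record can map this certificate to it"
else
    echo "CN mismatch: Vertica would not associate this certificate with the user" >&2
    exit 1
fi
```

Run the check against the certificate you actually distribute to the client, not just the one you generated; a certificate reissued with a different subject is the usual cause of a tls record that silently never matches.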
Specify TLS for client connections
You can require clients to use TLS when connecting to Vertica. To do so, create a client authentication method for them that uses the HOST TLS syntax with CREATE AUTHENTICATION.
Specific clients might connect through a network connection known to be insecure. In such cases, you can choose to limit specific users to connecting through TLS. You can also require all clients to use TLS.
Create authentication method RejectNoSSL that rejects users from any IP address who are trying to authenticate without TLS:
=> CREATE AUTHENTICATION RejectNoSSL METHOD 'reject' HOST NO TLS '0.0.0.0/0'; --IPv4
=> CREATE AUTHENTICATION RejectNoSSL METHOD 'reject' HOST NO TLS '::/0'; --IPv6
See Creating authentication records for more information about creating client authentication methods.