Internode TLS secures communication between nodes within a cluster. It is important to secure communications between nodes if you do not trust the network between the nodes.
Before setting up internode TLS, check the current status of your configuration with SECURITY_CONFIG_CHECK.
=> SELECT SECURITY_CONFIG_CHECK('NETWORK');
Communication between the server nodes uses two channels: the control channel and data channel. To enable internode encryption, set the EncryptSpreadComm parameter (disabled by default) to encrypt Spread communication on the control channel and configure the data_channel TLS CONFIGURATION to encrypt the data channel:
Encrypt Spread communication on the control channel with EncryptSpreadComm. See Control channel spread TLS for details.
Encrypt the data channel with the data_channel TLS CONFIGURATION. See Data channel TLS for details.
If you enable internode encryption, some of your queries may run slower than expected. The performance you experience depends on the data sent and the network's quality.
Admintools generates or retrieves the spread key to encrypt all traffic on the control channel and ships the spread key to all nodes. Vertica uses TLS to encrypt all traffic on the data channel. TLS credentials are shared between nodes over the encrypted control channel.
The following graphic illustrates the internode encryption process.
The control channel allows nodes to exchange plan information with one another, and to distribute calls among nodes.
The control channel allows nodes to exchange plan information with one another, and to distribute calls among nodes. Enabling spread security secures this communication. See Internode TLS for more information.
Internode TLS uses the following channels. Both must be enabled, and in the following order, before setting other parameters:
Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
Data Channel to exchange table data. It is implemented using TCP.
Enabling EncryptSpreadComm
EncryptSpreadComm can be set with one of two values:
vertica. Vertica generates the spread encryption key for the cluster when the database starts up.
aws-kms|<key_name>. Vertica fetches the user-specified key from the AWS Key Management Service when the database starts up, rather than generating one itself.
In general, you should set the EncryptSpreadComm parameter to enable spread encryption before setting any other security parameters.
Set the EncryptSpreadComm parameter with ALTER DATABASE.
=> ALTER DATABASE DEFAULT SET PARAMETER EncryptSpreadComm = 'vertica';
Nodes use the data channel to exchange table data during operations such as queries.
Nodes use the data channel to exchange table data during operations such as queries.
Internode communication uses the following channels. Their associated components and parameters must be enabled, and in the following order, before enabling other components:
Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.
Data Channel to exchange table data. It is implemented using TCP.
=> CREATE KEY internode_key TYPE 'RSA' LENGTH 2048;
The internode TLS certificate. This must have a full chain that ends in a CA, and must be either a x509v1 certificate or use the extendedKeyUsage extensions serverAuth and clientAuth.
For example, to generate internode_cert and sign it with SSCA_cert:
=> SELECT SECURITY_CONFIG_CHECK('NETWORK');
SECURITY_CONFIG_CHECK
---------------------------
Spread security details:
* EncryptSpreadComm = [vertica]
Spread encryption is enabled
It is now safe to set/change other security knobs
Data Channel security details:
TLS Configuration 'data_channel' TLSMODE is VERIFY_CA
TLS on the data channel is enabled
Privileges
Superuser
Restrictions
In general, you should set EncryptSpreadComm before configuring data_channel.
Changes to the data_channel take effect immediately and interrupt all ongoing queries in order to update the connections between your nodes.
