Data channel TLS

Nodes use the data channel to exchange table data during operations such as queries.

Internode communication uses the following channels. Their associated components and parameters must be enabled, and in the following order, before enabling other components:

1. Control Channel to exchange plan information and distribute calls. It is implemented using Spread. For more information, visit spread.org.

2. Data Channel to exchange table data. It is implemented using TCP.

Configuring the data_channel TLS CONFIGURATION

1. Enable TLS on the control channel.

2. Generate or import the following:

   • A CA (Certificate Authority) certificate.

     For example, to create a self-signed CA certificate, generate a key and sign CA certificate with the key:

     => CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
     

     => CREATE CA CERTIFICATE SSCA_cert
     SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA'
     VALID FOR 3650
     EXTENSIONS 'nsComment' = 'Self-signed root CA cert'
     KEY SSCA_key;
     

   • The internode TLS certificate's private key.

     For example, to generate the key with CREATE KEY:

     => CREATE KEY internode_key TYPE 'RSA' LENGTH 2048;
     

   • The internode TLS certificate. This must have a full chain that ends in a CA, and must be either a x509v1 certificate or use the extendedKeyUsage extensions serverAuth and clientAuth.

     For example, to generate internode_cert and sign it with SSCA_cert:

     => CREATE CERTIFICATE internode_cert
     SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=data channel'
     SIGNED BY SSCA_cert
     EXTENSIONS 'nsComment' = 'Vertica internode cert', 'extendedKeyUsage' = 'serverAuth, clientAuth'
     KEY internode_key;
     

3. Set the certificate in the data_channel TLS CONFIGURATION. The TLSMODE is automatically set to VERIFY_CA, and should not be changed.

   => ALTER TLS CONFIGURATION data_channel CERTIFICATE internode_cert;
   

4. Verify that data channel encryption is enabled with SECURITY_CONFIG_CHECK('NETWORK'):

   => SELECT SECURITY_CONFIG_CHECK('NETWORK');
      SECURITY_CONFIG_CHECK
   ---------------------------
    Spread security details:
   * EncryptSpreadComm = [vertica]
   Spread encryption is enabled
   It is now safe to set/change other security knobs
   
   Data Channel security details:
    TLS Configuration 'data_channel' TLSMODE is VERIFY_CA
   TLS on the data channel is enabled
   

Privileges

Superuser

Restrictions

• In general, you should set EncryptSpreadComm before configuring data_channel.

• Changes to the data_channel take effect immediately and interrupt all ongoing queries in order to update the connections between your nodes.

See also

• Internode TLS
• Control channel spread TLS
• TLS overview