Connecting securely from MC to a Vertica database
When you use MC to monitor and manage a Vertica database, MC (running in a browser) connects as the client to the Vertica database server.
MC uses JDBC for most database connections
MC uses Java Database Connectivity (JDBC) for most connections to a Vertica database, including:
-
Retrieving database information to display in charts
-
Running SQL queries through JDBC
-
Configuring and updating database properties
-
Configuring the database for extended monitoring
Exception
When MC uses Agents to perform AdminTools tasks, MC does not use JDBC to connect to the database.
Vertica software supports TLS
Vertica databases and Vertica MC support TLS up to version 1.2. This topic and its subtopics describe configuring TLS in MC for JDBC connections to a Vertica database.
About certificate file formats
MC requires that all certificate and key files for upload to MC must be in PEM (Privacy-enhanced Electronic Mail) format.
Vertica database security dictates how MC connects
The TLS/SSL security you configure for a database in MC must be consistent with the security configured on the database itself.
Whether the Vertica database has TLS/SSL configured in server mode or mutual mode, you should configure TLS/SSL for that database in MC to match.
To find out how a Vertica database is configured, see Determining the TLS mode of a Vertica database.
You can configure TLS/SSL in either server mode or mutual mode in MC.
The rest of this topic and related topics use the term TLS, TLS/SSL, and SSL interchangeably.
TLS server mode
When the MC client connects to a Vertica database configured in server mode:
-
The client requests and verifies the server's credentials.
-
The client does not need to present a client certificate and private key file to the server.
-
The MC administrator must configure the CA certificate that can verify server's certificate on MC when MC connects to the database over JDBC.
TLS mutual mode
When the MC client connects to a Vertica database configured in mutual mode:
-
The MC client requests and verifies the database server's credentials.
-
The server also requests and verifies the MC client's credentials.
-
Each MC user is a separate client, and must present a valid client certificate file and private key file pair (keypair), namely a certificate signed by a CA recognized by the Vertica database server as valid.
-
The MC administrator must configure:
-
The CA certificate to verify the Vertica database server certificate.
-
A client certificate and private key file (keypair) for each MC user. The keypair can be unique for each user, or shared by multiple users, depending on how client authentication is configured on the Vertica database. See Configuring client authentication.
-
-
Each MC user must be configured to map correctly to a user who is configured on the Vertica database server.
For more information on how Vertica supports TLS/SSL security, see TLS protocol.
MC administrator configures MC security
Only MC users having Admin or Super privileges on a database are able to configure TLS certificates and keys on MC for database connections. The topics in this section use "MC administrator" to refer to both of these roles. For more information about MC user roles and privileges, see Users in Management Console.
As the MC administrator, when you first configure security in MC for a Vertica database that requires mutual mode, you configure these certificates for the Vertica database:
-
The server certificate and public key of the database.
-
Your own client certificate and private key, as the first configured MC user mapped to a Vertica database user.
Configuring TLS/SSL on MC
MC provides the Certificates wizard for configuring TLS certificates for all JDBC connections to the database, to ensure those connections are secure.
In MC, there are three scenarios in which you need to configure TLS security for a Vertica database:
-
While you are importing a database to monitor in MC. See Configuring TLS while importing a database on MC.
-
When you want to add security for a database that is already monitored by MC. See Configuring TLS for a monitored database in MC.
-
When you need to configure client security for an individual MC user who is mapped to a user who has privileges on the Vertica database server, because the database requires mutual authentication. See Configuring mutual TLS for MC users.
Adding certificates to MC for later use
You may want to add multiple CA certificates or client certificates to MC all at one time, to streamline the configuration of security when you are importing databases to MC or creating MC users. For details, see and .
To connect successfully, MC and database security must match
MC Security | Vertica Database Security | Does the connection succeed? |
---|---|---|
None | None | Connection succeeds, and it is open and therefore unsecured. |
TLS server mode | TLS server mode | Connection succeeds provided MC can verify the server's certificate using the CA certificate configured on MC. |
TLS mutual mode | TLS mutual mode |
Connection succeeds provided:
|
None | TLS server mode |
MC attempts to establish an open connection. The connection fails if the Vertica database requires TLS for client connections. For more information, see: |
None | TLS mutual mode | MC attempts to establish an open connection. The connection fails if the Vertica database requires TLS for client connections. The connection fails because MC does not present what the database requires: a valid client certificate and private key that the database can verify as belonging to a mapped database user. |
TLS server mode | None | MC attempts to connect to the database securely, however the connection fails as the database is not configured with TLS certificates. |
TLS mutual mode | None | MC attempts to connect to the database securely, however the connection fails as the database is not configured with TLS certificates. |
In this section
- Management Console security
- Determining the TLS mode of a Vertica database
- Configuring TLS while importing a database on MC
- MC certificates wizard
- Configuring TLS for a monitored database in MC
- Configuring mutual TLS for MC users
- Updating TLS security for MC connections
- Enabling or disabling TLS for a database in MC
- Adding TLS certificates in MC
- Managing TLS certificates in MC
- Updating a TLS certificate in MC
- Removing TLS certificates from MC
- MC icons display database TLS status
- Bulk-configure a group of MC users for TLS