Client authentication with TLS

Database users or roles granted a tls authentication record can authenticate to Vertica with a TLS certificate.

Database users or roles granted a tls authentication record can authenticate to Vertica with a TLS certificate.

Prerequisites

You must configure Vertica for mutual mode client-server TLS.

In mutual mode, the client and server must verify each other's identity before connecting. This mode allows Vertica to verify the identity of the client and allow them to authenticate the client through their certificate.

Configuring TLS authentication

The following section generates a private key and certificate for the client. For simplicity, the example signs the client certificate with the following self-signed CA certificate SSCA_cert (which has also, in the context of the example, signed the Vertica database's server certificate).

=> CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
=> CREATE CA CERTIFICATE SSCA_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA'
VALID FOR 3650
EXTENSIONS 'nsComment' = 'Self-signed root CA cert'
KEY SSCA_key;

In a production environment, you should instead use a CA certificate from a trusted certificate authority.

The following example configures Vertica to use an authentication record with the method tls to authenticate the database user Bob:

  1. Generate the client's private key:

    => CREATE KEY client_key_bob TYPE 'RSA' LENGTH 2048;

  2. Generate the client's certificate, specifying a database user for the Common Name (CN) field. This example creates a certificate for the database user Bob:

    => CREATE CERTIFICATE client_cert_bob
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Bob/emailAddress=bob@example.com'
SIGNED BY SSCA_cert
EXTENSIONS 'nsComment' = 'Vertica client cert', 'extendedKeyUsage' = 'clientAuth'
KEY client_key_bob;

  3. Export the client's private key and certificate:

    $ vsql -At -c "SELECT key FROM cryptographic_keys WHERE name = 'client_key_bob';" -o client_key_bob.key
$ vsql -At -c "SELECT certificate_text FROM certificates WHERE name = 'client_cert_bob';" -o client_cert_bob.crt

  4. Copy or move the certificates to a location recognized by your client. This example applies to vsql:

    $ mkdir -p ~/.vsql
$ cp client_cert_bob.crt ~/.vsql/client.crt
$ cp client_key_bob.key ~/.vsql/client.key
$ chmod 600 ~/.vsql/client.key ~/.vsql/client.crt
$ chown -R bob ~/.vsql ~/.vsql/client.key ~/.vsql/client.crt

  5. Create the tls authentication record:

    => CREATE AUTHENTICATION v_tls_auth METHOD 'tls' HOST TLS '0.0.0.0/0';

  6. Grant the authentication record to Bob or one of his default roles:

    => GRANT AUTHENTICATION v_tls_auth TO Bob;

Reject plaintext connections

You can create an authentication record that rejects remote connections from a specified IP range.

For example, to reject all plaintext client connections, specify the reject authentication method and the HOST NO TLS access method as follows:

=> CREATE AUTHENTICATION RejectNoSSL METHOD 'reject' HOST NO TLS '0.0.0.0/0';  --IPv4
=> CREATE AUTHENTICATION RejectNoSSL METHOD 'reject' HOST NO TLS '::/0';       --IPv6