TLS configurations

A TLS Configuration is a database object that encapsulates all settings and certificates needed to configure TLS.

After setting up a TLS Configuration, you can use it by setting it as the value for one or more of the following database parameters, each of which controls TLS for a certain type of connection between the Vertica database and a client or server:

  • ServerTLSConfig

  • LDAPLinkTLSConfig

  • LDAPAuthTLSConfig

  • InternodeTLSConfig

These parameters are set to predefined TLS Configurations by default, so if you just want to configure TLS, use ALTER TLS CONFIGURATION to modify the predefined TLS Configuration. Otherwise, you can use CREATE TLS CONFIGURATION to create a custom TLS Configuration.

Reusing an existing TLS configuration

To reuse an existing TLS Configuration, use ALTER TLS CONFIGURATION.

The following table lists each TLS connection type parameter with its associated connection type and predefined TLS Configuration:

| Connection Type | Parameter | Default TLS Configuration | Example |
|---|---|---|---|
| Client-server where Vertica is the server | ServerTLSConfig | server | Configuring client-server TLS |
| Connections for the LDAP Link service | LDAPLinkTLSConfig | LDAPLink | TLS for LDAP link |
| Connections between Vertica and an LDAP server to authenticate users | LDAPAuthTLSConfig | LDAPAuth | TLS for LDAP authentication |
| Connections between Vertica nodes | InternodeTLSConfig | data_channel | Internode TLS |

Creating custom TLS configurations

You can create TLS Configurations with CREATE TLS CONFIGURATION.

The following example creates a TLS Configuration and enables it for client-server TLS by setting it in ServerTLSConfig:

  1. Create the keys and certificates:

    -- create the CA key and a self-signed CA certificate
    => CREATE KEY k_ca TYPE 'RSA' LENGTH 4096;
    => CREATE CA CERTIFICATE ca
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA'
       VALID FOR 3650
       EXTENSIONS 'nsComment' = 'Vertica generated root CA cert'
       KEY k_ca;
    -- create the server key and a server certificate signed by the CA
    -- (the certificate name server_cert is chosen here; the original statement head was missing)
    => CREATE KEY k_server TYPE 'RSA' LENGTH 2048;
    => CREATE CERTIFICATE server_cert
       SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Cluster/'
       SIGNED BY ca
       KEY k_server;
  2. Create the TLS Configuration with the server's certificate:

  3. Set the ServerTLSConfig parameter to use the new TLS Configuration for client-server TLS:

    => ALTER DATABASE DEFAULT SET ServerTLSConfig = 'new_tls_config';
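Steps 2 and 3 of the procedure above, carried through as an added example that is not part of the original page: it builds the TLS Configuration from the server certificate, sets the TLS mode, assigns it to ServerTLSConfig and reads the result back. The certificate name server_cert and the tls_configurations and configuration_parameters queries are assumptions of this example; the page itself only names new_tls_config.

```sql
-- Step 2: build the TLS Configuration around the server certificate.
-- server_cert is the name assumed here for the certificate created in step 1.
CREATE TLS CONFIGURATION new_tls_config CERTIFICATE server_cert;

-- Choose how strictly the server treats clients. ENABLE only encrypts the
-- channel: the server presents server_cert, but clients are not asked for
-- a certificate, so they are not authenticated by TLS.
ALTER TLS CONFIGURATION new_tls_config TLSMODE 'ENABLE';

-- Stricter alternative (mutual TLS): trust our CA and require every client
-- to present a certificate that chains to it. Shown for comparison; run these
-- instead of the ENABLE statement if client certificates are deployed.
-- ALTER TLS CONFIGURATION new_tls_config ADD CA CERTIFICATES ca;
-- ALTER TLS CONFIGURATION new_tls_config TLSMODE 'VERIFY_CA';

-- Step 3: activate the configuration for client-server connections.
ALTER DATABASE DEFAULT SET ServerTLSConfig = 'new_tls_config';

-- Read back what is now in effect (system table and column names are
-- assumptions of this example).
SELECT name, certificate, ca_certificates, mode
  FROM tls_configurations
 WHERE name = 'new_tls_config';

SELECT parameter_name, current_value
  FROM configuration_parameters
 WHERE parameter_name = 'ServerTLSConfig';
```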