TLS_CONFIGURATIONS

Lists settings for TLS Configuration objects for the server, LDAP, etc.

Column Name Data Type Description
NAME VARCHAR

Name of the TLS Configuration. Vertica includes the following TLS Configurations by default:

  • server

  • LDAPLink

  • LDAPAuth

  • data_channel

OWNER VARCHAR Owner of the TLS Configuration object.
CERTIFICATE VARCHAR The certificate associated with the TLS Configuration object.
CA_CERTIFICATES VARCHAR

The CA certificate(s) used to verify client certificates.

In cases where a TLS Configuration uses more than one CA, each CA will have its own row in the table.

CIPHER_SUITES VARCHAR The cipher suites used to secure the connection.
MODE VARCHAR

How Vertica establishes TLS connections with another host. One of the following, in order of ascending security:

  • DISABLE: Disables TLS. All other options for this parameter enable TLS.

  • ENABLE: Enables TLS. Vertica does not check client certificates.

  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • the other host presents a valid certificate

    • the other host doesn't present a certificate

    If the other host presents an invalid certificate, the connection will use plaintext.

  • VERIFY_CA: Connection succeeds if Vertica verifies that the other host's certificate is from a trusted CA. If the other host does not present a certificate, the connection uses plaintext.

  • VERIFY_FULL: Connection succeeds if Vertica verifies that the other host's certificate is from a trusted CA and the certificate's cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the other host.

    Note that for client certificates, cn is used for the username, so subjectAltName must match the hostname or IP address of the other host.

VERIFY_FULL is unsupported for client-server TLS (the connection type handled by ServerTLSConfig) and behaves as VERIFY_CA.

Examples

In this example, the LDAPAuth TLS Configuration uses two CA certificates:

=> SELECT * FROM tls_configurations WHERE name='LDAPAuth';
    name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca             |               | DISABLE
 LDAPAuth | dbadmin | server_cert | ica            |               | DISABLE
(2 rows)

To make the relationship between a TLS Configuration and its CA certificates clearer, you can aggregate the rows with LISTAGG:

=> SELECT name, owner, certificate, LISTAGG(ca_certificate) AS ca_certificates, cipher_suites, mode
FROM tls_configurations
WHERE name='LDAPAuth'
GROUP BY name, owner, certificate, cipher_suites, mode
ORDER BY 1;
   name   |  owner  | certificate | ca_certificates | cipher_suites |  mode
----------+---------+-------------+-----------------+---------------+---------
 LDAPAuth | dbadmin | server_cert | ca,ica          |               | DISABLE
(1 row)
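
The following audit query is an added example, not part of the Vertica documentation. It extends the LISTAGG query above to every TLS Configuration and annotates each row with the behavior described for its MODE. It assumes the column names shown in the example output (ca_certificate rather than CA_CERTIFICATES) and that the configuration named server is the one used for client-server TLS.

```sql
-- Added example: one row per TLS Configuration, weakest MODE first.
-- Assumption: column names match the query output shown above.
SELECT name,
       owner,
       mode,
       ca_certificates,
       CASE mode
           WHEN 'DISABLE'     THEN 'TLS disabled'
           WHEN 'ENABLE'      THEN 'TLS enabled, client certificates not checked'
           WHEN 'TRY_VERIFY'  THEN 'plaintext if the other host presents an invalid certificate'
           WHEN 'VERIFY_CA'   THEN 'plaintext if the other host presents no certificate'
           WHEN 'VERIFY_FULL' THEN 'trusted CA and hostname/IP match required'
           ELSE 'unrecognized mode'
       END AS mode_behavior,
       CASE
           -- A verifying mode with no CA certificate has nothing to verify against.
           WHEN mode IN ('TRY_VERIFY', 'VERIFY_CA', 'VERIFY_FULL')
                AND (ca_certificates IS NULL OR ca_certificates = '')
           THEN 'verifying mode set but no CA certificate listed'
           -- Assumption: 'server' is the configuration used for client-server TLS.
           WHEN mode = 'VERIFY_FULL' AND name = 'server'
           THEN 'VERIFY_FULL behaves as VERIFY_CA for client-server TLS'
           ELSE ''
       END AS note
FROM (
    -- Collapse the one-row-per-CA layout into one row per configuration.
    SELECT name, owner, certificate, cipher_suites, mode,
           LISTAGG(ca_certificate) AS ca_certificates
    FROM tls_configurations
    GROUP BY name, owner, certificate, cipher_suites, mode
) AS per_config
ORDER BY CASE mode
             WHEN 'DISABLE'     THEN 1
             WHEN 'ENABLE'      THEN 2
             WHEN 'TRY_VERIFY'  THEN 3
             WHEN 'VERIFY_CA'   THEN 4
             WHEN 'VERIFY_FULL' THEN 5
             ELSE 0
         END,
         name;
```

Rows at the top of the result are the configurations to review first; an unrecognized MODE value sorts ahead of DISABLE so it is not overlooked.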