Configuring TLS for ADO.NET
You can optionally use TLS to secure communication between your ADO.NET application and Vertica.
Prerequisites
Before you configure ADO.NET for TLS, you must configure client-server TLS, setting the TLSMODE to ENABLE. Mutual mode (TRY_VERIFY or higher) is not supported for ADO.NET.
Linux
The following procedure configures TLS on a Linux system:
Note
The paths for these certificates might vary between distributions.
- On the client filesystem, create the file /etc/ssl/certs/server.crt with the certificate text of the server certificate. You can retrieve the certificate text from a certificate in Vertica by querying the CERTIFICATES system table.
- Run the following command to verify that the certificate file is valid. If it is valid, the command outputs information about the certificate:
$ openssl x509 -in /etc/ssl/certs/server.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:e7:fe:f9:0e:60:8a:79:ff:97:e2:c2:e4:e8:57:09:bd:f3:34:20
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Massachusetts, L = Burlington, O = OpenText, OU = Vertica, CN = Vertica Root CA
        Validity
            Not Before: Aug 3 18:11:44 2023 GMT
            Not After : Aug 12 18:11:44 2024 GMT
        Subject: C = US, ST = Massachusetts, L = Burlington, O = OpenText, OU = Vertica, CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9a:3a:83:5b:e7:73:c2:a4:15:c7:0a:81:a0:02:
                    f3:a6:6c:bb:aa:fb:fc:c8:9a:db:b9:41:21:2d:ca:
                    d9:07:1a:b1:07:35:39:0b:f3:62:08:1c:31:49:d4:
                    e2:b3:21:a8:84:eb:f4:43:5f:92:9e:c3:34:3d:4b:
                    4b:ab:ad:75:05:3c:c4:82:b5:21:45:a3:a5:c2:5c:
                    1d:c9:e3:d2:93:c1:40:b4:f6:07:f7:6c:47:68:9f:
                    9b:5d:41:4b:85:83:e0:f2:56:36:67:ee:ac:1e:08:
                    8c:6c:3a:af:b8:20:84:1d:7e:bb:d2:5e:45:d0:a8:
                    6d:ca:d8:46:5a:83:e6:d0:8d:00:fc:c1:bf:ce:d7:
                    95:4c:1d:ed:3a:45:82:d5:4d:1b:2c:d6:c4:17:5c:
                    aa:78:bc:e3:c2:2b:06:70:c3:1a:42:57:3e:19:5f:
                    7c:2f:0c:f2:d5:09:6a:ad:04:cd:95:33:92:20:56:
                    41:86:62:b2:fb:a5:d1:c5:65:cd:be:f9:31:6c:45:
                    79:a5:7f:10:7d:07:1d:26:eb:f3:18:42:14:3b:37:
                    84:81:f4:4f:c0:8d:93:b2:57:da:4f:64:53:b8:cc:
                    ed:ce:a7:c5:cc:af:5b:d1:4a:3f:fc:32:5a:f3:84:
                    89:cb:19:52:43:22:5c:9d:54:88:6b:41:3a:39:00:
                    86:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
            X509v3 Authority Key Identifier:
                keyid:DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
                DirName:/C=US/ST=Massachusetts/L=Burlington/O=OpenText/OU=Vertica/CN=Vertica Root CA
                serial:4C:92:49:E5:98:94:C3:9C:B9:3E:DE:30:39:ED:52:23:E6:A8:7E:D8
    Signature Algorithm: sha256WithRSAEncryption
         a7:f5:35:12:ef:f2:8e:7e:85:45:6a:a0:7a:64:7b:d7:82:62:
         fc:2b:b4:76:1c:5b:3e:73:f8:cb:a7:8a:07:e7:1a:f3:fc:bc:
         45:58:b0:3c:13:6f:29:fa:7b:1a:cc:7b:c7:79:bc:54:62:5c:
         3f:44:ae:7e:af:68:6d:bc:3a:38:93:3f:a6:c9:42:70:68:c3:
         39:fc:a4:1a:2f:d5:d6:5d:0f:e4:06:cb:53:61:a7:b3:44:a5:
         85:74:76:f7:b7:65:1b:74:bf:58:63:40:60:82:59:01:b7:0f:
         a4:8c:58:44:7e:41:c9:63:a2:da:92:64:0e:a0:a5:f7:ad:49:
         40:f9:e3:e4:21:f2:d3:9c:c9:06:03:d6:5d:61:ef:ef:31:49:
         e0:66:79:08:97:0e:20:ec:2f:03:6c:a1:6e:9e:3c:24:5d:da:
         cc:20:ec:29:10:92:28:b2:3d:af:fb:3a:46:7d:ca:e5:bb:48:
         57:93:ef:27:a4:4d:00:2d:6d:7c:3c:6b:55:83:af:11:ef:c3:
         2f:d2:16:09:f0:4e:45:64:8d:50:93:da:ab:07:33:fb:2b:6c:
         d2:12:16:f9:a7:3d:de:e7:b9:62:0c:c3:37:bc:51:24:e7:aa:
         64:6d:19:15:7e:f5:f0:31:e6:5c:14:56:3b:6f:f0:6b:e0:35:
         68:b1:fa:27
- On the client filesystem, create the file /usr/local/share/ca-certificates/root.crt with the certificate text of the CA certificate.
- Verify that the certificate was issued by the CA certificate:
$ openssl verify -CAfile /usr/local/share/ca-certificates/root.crt /etc/ssl/certs/server.crt
server.crt: OK
- Update the certificate store:
$ update-ca-certificates
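The checks in the Linux procedure above can be scripted so that an unparsable, soon-to-expire, or wrongly issued file is caught before it goes into the certificate store. This is an added example, not part of the Vertica documentation; the function names check_server_cert, make_demo_pki and run_demo and the 30-day expiry threshold are assumptions, and the demo certificates are constructed sample data.

```shell
#!/usr/bin/env bash
# check_server_cert CA_FILE CERT_FILE [MIN_DAYS]
# Returns: 0 all checks pass
#          1 a file does not parse as an X.509 certificate
#          2 CERT_FILE expires within MIN_DAYS (default 30, an assumed threshold)
#          3 CERT_FILE was not issued by CA_FILE
check_server_cert() {
    local ca="$1"
    local cert="$2"
    local min_days="${3:-30}"
    openssl x509 -in "$ca" -noout 2>/dev/null || return 1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" \
        >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 3
}

# make_demo_pki DIR: constructed sample data (a throwaway root CA, a 90-day and
# a 1-day server certificate issued by it, and an unrelated self-signed one).
make_demo_pki() {
    local d="$1"
    local days
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    for days in 90 1; do
        openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
            -CAcreateserial -days "$days" -out "$d/server-$days.crt" 2>/dev/null || return 1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=db.example.com" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# run_demo: checks each constructed certificate and prints the return codes.
run_demo() {
    local d f rc codes=""
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    for f in server-90.crt server-1.crt other.crt; do
        rc=0; check_server_cert "$d/root.crt" "$d/$f" || rc=$?
        codes="$codes $rc"
    done
    rm -rf "$d"
    echo "${codes# }"
}

run_demo   # prints: 0 2 3
```

On a real client, call check_server_cert /usr/local/share/ca-certificates/root.crt /etc/ssl/certs/server.crt and run update-ca-certificates only when it returns 0.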
Windows
The Vertica ADO.NET driver uses the TLS certificates in the default Windows key store.
To use TLS for ADO.NET connections to Vertica:
- Import the server certificate into the Windows key store:
  - Create a file server.crt with the certificate text of the server certificate.
  - Double-click the server.crt certificate file.
  - Let Windows determine the key type and select Install.
- Import the CA certificate into the Windows key store:
  - Create a file root.crt with the certificate text of the CA certificate.
  - Double-click the root.crt certificate file.
  - Select Place all certificates in the following store.
  - Select Browse, Trusted Root Certification Authorities, and Next.
  - Select Install.
Enable SSL in your ADO.NET applications
In your connection string, enable SSL by setting the SSL property in VerticaConnectionStringBuilder to true, for example:
using Vertica.Data.VerticaClient;

// Configure connection properties
VerticaConnectionStringBuilder builder = new VerticaConnectionStringBuilder();
builder.Host = "192.168.17.10";
builder.Database = "VMart";
builder.User = "dbadmin";
// Request a TLS-protected connection to the server
builder.SSL = true;
// Open the connection
VerticaConnection _conn = new VerticaConnection(builder.ToString());
_conn.Open();