Configuring TLS for ODBC Clients

Configuring TLS for ODBC clients requires that you configure Vertica for client-server TLS and set the SSLMode connection property.

You can configure TLS for ODBC clients by setting the DSN connection properties setting the DSN connection properties for the following. For details on these parameters, see ODBC DSN connection properties:

  • SSLMode: Determines whether TLS is required and how the client should behave if the TLS connection attempt fails.
  • SSLCertFile (SSL CA file in Windows): The absolute path of the client's public certificate file.
  • SSLKeyFile (SSL cert file in Windows): The absolute path to the client's private key file.

SSLModes: verify-ca and verify-full

You can use the SSLMode property values verify-ca and verify-full if you want the client to verify the server's information before establishing the connection. If any of these verifications fail, the connection fails:

  • verify-ca: The client verifies that the server's certificate is from a trusted certificate authority (CA).
  • verify-full: The client verifies both that the server's certificate is from a trusted CA and that the server's hostname matches the hostname on the certificate.

If verify-ca or verify-full are specified, the client requires the following to establish the connection:

  • The root.crt, which is the certificate of a CA trusted by both the server and the client.
  • The server must have:
    • server.crt, a certificate signed by the trusted CA.
    • server.key, the server's private key.
  • For verify-full, each server node must meet one of the following requirements:
    • Its hostname matches the common name specified in server.crt.
    • Its hostname or IP address appears in the Subject Alternative Name (SAN) field of server.crt.

TLS behavior flowchart

The following diagram shows an example flowchart for a client connecting with TLS.

In this example:

  • If SSLMode is set to none, the client connects without authentication.
  • If SSLMode is set to verify-ca or verify-full and the client does not have root.crt, the connection fails.
  • At the SSL authentication node, if the SSLMode connection is set to verify-full and the server hostname differs from the hostname specified by the client, authentication fails.

Example ODBC TLS flow